First is a failed test. (couldn’t exactly tell where it began and ended, might have copied too much text). Seems like they are both using EAP-PEAP but maybe I’m mistaken. Not sure by reading what I’m missing. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=121 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020000090174657374 Message-Authenticator = 0xd6876568d04adfae1a8dc597d5f170ab # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 18 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority rlm_sql (sql): Released sql socket id: 18 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0101001604100bb6fcfca6af7dc22064ddd5a982c685 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83956c4ec1059e8fcd700a9cbe3 Finished request 30. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=138 Cleaning up request 30 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83956c4ec1059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100080319152b Message-Authenticator = 0x569958b8550134d78cc687d9a04c21ba # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 17 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority rlm_sql (sql): Released sql socket id: 17 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83957c7f11059e8fcd700a9cbe3 Finished request 31. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=257 Cleaning up request 31 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83957c7f11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202007f19800000007516030100700100006c030159583c4fba968d39fc410de8eec268d5b0f4f6d440667e95e3136ca9b790054d00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 Message-Authenticator = 0x707833097727ab3ae61d8e452f65508f # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 127 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02c4], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0103040019c0000004601603010039020000350301e112e771ea49e667c178ce6b8894ceaead602b518eb6450b867e04312ea3c7b600c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900e5e53bd18a4a5609300d06092a864886f70d01010b050030133111300f06035504030c087261646975737069301e170d3137303633303030303333345a170d3237303632383030303333345a30133111300f06035504030c08726164697573706930820122300d06092a864886f70d01010105000382010f003082010a0282010100dfe1c10be65401d289225a9db9f689531529e7a4 EAP-Message = 0x93b519b66b02f0c2b9dce87d0a62a2c778915193da4112f2d22ebf223cfb9ccdbeb331f1cf47f274586e42df0408fc99446f4be2714c1cd2db4e0f585faac4c4aa5ed60767de82ad6e2071dc04ee77ce1e0d07b13b76404ff4f702d8e92642e4e7fb26271c5ddc9cdd0a9fa9462ed200da9f1eefc1598d2e9223a8571a752da003f8dc0feb4c5689420aa070a6dfd817ff4a230adb91fd462457d28cc184c713740de6c68273f089d2cdb3da2c087946278ce742eea6c0c79db71604f9f737548dc70d4b0395faf74efb6685083dfedd9d576fdedecaf6f989cb47ba5f480c88693bf9667d551f9371cbf2490203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d01010b05000382010100356db2051726585975dd0817ab5829b0ddaf98c1a6093e6b9cfc1ac9303092ce7a36814b9c175290d85ed2ba723fbd222c35a33e8dd44fbfd5e6748e7f9965db830b2b8e1f1187c901c839e817843e557e417fac27662b57f07c0866ddfd7839c05cdf3300ecac6a613dbea38c05c679bdfc9de0f9746654b878b8164c2e0fbebd90e79f4613c54de9b6bc8cd546ea641441cc8eaa50d24a7ee877477996087acb3a0526cb19055fd445567201ee0e9aa3a27185aca7b238aaf03e09c0e48625361d1362d8ab34790de8f75964b0ea804d60f3a612db2135b1656ee135b133162fb5a7144979 EAP-Message = 0xc4f5629f56b2d2ad877c9f0e95d0dbc889df503804f256a9f15c160301014b0c0001470300174104bd770cf7d9bb493664451bacadde85508ad7b7a1eb7dacb26d0d907764aae3f3e33cf0827e16faf6738ca263120c18cb04b1ee384e10c0a7002ea550266aa0b601009795255e9efc8c5bfc511935cfb99160d3c6ec6b01d6a7390c238f251d03aa2a0767293e45775738c09ee4fc0719666c47f3d429c79719399a85af66feac6e0045a04de7791a652521a624da12e1e6345387377368fe89d1e3103ef2a585e6aea8742f209bbd123b9cbe2de99a3b6dc80dbdb5446aabfcca71e8aba8619e64ea22d8c0cc731638b845e50361bddb95f5021ab0 EAP-Message = 0x40d8598eb5021fe8d452b8d2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83954c6f11059e8fcd700a9cbe3 Finished request 32. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=136 Cleaning up request 32 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83954c6f11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x421ecc297169cf1e8a55bb5f6f9d5ec6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x01040070190003208396d20e3bef19b658a5296891ff3463d22a42d15d345d740d45b07d5906f75e6b5ba836416f6840bf0561e97a3f6a6062a839fb925aeec02ed1b7ff77a5c0231d3f8bb855737c865f7989d82fd813bc7b2cd446a609928a33532c0afc47b516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83955c1f11059e8fcd700a9cbe3 Finished request 33. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=274 Cleaning up request 33 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83955c1f11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204009019800000008616030100461000004241042b0f0d744287c8baf011c5d4f3f02c33cd755f3dca6191ed52c8591e384e13a7303dc29a512503b48a78f1781bee725f529ac20a750c88e11cb33cdb3c5f05c514030100010116030100302b3003fe0220ebdff2b8823a05f3c213462163d0a5145937b0430031e95d7fdc827a82dea60cc89bceb16e5738663603 Message-Authenticator = 0x57a0d4dc6abb5d513c5cfd21aadee2e3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0105004119001403010001011603010030c8765a080582e00ae18a20328f7d0317ca987085de00803ee1fd0e0bd54352397890a577486d8c11b3e34bfe7ecc56a9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83952c0f11059e8fcd700a9cbe3 Finished request 34. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=136 Cleaning up request 34 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83952c0f11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0xe1d254510fb825e6e0f7909cf3c23e33 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0106002b19001703010020c18e27bd09b1381d6e2b7279225abd611c041091b59b5a927eb2cf7fe1c67eeb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83953c3f11059e8fcd700a9cbe3 Finished request 35. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=173 Cleaning up request 35 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83953c3f11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206002b190017030100203a8f919da04ebc373fa4fd60286ebeadd3a1cb953fcd9a3514eb042ac79736ba Message-Authenticator = 0xe41b96134553d063a4f78831390a0145 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020600090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020600090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 6 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107001e1a0107001910d8d6a5029ef8e0ce8690cb31534e903574657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe3a53b0ee3a22103e80c239114094b7a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107001e1a0107001910d8d6a5029ef8e0ce8690cb31534e903574657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe3a53b0ee3a22103e80c239114094b7a [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0107003b1900170301003030ba75f4a66fae8c6773a4d53af411a1201e26b71a9afb000b665738ce05e75edcc832e52c8e282797c17d5cf6b70752 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83950c2f11059e8fcd700a9cbe3 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=221 Cleaning up request 36 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83950c2f11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207005b190017030100500ea54a4586f96bacad82fa8cb728c056e5f1a28ed8bb4d602bb532f4778ad25c052ae4e66a4e41496e71a2c34ebc5827c4f5ed2bb7530a63ce4abe16807ef5d364a84d0aec84e882e3cb75aacf5ca6cc Message-Authenticator = 0x814ac94db845338cedd9d99d3a14e07c # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 91 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207003f1a0207003a31147a3a58b9bb60c90e6abe9c2fe6b7ee0000000000000000e72e88852562339873cf5e5867f2c17bc5f5fba4dea79cb70074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0207003f1a0207003a31147a3a58b9bb60c90e6abe9c2fe6b7ee0000000000000000e72e88852562339873cf5e5867f2c17bc5f5fba4dea79cb70074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xe3a53b0ee3a22103e80c239114094b7a server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0108002b19001703010020df30d157fb2bb8719d02c4294eb2e34cf622c8e77e89e98db4d1fe17780b26c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x56c5e83951cdf11059e8fcd700a9cbe3 Finished request 37. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=173 Cleaning up request 37 ID 0 with timestamp +408 User-Name = "test" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x56c5e83951cdf11059e8fcd700a9cbe3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b19001703010020abcd2f4c2b9f8cb9ed842ec21e8fdc8f3e5f6ebacba2b991f0252f9246e99ec8 Message-Authenticator = 0xe37e33b2b2647dce1fdad3d6e133479c # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Reject', '2017-07-01 20:20:32') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test', '', 'Access-Reject', '2017-07-01 20:20:32') rlm_sql (sql): Reserving sql socket id: 16 rlm_sql (sql): Released sql socket id: 16 ++[sql] = ok [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 38 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 38 Sending Access-Reject of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 38 ID 0 with timestamp +409 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 36006, id=13, length=69 User-Name = "00:22:58:7d:fd:7d" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Password = "testing123" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "00:22:58:7d:fd:7d", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop [sql] expand: %{User-Name} -> 00:22:58:7d:fd:7d [sql] sql_set_user escaped user --> '00:22:58:7d:fd:7d' rlm_sql (sql): Reserving sql socket id: 15 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00:22:58:7d:fd:7d' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00:22:58:7d:fd:7d' ORDER BY priority rlm_sql (sql): Released sql socket id: 15 [sql] User 00:22:58:7d:fd:7d not found ++[sql] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [sql] expand: %{User-Name} -> 00:22:58:7d:fd:7d [sql] sql_set_user escaped user --> '00:22:58:7d:fd:7d' [sql] expand: %{User-Password} -> testing123 [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00:22:58:7d:fd:7d', 'testing123', 'Access-Reject', '2017-07-01 20:21:34') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00:22:58:7d:fd:7d', 'testing123', 'Access-Reject', '2017-07-01 20:21:34') rlm_sql (sql): Reserving sql socket id: 14 rlm_sql (sql): Released sql socket id: 14 ++[sql] = ok [attr_filter.access_reject] expand: %{User-Name} -> 00:22:58:7d:fd:7d attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 39 for 1 seconds Going to the next request Waking up in 0.9 seconds. ________________________________________________________________________________________________________________________________________________ Heres a successful test. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=129 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000d014a6f686e20446f65 Message-Authenticator = 0x7a79937b215e3edbd56d0a283edd1ee0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [sql] expand: %{User-Name} -> John Doe [sql] sql_set_user escaped user --> 'John Doe' rlm_sql (sql): Reserving sql socket id: 31 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John Doe' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John Doe' ORDER BY priority rlm_sql (sql): Released sql socket id: 31 [sql] User John Doe not found ++[sql] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x010100160410bbe0563ca46d98903186aae04d0ecf6e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db2cbd32dda40dc75c373a2704 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=142 Cleaning up request 0 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db2cbd32dda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100080319152b Message-Authenticator = 0xff6cb93ab2439ddd9fa9351616f62018 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [sql] expand: %{User-Name} -> John Doe [sql] sql_set_user escaped user --> 'John Doe' rlm_sql (sql): Reserving sql socket id: 30 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'John Doe' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'John Doe' ORDER BY priority rlm_sql (sql): Released sql socket id: 30 [sql] User John Doe not found ++[sql] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db2dbe2fdda40dc75c373a2704 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=261 Cleaning up request 1 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db2dbe2fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202007f19800000007516030100700100006c030159583d388d9a6c7e077e3a220c0bc6c54d76ceabfdbae16ed8618c2d2abd0c2d00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 Message-Authenticator = 0xea28a029c063909831f3570ed5947f35 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 127 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02c4], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0103040019c00000046016030100390200003503019679275650baa9cb32ac07d36763e6c19ba146ee87a800d3517903a213559bac00c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900e5e53bd18a4a5609300d06092a864886f70d01010b050030133111300f06035504030c087261646975737069301e170d3137303633303030303333345a170d3237303632383030303333345a30133111300f06035504030c08726164697573706930820122300d06092a864886f70d01010105000382010f003082010a0282010100dfe1c10be65401d289225a9db9f689531529e7a4 EAP-Message = 0x93b519b66b02f0c2b9dce87d0a62a2c778915193da4112f2d22ebf223cfb9ccdbeb331f1cf47f274586e42df0408fc99446f4be2714c1cd2db4e0f585faac4c4aa5ed60767de82ad6e2071dc04ee77ce1e0d07b13b76404ff4f702d8e92642e4e7fb26271c5ddc9cdd0a9fa9462ed200da9f1eefc1598d2e9223a8571a752da003f8dc0feb4c5689420aa070a6dfd817ff4a230adb91fd462457d28cc184c713740de6c68273f089d2cdb3da2c087946278ce742eea6c0c79db71604f9f737548dc70d4b0395faf74efb6685083dfedd9d576fdedecaf6f989cb47ba5f480c88693bf9667d551f9371cbf2490203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d01010b05000382010100356db2051726585975dd0817ab5829b0ddaf98c1a6093e6b9cfc1ac9303092ce7a36814b9c175290d85ed2ba723fbd222c35a33e8dd44fbfd5e6748e7f9965db830b2b8e1f1187c901c839e817843e557e417fac27662b57f07c0866ddfd7839c05cdf3300ecac6a613dbea38c05c679bdfc9de0f9746654b878b8164c2e0fbebd90e79f4613c54de9b6bc8cd546ea641441cc8eaa50d24a7ee877477996087acb3a0526cb19055fd445567201ee0e9aa3a27185aca7b238aaf03e09c0e48625361d1362d8ab34790de8f75964b0ea804d60f3a612db2135b1656ee135b133162fb5a7144979 EAP-Message = 0xc4f5629f56b2d2ad877c9f0e95d0dbc889df503804f256a9f15c160301014b0c000147030017410444f21266e2ef76f24b49a2d1298ba0fb9b8b4ab237bc3192cfe14cd9b483945bf0fb140c76e3d6b8373fe6cf35f196d80dbb6ab518ce607d7188352b54bb7e430100884a4627d70245b449cf3b47f8fd92966a406ecd73851012f6653c38d3ca0f103ba8becb7a4efc8bd96479b4b5000d3fb61c92f4e47c600a5627cb15db3c85fc6966ef134c2960148f6eaf5957d88f931eb9d54059095e17f578692c2636446141d7f90f71e83983842b03c26bf97e1e479ea05f22fccd8e810a7e980002ec5caf760b076f6808c223b8e6383df607999688f1 EAP-Message = 0x9c9f2dd70a6808508cafd093 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db2ebf2fdda40dc75c373a2704 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=140 Cleaning up request 2 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db2ebf2fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xcbe89a2a0ba23b8d1d86cf093be70f71 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x010400701900df6c1cb9c1b759665131bfae9073ef3ad48ce782a606e291da4e01b99ca31ba98eae76a2debb30500de88d8d501ab51cd644dc7024b49d898ca66093a1f3e77c3b927649b2888bd626b5fc9d872f991f8eeb7fbcbca6681f9e5f5f9fb9f7105f5d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db2fb82fdda40dc75c373a2704 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=278 Cleaning up request 3 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db2fb82fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400901980000000861603010046100000424104b66d9b6ab00da45b063d9cb5513da3c2cfc93889ea938d1089767ab4179a43c2d6df6643a1a80d9dfcd6d90ba7f910207139ed6eb3d80a02a519347e02c782d414030100010116030100309391156011db0e96ca5f5ceaf48655bf18b0b582bdeb51a7c6b1e29786386aa2e31f14d7d1893e956723584672faa544 Message-Authenticator = 0x4e7e100c4a3cd3c214daec066ef43a8e # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x01050041190014030100010116030100305ec45bfac387fd2caeb10e58160c7b3cfa6b7006d2efc8f4fdaac7d2355e62423509048ac61185f3bbc608bcd7d5b3b5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db28b92fdda40dc75c373a2704 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=140 Cleaning up request 4 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db28b92fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x9a3a385138a93fc79a810aca891342d3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0106002b190017030100204ed57ceeb6222f6ce784070d88311c2fa826741a70b374395cba4dc419a320ef Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db29ba2fdda40dc75c373a2704 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=177 Cleaning up request 5 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db29ba2fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206002b190017030100202da6b49225db08f9af496625c49dd02f91c325a48e23f77a8a0976112121b0c8 Message-Authenticator = 0x4956f1952466c46aad3bc602953ea5a5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - John Doe [peap] Got inner identity 'John Doe' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000d014a6f686e20446f65 server { [peap] Setting User-Name to John Doe Sending tunneled request EAP-Message = 0x0206000d014a6f686e20446f65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "John Doe" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 6 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry John Doe at line 90 [files] expand: Hello, %{User-Name} -> Hello, John Doe ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Reply-Message = "Hello, John Doe" EAP-Message = 0x010700221a0107001d1022248ca453e8f76ed2b3a3e2e4abbfca4a6f686e20446f65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x277ade67277dc4d2c79f13f3806da1b3 [peap] Got tunneled reply RADIUS code 11 Reply-Message = "Hello, John Doe" EAP-Message = 0x010700221a0107001d1022248ca453e8f76ed2b3a3e2e4abbfca4a6f686e20446f65 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x277ade67277dc4d2c79f13f3806da1b3 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0107004b19001703010040fb652c4ea7ddfe1e476b9f0f6e15f1da76efe99daceeaf6c08e00a6909318acbf0bf3a6695ab22844b5e4fe13e83f22d2cba465d072ab9e130631e5cb94c1089 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db2abb2fdda40dc75c373a2704 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=241 Cleaning up request 6 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db2abb2fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006b1900170301006051acaec17ba88679526186d1c88d976dcd1c63c4f97bca573a65c91f43d3a7f363d469d61085e2cebe26e3864eb231c92fe535115a36de1db188b175a82214a0e53b022065a59ebccd9b03889034034d860fb9a83889c5689d2a0fa58d0bee85 Message-Authenticator = 0xb7f6a3d2a313ce13b9df084acc27649e # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700431a0207003e313730cb5300654e05eaeeaa8d640a0e0d00000000000000000207d42bc1f0727534f312ff980b07b0c4d572994b0def6a004a6f686e20446f65 server { [peap] Setting User-Name to John Doe Sending tunneled request EAP-Message = 0x020700431a0207003e313730cb5300654e05eaeeaa8d640a0e0d00000000000000000207d42bc1f0727534f312ff980b07b0c4d572994b0def6a004a6f686e20446f65 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "John Doe" State = 0x277ade67277dc4d2c79f13f3806da1b3 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry John Doe at line 90 [files] expand: Hello, %{User-Name} -> Hello, John Doe ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: John Doe [mschap] Client is using MS-CHAPv2 for John Doe, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Reply-Message = "Hello, John Doe" EAP-Message = 0x010800331a0307002e533d44313644303030334135304437343643354233423943464536463834343643374634464434343241 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x277ade672672c4d2c79f13f3806da1b3 [peap] Got tunneled reply RADIUS code 11 Reply-Message = "Hello, John Doe" EAP-Message = 0x010800331a0307002e533d44313644303030334135304437343643354233423943464536463834343643374634464434343241 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x277ade672672c4d2c79f13f3806da1b3 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0108005b19001703010050e1d2d94cc6f03d0f088e359a933b203ec7231a1e8876f6a883a73d7688b6bece47bb79ab4fc069915e9aa828a8988b0c47b3bfe803120f54ce6f998a596f1b248a95f8e8d641c7db958611f8c4f9632b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db2bb42fdda40dc75c373a2704 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=177 Cleaning up request 7 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db2bb42fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b190017030100202bd8a62b61a412e286fc75415a50df7362211bea782fa1ffdcb2c640490881cb Message-Authenticator = 0xdb1e577830c82fd3f04cee76286dcd7b # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800061a03 server { [peap] Setting User-Name to John Doe Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "John Doe" State = 0x277ade672672c4d2c79f13f3806da1b3 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry John Doe at line 90 [files] expand: Hello, %{User-Name} -> Hello, John Doe ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 Reply-Message = "Hello, John Doe" MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x058b95207a82d4a2a1ceb223e3ca00ef MS-MPPE-Recv-Key = 0xcc842f46892378ed7a1224fd8758b728 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "John Doe" [peap] Got tunneled reply RADIUS code 2 Reply-Message = "Hello, John Doe" MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x058b95207a82d4a2a1ceb223e3ca00ef MS-MPPE-Recv-Key = 0xcc842f46892378ed7a1224fd8758b728 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "John Doe" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 192.168.1.1 port 50039 EAP-Message = 0x0109002b190017030100208b133db85b6a423a1f73511128560ffeb919667bcf93d28ba64d9d32f069591e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2cbc36db24b52fdda40dc75c373a2704 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 50039, id=0, length=177 Cleaning up request 8 ID 0 with timestamp +25 User-Name = "John Doe" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "04a151235d3c" Calling-Station-Id = "b853ac7af8af" NAS-Identifier = "04a151235d3c" NAS-Port = 45 Framed-MTU = 1400 State = 0x2cbc36db24b52fdda40dc75c373a2704 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209002b1900170301002011b49092f1de57876becec07cee215290108b267f2019129ae7873046f4f77e3 Message-Authenticator = 0x89092ff5a40a4e77f255fe33b1fdfc7d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "John Doe", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { [sql] expand: %{User-Name} -> John Doe [sql] sql_set_user escaped user --> 'John Doe' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'John Doe', '', 'Access-Accept', '2017-07-01 20:24:24') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'John Doe', '', 'Access-Accept', '2017-07-01 20:24:24') rlm_sql (sql): Reserving sql socket id: 29 rlm_sql (sql): Released sql socket id: 29 ++[sql] = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 0 to 192.168.1.1 port 50039 MS-MPPE-Recv-Key = 0x946ef363b21a7d1bbfa42cb5d45e23434493f1c464ae5005f1b8ae839803b0a8 MS-MPPE-Send-Key = 0x0ed0756c845db40fa6a544a824debc87485d003e09afed3b9536251fb6c18d9b EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "John Doe" Finished request 9. Going to the next request Waking up in 4.9 seconds. Cleaning up request 9 ID 0 with timestamp +25 Ready to process requests.
On Jul 1, 2017, at 8:08 PM, Matthew Newton <matthew@newtoncomputing.co.uk> wrote:
On Sat, Jul 01, 2017 at 11:52:04PM +0000, Brian Hogans wrote:
I'm sorry I'm still new at this. How would I get you the full debug? Or where can I find the steps to do so?
OK... same as you did before. Run FreeRADIUS like
radiusd -X
(or likely "freeradius -X" if it's Debian system). Then try and authenticate (both a successful and failed auth is best).
The stop FreeRADIUS and send all the output.
Easiest is to do something like
radiusd -X | tee debuglog
then when you Ctrl-C to quit the file "debuglog" will contain it all.
The key is to try and authenticate otherwise the debug output doesn't show what's actually happening.
But before you send it best to read the debug output through yourself. It will tell you exactly what the server is doing. Compare successful and failed and you'll hopefully see what's different and therefore what is going wrong.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html