Hi community, I keep trying in order to radius authenticate and authorize users from XP. I have a very simple configuration, only a "plain user". Please bear in mind that I've just read http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#PEAP_or_EAP-TLS_Doe.... I've put xpextensions file in the same directory that openssl.cnf. I've imported cacert.pem both Windows XP and Linux too. (Linux is an Ubuntu 7.04) I feel like a fool because I can't solve this problem being and server so easy to configure it... I've even read some RFC, but I couldn't find the problem The Access Point es a Linksys WAP54G. Please could you help me? ########## radtest output: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 2147483647 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/privandpubradius.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/privandpubradius.pem" tls: CA_file = "/usr/local/etc/raddb/certs/CA/cacert.pem" tls: private_key_password = "pepito" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.30.1.151:32836, id=114, length=58 User-Name = "esaure" User-Password = "ric54aur" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "esaure", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 154 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 114 to 10.30.1.151 port 32836 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 114 with timestamp 46fab901 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.30.1.151:32836, id=118, length=56 User-Name = "test" User-Password = "testing" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 1 modcall[authorize]: module "pap" returns updated for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 1 rlm_pap: login attempt with password testing rlm_pap: Using clear text password "testing". rlm_pap: User authenticated successfully modcall[authenticate]: module "pap" returns ok for request 1 modcall: leaving group PAP (returns ok) for request 1 Sending Access-Accept of id 118 to 10.30.1.151 port 32836 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 118 with timestamp 46fab90b Nothing to do. Sleeping until we see a request. ############### Using Windows XP this the output: # Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = no mschap: require_encryption = yes mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 2147483647 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/privandpubradius.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/privandpubradius.pem" tls: CA_file = "/usr/local/etc/raddb/certs/CA/cacert.pem" tls: private_key_password = "pepito" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.30.1.151:1030, id=49, length=98 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020100090174657374 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x783938e0109f4432b84399bad878bd2b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 0 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 49 to 10.30.1.151 port 1030 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84a491220515c511552ab706171613e1 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=50, length=187 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0202005019800000004616030100410100003d030146fac439ea8581ba21eabf553c7e2bede79d8a8b5e8050ec49018ce88e0d365e00001600040005000a000900640062000300060013001200630100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x84a491220515c511552ab706171613e1 Message-Authenticator = 0xf94bf86181675508eb38163c3ccdb58a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 50 to 10.30.1.151 port 1030 EAP-Message = 0x010303861900160301004a02000046030146fac4f81d7c08476b0948611ad7e1d430ac48de3ece9df4a2657b53903d14a420be0aa5ecc0d3b39cfa23ccc8fdf0e89ab2d8bede855333a1a1b3d9206783405100040016030103230b00031f00031c000319308203153082027ea003020102020101300d06092a864886f70d01010405003081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f06 EAP-Message = 0x0355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932363139333435395a170d3038303932353139333435395a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e6574311930170603550403 EAP-Message = 0x13106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100eae88c4ee5755bcff546c3a68bab7b736e6f65d8606c1aadecf6992e59f340adddb323e7a3400a65e50cc80d7dd9ad58d86e50755c9e7e16640cd216ce68ce368aa37792817f1fc9aa30a016a3ee11ef5ab0b70d75543ec1aa8786d84caa7e6fe65bd4d9717cbf419d04f08181a24aa3591b1254bd78c4493f7424ccce2c1f150203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf67d20ce350871f2a01558b626942ec1 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=51, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020300061900 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xf67d20ce350871f2a01558b626942ec1 Message-Authenticator = 0xff8212d6d6cf53f90aa029b7e1750412 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 2 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 51 to 10.30.1.151 port 1030 EAP-Message = 0x010400061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6718a187125536104c34d39a67d872ae Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 49 with timestamp 46fac4f8 Cleaning up request 1 ID 50 with timestamp 46fac4f8 Cleaning up request 2 ID 51 with timestamp 46fac4f8 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.30.1.151:1030, id=52, length=98 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020100090174657374 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0xa50d51122cbcbca9b42f183e87bcf2ff Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 3 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 52 to 10.30.1.151 port 1030 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2f11f2363c9058735a8cf115c21579b Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=53, length=187 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0202005019800000004616030100410100003d030146fac440ecd88b50f115a021416ea93ede6ca1ae6530c8aeee1359ebe421693700001600040005000a000900640062000300060013001200630100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xf2f11f2363c9058735a8cf115c21579b Message-Authenticator = 0x6a66b60b4c1c090bd1fefdb7af34f958 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 53 to 10.30.1.151 port 1030 EAP-Message = 0x010303861900160301004a02000046030146fac4feae310afd57f4d452d3ca2c1b9ade58df6c5ef678849403348d9434a920d2ca33e32297851bbec15b48031db583cad63e4e78827d50403ff35a801aa36200040016030103230b00031f00031c000319308203153082027ea003020102020101300d06092a864886f70d01010405003081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f06 EAP-Message = 0x0355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932363139333435395a170d3038303932353139333435395a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e6574311930170603550403 EAP-Message = 0x13106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100eae88c4ee5755bcff546c3a68bab7b736e6f65d8606c1aadecf6992e59f340adddb323e7a3400a65e50cc80d7dd9ad58d86e50755c9e7e16640cd216ce68ce368aa37792817f1fc9aa30a016a3ee11ef5ab0b70d75543ec1aa8786d84caa7e6fe65bd4d9717cbf419d04f08181a24aa3591b1254bd78c4493f7424ccce2c1f150203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x686966e2c087d527da96cedec3d51618 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=54, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020300061900 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x686966e2c087d527da96cedec3d51618 Message-Authenticator = 0xefee4d42ec5b5f3d2df4736ac0549665 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 5 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 54 to 10.30.1.151 port 1030 EAP-Message = 0x010400061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbbcbe3c8e9f43cc41e8360e599a5e6fa Finished request 5 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 52 with timestamp 46fac4fe Cleaning up request 4 ID 53 with timestamp 46fac4fe Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 54 with timestamp 46fac4ff Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.30.1.151:1030, id=55, length=98 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020100090174657374 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x9917ffe1cd380b71e40ed91da13f7fc1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 6 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 55 to 10.30.1.151 port 1030 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0335900dbfb1bdd2b0c17674b7db419b Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=56, length=187 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0202005019800000004616030100410100003d030146fac4468988f6080cf3248a01b110b6d0700b5487d62a114569b3a3dbf139eb00001600040005000a000900640062000300060013001200630100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x0335900dbfb1bdd2b0c17674b7db419b Message-Authenticator = 0xd856025ba1d1a5bddc8181150745851a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 7 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 56 to 10.30.1.151 port 1030 EAP-Message = 0x010303861900160301004a02000046030146fac50534eb4850570c0325e3c7f6246748938e0249450ac708cd04fe50d068206336c683e84a2a2eaaaaebafdc7416f0891727fae17795cdc92267e5035a75e200040016030103230b00031f00031c000319308203153082027ea003020102020101300d06092a864886f70d01010405003081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f06 EAP-Message = 0x0355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932363139333435395a170d3038303932353139333435395a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e6574311930170603550403 EAP-Message = 0x13106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100eae88c4ee5755bcff546c3a68bab7b736e6f65d8606c1aadecf6992e59f340adddb323e7a3400a65e50cc80d7dd9ad58d86e50755c9e7e16640cd216ce68ce368aa37792817f1fc9aa30a016a3ee11ef5ab0b70d75543ec1aa8786d84caa7e6fe65bd4d9717cbf419d04f08181a24aa3591b1254bd78c4493f7424ccce2c1f150203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb877e283342bd8b279df59890c6bf865 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=57, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020300061900 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xb877e283342bd8b279df59890c6bf865 Message-Authenticator = 0xbf5b398977c45e8cf03ee239066a4c22 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 8 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 57 to 10.30.1.151 port 1030 EAP-Message = 0x010400061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x869911e557010be04e131fecf32148c2 Finished request 8 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 55 with timestamp 46fac505 Cleaning up request 7 ID 56 with timestamp 46fac505 Cleaning up request 8 ID 57 with timestamp 46fac505 Nothing to do. Sleeping until we see a request. Config Files: ###### radiusd.conf ####### prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 30 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } $INCLUDE ${confdir}/eap.conf mschap { use_mppe = no require_encryption = yes } ldap { server = "ldap.your.domain" basedn = "o=My Org,c=UA" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users preproxy_usersfile = ${confdir}/preproxy_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } $INCLUDE ${confdir}/sql.conf radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } sqlcounter dailycounter { counter-name = Daily-Session-Time check-name = Max-Daily-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = daily query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } sqlcounter monthlycounter { counter-name = Monthly-Session-Time check-name = Max-Monthly-Session reply-name = Session-Timeout sqlmod-inst = sql key = User-Name reset = monthly query = "SELECT SUM(AcctSessionTime - \ GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \ FROM radacct WHERE UserName='%{%k}' AND \ UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'" } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { exec expr } authorize { preprocess chap mschap suffix eap files pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp } session { radutmp } post-auth { } pre-proxy { } post-proxy { eap } ####### eap.conf ####### test Cleartext-Password := "testing" DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP ######### eap.conf ######### eap { default_eap_type = peap timer_expire = 6000000000 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = pepito private_key_file = ${raddbdir}/certs/privandpubradius.pem certificate_file = ${raddbdir}/certs/privandpubradius.pem CA_file = ${raddbdir}/certs/CA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random } peap { default_eap_type = mschapv2 } mschapv2 { } } ######### Output when using Linux supplicant: ################ rad_recv: Access-Request packet from host 10.30.1.151:1030, id=58, length=98 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020100090174657374 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x1fb2a16573be8af3a6d5ac9c59ef92db Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 9 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 58 to 10.30.1.151 port 1030 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1d3ba592915afdf20265d5bb6c7465 Finished request 9 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=59, length=200 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0202005d190016030100520100004e030146fac7de8347c7d2fceb438f22f51dcde2c61953096e9a37753b9d4a649e0cee00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x1a1d3ba592915afdf20265d5bb6c7465 Message-Authenticator = 0x903c36b969609a7633037b48094f00b9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "chap" returns noop for request 10 modcall[authorize]: module "mschap" returns noop for request 10 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: EAP packet type response id 2 length 93 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 10 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 10 modcall: leaving group authorize (returns updated) for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 10 modcall: leaving group authenticate (returns handled) for request 10 Sending Access-Challenge of id 59 to 10.30.1.151 port 1030 EAP-Message = 0x0103040a19c000000492160301004a02000046030146fac8811f6b21a7e9d3f8a681c0f24e10745b0ad3b21d531b991ea628630eed20b2e785e58cd451052eae3eb8af543ca4b7a6c94ef0d0e2bfe98933776153425900390016030103230b00031f00031c000319308203153082027ea003020102020101300d06092a864886f70d01010405003081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31 EAP-Message = 0x11300f060355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932363139333435395a170d3038303932353139333435395a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e65743119301706 EAP-Message = 0x0355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100eae88c4ee5755bcff546c3a68bab7b736e6f65d8606c1aadecf6992e59f340adddb323e7a3400a65e50cc80d7dd9ad58d86e50755c9e7e16640cd216ce68ce368aa37792817f1fc9aa30a016a3ee11ef5ab0b70d75543ec1aa8786d84caa7e6fe65bd4d9717cbf419d04f08181a24aa3591b1254bd78c4493f7424ccce2c1f150203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7 EAP-Message = 0x0d010104050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f5160301010d0c0001090040e0fd054064941dc533d1652a3e0d1e3585141db612f40f4c306445ebe1cac307043f8709844b12fef4e2a21f5d3b68e0feaf805fde6518baf5d7de0c7b8b2f0300010500405f5c7bc6cfe5e7532afca872913d35c8b5731a43add51cea771459b606333662e7dc93 EAP-Message = 0x8950ea09d12b2097543f9d5b2f099ed5f4f312a357ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc29cc4fd6a04b0ef2cbb64df46562bdb Finished request 10 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=60, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020300061900 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xc29cc4fd6a04b0ef2cbb64df46562bdb Message-Authenticator = 0x322fdf179efffc12c59e9ec874899e8e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 modcall[authorize]: module "preprocess" returns ok for request 11 modcall[authorize]: module "chap" returns noop for request 11 modcall[authorize]: module "mschap" returns noop for request 11 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 11 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 11 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 11 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 11 modcall: leaving group authorize (returns updated) for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 11 modcall: leaving group authenticate (returns handled) for request 11 Sending Access-Challenge of id 60 to 10.30.1.151 port 1030 EAP-Message = 0x010400981900fabe1a17cb2a1300809cbc50d12dbb35266732bf1e5fe7b842781cd34d0ebebad76df36c0bca11ce22b5fa5b24a9dab4832393079f61565ba8f848096f3c60f27ffabad67deee72ffd2e7ebdc2b053a923f250cdfa2d2e9aa6eeba4ae77e53558c29fd53b8821552746f698cfb830f277f0a10de5f98c0201a6a566798cccfa3035b2eeba716ce6c9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0acf35717843bc3dd822134a8499127d Finished request 11 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1030, id=61, length=120 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0204000d190015030100020230 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x0acf35717843bc3dd822134a8499127d Message-Authenticator = 0x5a0d79c56e88c6b6f0bdc193f1a6c701 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 12 modcall[authorize]: module "preprocess" returns ok for request 12 modcall[authorize]: module "chap" returns noop for request 12 modcall[authorize]: module "mschap" returns noop for request 12 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 12 rlm_eap: EAP packet type response id 4 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 12 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 12 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 12 modcall: leaving group authorize (returns updated) for request 12 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 12 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 12 modcall: leaving group authenticate (returns reject) for request 12 auth: Failed to validate the user. Delaying request 12 for 1 seconds Finished request 12 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 58 with timestamp 46fac881 Cleaning up request 10 ID 59 with timestamp 46fac881 Cleaning up request 11 ID 60 with timestamp 46fac881 Sending Access-Reject of id 61 to 10.30.1.151 port 1030 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 12 ID 61 with timestamp 46fac881 Nothing to do. Sleeping until we see a request. ######## Gracias de antemano... -- Sergio Belkin Teléfonos 15-6119-2226 // 4788-8605 ----------------------------------------