Hello, I am trying to implement WPA Enterprise / 802.1X, Freeradius and Kerberos. The client is a Linksys running DD-WRT. The Supplicant is Mac OS Laptop. Both are most recent versions of OS. I can exececute radtest on localhost and authenticate through Freeradius to my KDC. I can get my wireless AP to authenticate through WPA if the user is located in /etc/raddb/users. I cannot get all the pieces working together. Laptop->AP->Freeradius-
Kerberos.
I can see this problem has been posted to the list many times, and I have read all the archived followups to no avail. I apologize for bringing it up again. Thanks for reading the details below and I sincerely appreciate your time and assistance. Here are the details: FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu All conf files are freshly installed default, with ONLY the following exceptions: == /etc/raddb/users = (1st line) DEFAULT Auth-Type = Kerberos == /etc/raddb/clients.conf == client wireless { ipaddr = 10.3.10.244 secret = testing123 require_message_authenticator = no nastype = other } == /etc/raddb/modules/krb5 == krb5 { keytab = /etc/krb5.keytab service_principal = radius/phylloxera.int } == /etc/raddb/sites-enabled/default == (authenticate section, added just after pap) Auth-Type Kerberos { krb5 } == /etc/raddb/sites-enabled/inner-tunnel == (authenticate section, added just after pap) Auth-Type Kerberos { krb5 } Here is the debug when I execute /usr/sbin/radiusd -X [root@phylloxera raddb]# /usr/sbin/radiusd -X FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec 8 2008 at 16:00:08 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/krb5.rpmsave including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/ sqlcounter_expire_on_login including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client wireless { ipaddr = 10.3.10.244 require_message_authenticator = no secret = "testing123" nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_krb5 Module: Instantiating krb5 krb5 { keytab = "/etc/krb5.keytab" service_principal = "radius/phylloxera.int" } rlm_krb5: krb5_init ok Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m %d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=125 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000b01746573746572 Message-Authenticator = 0x21503e7549c19cf09711c9f0e287924d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010100160410b73513541291ee275ba096e282e75d16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cd8d359f12250e26f4639c84 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 0 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cd8d359f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0xca9d479dd79b6db64344460001c1dcff +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cc8e289f12250e26f4639c84 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=244 Cleaning up request 1 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cc8e289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202007019800000006616030100610100005d03014a046f6ffd4622727b7fe840548093a6cd6529401366712b6a4a021431d0890e000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 Message-Authenticator = 0xc01bb915e0c7c19e635ab791c0a6f397 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 075b], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0103040019c000000798160301002a0200002603014a046f70d73689ab83ac05850c5bd976108681d95b675f64a04355c10acba8f300002f00160301075b0b0007570007540003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303431353231323835395a170d3130303431353231323835395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c21fdea27ea336dee51d82d37aa2cd6cb5ac428edc9589e722a11dd0b6d2406a3424524f18f4a4ac96cf1fe7efc4181966d8e3feb450d6d77663a5dc055b EAP-Message = 0xb70617d30dec2ade308d5e6530e8a10239e8031b19e63a9e47a910d1001d2467f2698e7bda7440f9836e836ae8cfa0e0a399ba4daecbb10a39e87779c171f508403da72423897f9c29dc234729bc3e65f504a3008281ec186af0b66d3a85556c9155815a827275fdb08bbc88b853df3302f319e3797db5e4c73c35440ac088bb6f844de1f658e38f9d03065f1eb1753f1f366af383b8554dcb18515f8a6bdb218b193d22ecf42b31b5e90360f0c660874b06eceab5ce20164d113703bb519f897fe10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100ade71a6cecf1ac01e6 EAP-Message = 0xb8b60a0d957897b4d4150ad59299f204cae4806c36bb0c3df5dae241cbf61f9301544e29e51adc5836c0fe2c959c80f77ab2bd91e1a1faf7d42993133d836e4dc772edf387cb4972fcbed57654f0ec76218e39e550a45e7b772a5ef589e8f640da93a36de0d1dc9a24c05f46951ab9c0a74eacf63f4f12366007fdbc01e318dea668aabde8b3a27be808375ab6738e15f9c86478624d81b7af3d60ce6e0e2af140488e82c6ebc7876da321fdc5ff8306e02a7d0e2d4f8dcde33eaf4c0d7ea406bd6637dfc60149e46560bc24c1590514228aebfbeba23035df53620a390643848ceb4a848e6e873e194155abfb769df3b709a7f325735d0003a8308203 EAP-Message = 0xa43082028c020900b50dced6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cf8f289f12250e26f4639c84 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 2 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cf8f289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x4efdc7a65d9102db211286ea4c3cbe37 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010403a81900f8537e02300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303431353231323835375a170d3039303531353231323835375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f EAP-Message = 0x6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d962c5440c1a7bf32c6cb7cf58cd4070ab1636d5bf0ca68ebcba4b97ec334a2672535a2ee47eb748a00041f3bc24c445e0c7fe7b1dc4ebcd64135451cd43934da86062a857131028e4a3be090b3d3fb774e5902597fc5c92ca1477d167014f49cd1b8f64b6d3a8e44a10734214fc8afd90dbd5e6 EAP-Message = 0x6b9ae7842a9fd5e9ff345e2a0a2ee39b7843a83ee1c05977ff5f05a8ec2a28515e402ec7e46a689977997d3d7b6b7b993dede03acee50e9b874d0d4fdfed37c0522512e03fa0cc040fd0d21cfacad236701204b05e9b72599e1ed17676c716da4e6907bf79de552365c842e55232bd29147fe17251edff51532e3c8810627e877d3ae0867a0fb3bd3ee712bf0203010001300d06092a864886f70d010105050003820101002ad962118ec199e96e24d6f6126e922ae96d14046ca2d1b4648610c97263f5df1d79e7ff2e5371ac3ca567c3fa98020582d955cc9a8e530910a2bae4772dfb102a1b061637c113cbc44dd22e3411b0c4f88afc2e946ead82 EAP-Message = 0xf7e596c56cb721acd62de2a4a89f772f74f4afac32c719b6280a4a5b29da6104c43e970ace2d6c7dc883b2c3eb9b3415e59b271fe2109460fdf1ab1d359fdc5ac71bcda1f350b6c951a3197cebb1be60f811bfe6b93d709455ee6d3f82e571318ebb2aa63fdd0916f4d93707b569ded3f429a4d7772d54d22274902a4c2338a3a6d269704e39ae5d83444a424c9ef607dd51c7a80157542bd8700e8d6c15bacc6f9032fdd0d7e6eb16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9ce88289f12250e26f4639c84 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=470 Cleaning up request 3 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9ce88289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204015019800000014616030101061000010201003b6a2b000b3edb3d8cfe2c7f98cccec696da6b9b38b21f0578e81534a5c3648e69c385a881e3071c633be194e036610c9485c0a435a3a3650c6f8410b5f2c651b4e8dfa827bedc6d9b7b7368af7b6ea9b8cc90df5227d46674ee65faff16e9e59aee2ad25d7452c54672464c06016cd4b34572170fd22ec0bc47a1bd330a17a46870694f269d88918e85793dcd68717483fa18bb509b492019f60e16cd467a6fae08e6ef9628e7c7dd32e15edcc6702e0f013c92d8ac953a751b35eeeda81268affd614a0491572dbff57d953a5ee96c2e100ad030a6e66d0ef5278ce1933a3652550c3db81e7169 EAP-Message = 0x5a6b42214104860bf1ff779d53c7369fc901e893cb13b70f1403010001011603010030523195a3c58ba7ffeac0e5c403f0ca3878dca29734948add69ddc734524a39037ac173eccf4d87495bcdc2bc32ee3d86 Message-Authenticator = 0xdef03fe0f2fd1527dad419f0ca4a82cb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0105004119001403010001011603010030d233d2d55b9a4773b9280a7c9a51eb7bb57d670664b97b90caa2f8b55fc49d00a4eea9079926b55a97ea4e5fd0139e40 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9c989289f12250e26f4639c84 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 4 ID 0 with timestamp +69 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9c989289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x5f15431a241e9da035a94719d1e153fd +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0106002b190017030100202422b6d3cc58e9c4df6ddb64156b89872d122024724063adbb8dd5d4d59c1dfd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9c88a289f12250e26f4639c84 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 5 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9c88a289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206002b190017030100203b73588928855c05e8404224d308d774c925f454228cd76ac9d9ff8c7a501ad9 Message-Authenticator = 0xdc1cd39179ef119fe82530251f72204d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - tester [peap] Got tunneled request EAP-Message = 0x0206000b01746573746572 server { PEAP: Got tunneled identity of tester PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x0206000b01746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700201a0107001b10e3d69f888fd1a1c22ab23fdb0406c09d746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe925397ee9222325c5dc4fd26464f2d4 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700201a0107001b10e3d69f888fd1a1c22ab23fdb0406c09d746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe925397ee9222325c5dc4fd26464f2d4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0107004b190017030100407c2585d5e3825e8c2a2405ff40a4a1b1bac08fc2db4a7f47db9369554831651a5092924a410547a5aa77723734e88014b3efcf29f2d4727e8a8db9b2cbc0e7f9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9cb8b289f12250e26f4639c84 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=239 Cleaning up request 6 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9cb8b289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006b190017030100603baa25744d564eb3059d38dce66a6fbc9fc3d266380331153f90a67b079e2c023477c06ad51ea3c0639af5af9e8adea052387c1cc106d093f08bc1913f28228514d90caa0c377b3159424b1759395805f8f2c1455e1d724f66240edd2b30ca23 Message-Authenticator = 0x87c4ccaca90ff6414683bf77e1b9dfb5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700411a0207003c31f415ae70d8b3ae03bd6f856609f16b1600000000000000001486deed28060aea0af3df3e5f8887229975398b0694667a00746573746572 server { PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x020700411a0207003c31f415ae70d8b3ae03bd6f856609f16b1600000000000000001486deed28060aea0af3df3e5f8887229975398b0694667a00746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" State = 0xe925397ee9222325c5dc4fd26464f2d4 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for tester with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0108002b19001703010020bc216b00504ff8add69117afc6cc7e928e4240d2bfcebe8be6530eab97bdf092 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8c31a9ca84289f12250e26f4639c84 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 7 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0xcd8c31a9ca84289f12250e26f4639c84 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b19001703010020ef084f918baf1609d5265d80d08eff32798f600b5c92db2cb8e274078fbcc824 Message-Authenticator = 0x5699520904f01c53d5352d8738666a1a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> tester attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=125 Cleaning up request 8 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000b01746573746572 Message-Authenticator = 0x3194e7f8f7a958e666638cd3182ddf80 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010200160410f7612c264c829c4995aa9cda0e9b127c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c578de5c52e669b108f8455764 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 9 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c578de5c52e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200060319 Message-Authenticator = 0xa9a0893329cc091115343940f725fcec +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c579df4152e669b108f8455764 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=244 Cleaning up request 10 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c579df4152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203007019800000006616030100610100005d03014a046f6f7d6aaeb890601ac86bcecc8affe25094a4150fb95cbf3f7e1d160646000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 Message-Authenticator = 0xe3c10ee0699969c4312d3bf0b58056d6 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 075b], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0104040019c000000798160301002a0200002603014a046f71c8aacead425cef78684cae50dc0259c36026fbce1a09cb7e080a6f8c00002f00160301075b0b0007570007540003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303431353231323835395a170d3130303431353231323835395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c21fdea27ea336dee51d82d37aa2cd6cb5ac428edc9589e722a11dd0b6d2406a3424524f18f4a4ac96cf1fe7efc4181966d8e3feb450d6d77663a5dc055b EAP-Message = 0xb70617d30dec2ade308d5e6530e8a10239e8031b19e63a9e47a910d1001d2467f2698e7bda7440f9836e836ae8cfa0e0a399ba4daecbb10a39e87779c171f508403da72423897f9c29dc234729bc3e65f504a3008281ec186af0b66d3a85556c9155815a827275fdb08bbc88b853df3302f319e3797db5e4c73c35440ac088bb6f844de1f658e38f9d03065f1eb1753f1f366af383b8554dcb18515f8a6bdb218b193d22ecf42b31b5e90360f0c660874b06eceab5ce20164d113703bb519f897fe10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100ade71a6cecf1ac01e6 EAP-Message = 0xb8b60a0d957897b4d4150ad59299f204cae4806c36bb0c3df5dae241cbf61f9301544e29e51adc5836c0fe2c959c80f77ab2bd91e1a1faf7d42993133d836e4dc772edf387cb4972fcbed57654f0ec76218e39e550a45e7b772a5ef589e8f640da93a36de0d1dc9a24c05f46951ab9c0a74eacf63f4f12366007fdbc01e318dea668aabde8b3a27be808375ab6738e15f9c86478624d81b7af3d60ce6e0e2af140488e82c6ebc7876da321fdc5ff8306e02a7d0e2d4f8dcde33eaf4c0d7ea406bd6637dfc60149e46560bc24c1590514228aebfbeba23035df53620a390643848ceb4a848e6e873e194155abfb769df3b709a7f325735d0003a8308203 EAP-Message = 0xa43082028c020900b50dced6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57ad84152e669b108f8455764 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 11 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57ad84152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0x05c66744945082f28f36c2771a60e3f2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x010503a81900f8537e02300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303431353231323835375a170d3039303531353231323835375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f EAP-Message = 0x6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d962c5440c1a7bf32c6cb7cf58cd4070ab1636d5bf0ca68ebcba4b97ec334a2672535a2ee47eb748a00041f3bc24c445e0c7fe7b1dc4ebcd64135451cd43934da86062a857131028e4a3be090b3d3fb774e5902597fc5c92ca1477d167014f49cd1b8f64b6d3a8e44a10734214fc8afd90dbd5e6 EAP-Message = 0x6b9ae7842a9fd5e9ff345e2a0a2ee39b7843a83ee1c05977ff5f05a8ec2a28515e402ec7e46a689977997d3d7b6b7b993dede03acee50e9b874d0d4fdfed37c0522512e03fa0cc040fd0d21cfacad236701204b05e9b72599e1ed17676c716da4e6907bf79de552365c842e55232bd29147fe17251edff51532e3c8810627e877d3ae0867a0fb3bd3ee712bf0203010001300d06092a864886f70d010105050003820101002ad962118ec199e96e24d6f6126e922ae96d14046ca2d1b4648610c97263f5df1d79e7ff2e5371ac3ca567c3fa98020582d955cc9a8e530910a2bae4772dfb102a1b061637c113cbc44dd22e3411b0c4f88afc2e946ead82 EAP-Message = 0xf7e596c56cb721acd62de2a4a89f772f74f4afac32c719b6280a4a5b29da6104c43e970ace2d6c7dc883b2c3eb9b3415e59b271fe2109460fdf1ab1d359fdc5ac71bcda1f350b6c951a3197cebb1be60f811bfe6b93d709455ee6d3f82e571318ebb2aa63fdd0916f4d93707b569ded3f429a4d7772d54d22274902a4c2338a3a6d269704e39ae5d83444a424c9ef607dd51c7a80157542bd8700e8d6c15bacc6f9032fdd0d7e6eb16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57bd94152e669b108f8455764 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=470 Cleaning up request 12 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57bd94152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205015019800000014616030101061000010201004202367899c3b793e58f85eec54ec3d11ea5c6800f075d699049871581144420a8d3dc1f2754eff11d2bf4203b2398b5a7a994b8de84c2f9e3d976e28e8576978d43173d352cfcf5cce2da6374106face22df881f22b3783440ff08496e7c85a180ba55837efc2ce7bc8d2dfb5e6db95b957c6caebf2dd48eee51b2314de51cde52bb1f3578efe428ac32c5a4f1a8263315fd59799e5449c166704227f3d1765891b47808ec9775bfe6863f9a75337c5968f2b81a3dc05f09ceb1151b9875c82f3c663958f578dc2b82c6fe04a949539041875efa0de9eae9e772592e6ae7f1b3d0328b6ad6a3a92 EAP-Message = 0xdd6767afc3d0ffaceeca4952958bf89b71f6e1d7d4b649b51403010001011603010030c258f6ca81c4367137829a379f872c85f15ec4e0ac8f51ed46ac28fb62eb72fa696e0ea9d4e0e443bec9c6535d7bc46a Message-Authenticator = 0x4f3f3f37579e8ad0b7066fa0405493b0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0106004119001403010001011603010030795e90a9ee62aefc345d48a85c3773deb9e5c7ca96666cab97a391a7270d20124acd3d2e60516e1437b69176e43a3f06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57cda4152e669b108f8455764 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=138 Cleaning up request 13 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57cda4152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x0127c630203668e74ce78a8061760d8a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0107002b190017030100209f2268fee846793f5e2d91120ef82714cd39e92edbb90bb6a78247708dc580ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57ddb4152e669b108f8455764 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 14 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57ddb4152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207002b19001703010020d1323b8745befe8dd0d52860fa045bff328dd0064886b2e1f65f720a8c6903ec Message-Authenticator = 0xd56322919087c0d758cb8ec640899a42 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - tester [peap] Got tunneled request EAP-Message = 0x0207000b01746573746572 server { PEAP: Got tunneled identity of tester PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x0207000b01746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800201a0108001b10487952190361a4bc6c5211037f944c43746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64d177e764d96d1b400f4dd37b7bca98 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800201a0108001b10487952190361a4bc6c5211037f944c43746573746572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64d177e764d96d1b400f4dd37b7bca98 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0108004b19001703010040d219d80fa26576c8ce19ab7a9e891944155f20b7e19366e64b8975cbf8731f837b9dba4205dc568e146fd55941531e0b8d2669ec7dd8a0f2bf4dfe7f8357f2b2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57ed44152e669b108f8455764 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=239 Cleaning up request 15 ID 0 with timestamp +70 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57ed44152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208006b19001703010060bc0f8394d7a2889505db5d86be74fcfe859175dcdcbedd71a0c628ea107f34adb0a24bbdf710f0dd7219fea3387b0faa439facdaaf73bbef0b04b0ccf3c974df2cf4239525aa3638a8223a6bce230ab8ca0628a5fcfa3f020b4edf78b2ab0a7a Message-Authenticator = 0xd95188675b4fad312942d9c5f83398af +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800411a0208003c31944d3962585fa4571e78b1701f226610000000000000000026c2cd378ca09641cc901c546d5cb398beb1288fd42726c000746573746572 server { PEAP: Setting User-Name to tester Sending tunneled request EAP-Message = 0x020800411a0208003c31944d3962585fa4571e78b1701f226610000000000000000026c2cd378ca09641cc901c546d5cb398beb1288fd42726c000746573746572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tester" State = 0x64d177e764d96d1b400f4dd37b7bca98 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for tester with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x0109002b1900170301002060bfbfb66c2bd64e39f20872626195a181c0c08bca0521ea5b49bfac3a094a12 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x78dc58c57fd54152e669b108f8455764 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0, length=175 Cleaning up request 16 ID 0 with timestamp +74 User-Name = "tester" NAS-IP-Address = 10.3.10.244 Called-Station-Id = "001a70e1d008" Calling-Station-Id = "0017f242d025" NAS-Identifier = "001a70e1d008" NAS-Port = 55 Framed-MTU = 1400 State = 0x78dc58c57fd54152e669b108f8455764 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209002b19001703010020602339290ccce2168a04de6503cc6adcfdbb2e0c274149a39c0980b0c64e6491 Message-Authenticator = 0xaff4f98041cc4d8d802f7e234a36ec41 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "tester", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> tester attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 17 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 17 Sending Access-Reject of id 0 to 10.3.10.244 port 1027 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 17 ID 0 with timestamp +74 Ready to process requests. Scott Sears scott@myemma.com