Thanks a lot Matthew. I am still not close to what I want. So far using the GroupNumber does not work yet. My groups in the openldap do not have memberUid on each group but only a gidNumber which is under each user. dn: cn=students,ou=Groups,dc=testexample,dc=com objectClass: posixGroup cn: students gidNumber: 5000 So I maybe misunderstanding how the ldap.attrmap works and how to assign values to radius attributes. I created in the dictionary an integer attribute ATTRIBUTE GroupNumber 3003 integer And then I put in the ldap.attrmap file: checkItem GroupNumber gidNumber and my users file includes: DEFAULT GroupNumber == 5000 Filter-Id ="UNP-Corp" but when I see the output , I still see: [ldap] gidNumber -> GroupNumber == 5000 ++[files] returns noop after more reading more I see that replyItem at the ldap.attmap assign the attribute with "=". So I tried that as well but the users file still returns noop. But I saw that GroupNumber now equals 5000 but the users file returns noop with the check groupNumber == 5000 [peap] Got tunneled reply RADIUS code 2 GroupNumber = 5000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xee4a4eb1daeee77d3db5c2630ef2bd69 MS-MPPE-Recv-Key = 0x24bb1af26320924243f5d7704278df1a EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "javier" Filter-Id = So I will try to check what I need to use Ldap-Group. Looks to me I need to add GroupofNames in each of my groups and each group like students should have also memberOf as well. Below is the whole output with checkitem GroupNumber gidNumber. Thanks for any advice, David FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Feb 24 2014 at 15:16:51 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.242.254.254 { require_message_authenticator = no secret = "testing123" shortname = "ldap-switch" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "localhost" port = 389 password = "test2004" identity = "cn=admin,dc=testexample,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=testexample,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr = "dialupAccess" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP gidNumber mapped to RADIUS GroupNumber rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x93b1128 Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" } Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=215, length=105 User-Name = "javier" NAS-IP-Address = 10.242.254.254 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0200000b016a6176696572 Message-Authenticator = 0xd227f5b5ed3998c8ca99f51619ece5c9 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=testexample,dc=com -> dc=testexample,dc=com [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> javier [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=javier) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=testexample,dc=com/test2004 to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=testexample,dc=com, with filter (uid=javier) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=students,ou=Groups,dc=testexample,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=students,ou=Groups,dc=testexample,dc=com not found or user is not a member. ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 215 to 10.242.254.254 port 1096 EAP-Message = 0x0101001604105f62eeb37a57a6229642ce48bb7a9428 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116003efdfae16a97bdb417a13 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=216, length=118 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116003efdfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x020100060319 Message-Authenticator = 0x63b69a602348a027f3bba2ab18040515 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=testexample,dc=com -> dc=testexample,dc=com [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> javier [files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=javier) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=testexample,dc=com, with filter (uid=javier) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=students,ou=Groups,dc=testexample,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=students,ou=Groups,dc=testexample,dc=com not found or user is not a member. ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 216 to 10.242.254.254 port 1096 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116100f2dfae16a97bdb417a13 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=217, length=219 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116100f2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0202006b198000000061160301005c01000058030155e9f43c98779fc365b33bd57265e3e6eb9e9dbf7d7d76e42fdfa74558054add000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 Message-Authenticator = 0x20758232dd351bf89e6c631675fe0ced Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 97 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02ac], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 217 to 10.242.254.254 port 1096 EAP-Message = 0x010302f6190016030100310200002d030155e9f43cf7e3582ffdeadb131b48a8105c3ec9b3dbbee7129bf78396a3c367b7000035000005ff0100010016030102ac0b0002a80002a50002a23082029e30820186020900f110e01208f73412300d06092a864886f70d01010505003011310f300d060355040313067562756e7475301e170d3133303631353031353130335a170d3233303631333031353130335a3011310f300d060355040313067562756e747530820122300d06092a864886f70d01010105000382010f003082010a0282010100aa7bbf84790314288b6502a71473e60b430317330ed2f25d1522b93cc4fb4f43d85243cfcaeb8b7680 EAP-Message = 0x04eb7b41349f34b43b5e8f9af52fc49311b5b2fe08fc74b29db8015fe6f2a9896f63080a079aa779a62c64b962341acb140b7d2415bb67a93583fd1d340769103bb955dbf24ef36f07f0b1e227626b659e62ed0f487abef679edbce503fe7a53bd37db38f7290dd719bdcac5009450b5f1c6b448c1108c68b27adf3ddf4610d38054e2a09c2a3e622711150357388637de11fad849185f7742cd3ebf54125145a9a49d56a648c7e817649d14d65234ff2d927efb26321e79851fe5b631021fbc7a94b9d43f036476994c48afa98506ef41751d525fb04b0203010001300d06092a864886f70d0101050500038201010015eddb2e324a5e49273001d6f6 EAP-Message = 0xb2805a5578995f1ee22286f4a35e90823af81cd309da655f3373c7920de53673445afd95935f95151befea7b5007bcf7a9db41e0686ba4216ab979182929830fc0e44f8497873feb34e8c2d0503911d70d718ff63f1caa87226231f316ee3bd407457f0d40af68dbaf5313d471a774e7f66bc12e426e01b88c22c6ed7778bd55dbf99cd16cbf56871bf24de914af12355ce07841102a1b22b21d983f08973881faaa6fe293dcc2058b4da434a294ef225d1f1d1a6d1f4c1bbcb8a3eb742ebab0d6c81d3578b1b72081ea3a63be643bff8f5bd30f67698f04405a6fc03802e51a6805943a178f73fa6e01c18294004c1c12454c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116201f2dfae16a97bdb417a13 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=218, length=450 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116201f2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0203015019800000014616030101061000010201002d0b69fd1f2d08388844fe6560b08de30622939cee3fca1cac6e976a7ba38beeefa35d55f0fa22e09fe8547ebc2ccd6710e9cc80bab775073cb42916066669c9caa824f3b5acba021b258c4e888375a407e1b22b02b1afaa59583dc43a9e36d74cb4c58eaf32a8ccdfe0c6d6749dc74e89f3fb3f200c83b1ccc607398be8bd891a814effa1e6fce4762e6ad0e8ac864ac7c0bd6993492cd80751e2c833d884e4d73c0cb7680c3f7ddf1430fbac683764d7198cf6e765f9be69fe90b28a8e95f3d092b64997ca9df221d5c1a6d180cf0597452acc8821cc8da27a375bf573248c1eca7ddb97d717de EAP-Message = 0x21ff25bd7af1a2fa513ee10034551d035c8715b1be186c2a1403010001011603010030c7b0c623e48c6d63cc9459c9319b392fd45966dc18273214ef61d15e463bcea0a524f565a814ac52d662f9b6fbe61517 Message-Authenticator = 0x7e43051ba39cc2924835a196ff7d2c22 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 218 to 10.242.254.254 port 1096 EAP-Message = 0x0104004119001403010001011603010030f65890b658a2a56e9a39a4df91b37f99ec32037a348e9903e731277ae932b6ca811b571ecb090d7e4323bd7c2c75a78a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116306f2dfae16a97bdb417a13 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=219, length=118 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116306f2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x020400061900 Message-Authenticator = 0xf946d864e11a6b5077059f8a89cf59d5 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 219 to 10.242.254.254 port 1096 EAP-Message = 0x0105002b19001703010020ff22c2c27e8e55be5b913e0707446d89fe57423394b1f5217dcefa6c95f8a5b4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116407f2dfae16a97bdb417a13 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=220, length=155 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116407f2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0205002b190017030100208710cb81840bfcbe5fe2aa10a64689379cac245bc53745fa8ba4d6937b86832d Message-Authenticator = 0x1bc1e6fccdaf3c74ff5669af49623730 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - javier [peap] Got inner identity 'javier' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000b016a6176696572 server { PEAP: Setting User-Name to javier Sending tunneled request EAP-Message = 0x0205000b016a6176696572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "javier" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 5 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for javier [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> javier [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=javier) [ldap] expand: dc=testexample,dc=com -> dc=testexample,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=testexample,dc=com, with filter (uid=javier) [ldap] checking if remote access for javier is allowed by dialupAccess [ldap] Added User-Password = javier in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "javier" [ldap] sambaNtPassword -> NT-Password == 0x3144303031323439393444314230303441463436434430323443463738364243 [ldap] sambaLmPassword -> LM-Password == 0x4436413536334536353736353446353642423632323932333945343337314431 [ldap] looking for reply items in directory... [ldap] user javier authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [ldap] Entering ldap_groupcmp() [files] expand: dc=testexample,dc=com -> dc=testexample,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=students,ou=Groups,dc=testexample,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=students,ou=Groups,dc=testexample,dc=com not found or user is not a member. ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010600201a0106001b10f5e78e2fd833b41b649fcf7e216e99bf6a6176696572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0d408c3c0d212096ce29499f3d6f751 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600201a0106001b10f5e78e2fd833b41b649fcf7e216e99bf6a6176696572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0d408c3c0d212096ce29499f3d6f751 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 220 to 10.242.254.254 port 1096 EAP-Message = 0x0106004b19001703010040bd6ff86adf62150a9a67f86277a8c7bc6ce9ee562aecf83e89524e33ea0fe8c46d034f384657c62971c6ea109d212a15cdb510df9991bc54eb2cb04e051c28f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116504f2dfae16a97bdb417a13 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=221, length=219 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116504f2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0206006b19001703010060fec9fede01a036ee1b9468a5f5c9e2e40dc6f3d988671741d8f033a14058f8731bf198d741d63355c7fd865d00afbc598e3d2e0cd2994bce097f618457e066be2082328101dbb59409d2fa1a0289cfcb22fb85b1f1d58073e0df494c18cf0fda Message-Authenticator = 0xb490f32807fa692e506e09c75b5d8861 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600411a0206003c310f86fd8a83a8f49fd651973130f0f33200000000000000002fdbfb3f332ed517ca1ab5fdaa314c18a86d1b0e67760eb7006a6176696572 server { PEAP: Setting User-Name to javier Sending tunneled request EAP-Message = 0x020600411a0206003c310f86fd8a83a8f49fd651973130f0f33200000000000000002fdbfb3f332ed517ca1ab5fdaa314c18a86d1b0e67760eb7006a6176696572 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "javier" State = 0xc0d408c3c0d212096ce29499f3d6f751 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 65 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for javier [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> javier [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=javier) [ldap] expand: dc=testexample,dc=com -> dc=testexample,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=testexample,dc=com, with filter (uid=javier) [ldap] checking if remote access for javier is allowed by dialupAccess [ldap] Added User-Password = javier in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "javier" [ldap] sambaNtPassword -> NT-Password == 0x3144303031323439393444314230303441463436434430323443463738364243 [ldap] sambaLmPassword -> LM-Password == 0x4436413536334536353736353446353642423632323932333945343337314431 [ldap] looking for reply items in directory... [ldap] user javier authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [ldap] Entering ldap_groupcmp() [files] expand: dc=testexample,dc=com -> dc=testexample,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=students,ou=Groups,dc=testexample,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=students,ou=Groups,dc=testexample,dc=com not found or user is not a member. ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: javier [mschap] Told to do MS-CHAPv2 for javier with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700331a0306002e533d44313830333946344633303830373135304332444136323335303137393443433142334644463433 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0d408c3c1d312096ce29499f3d6f751 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700331a0306002e533d44313830333946344633303830373135304332444136323335303137393443433142334644463433 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc0d408c3c1d312096ce29499f3d6f751 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 221 to 10.242.254.254 port 1096 EAP-Message = 0x0107005b19001703010050fd2f7dd331ff48ea58ec1ad5eefee43adc36e1b91dc53151ef370a4e2c38f432d79638a0dfe518efec9f9f043c2f939e90ca0eeb2bc0cada39799714adf19fadce2cc2f6dc03c8d726309c9f5b6bed1b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb116605f2dfae16a97bdb417a13 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=222, length=155 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb116605f2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0207002b190017030100200ab3471348db15ca052ce10e32699fccfcb9fcecd6ebb997c7589c6c29b7f681 Message-Authenticator = 0xf24fedc3a0cd41ccb9c8220616774e60 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700061a03 server { PEAP: Setting User-Name to javier Sending tunneled request EAP-Message = 0x020700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "javier" State = 0xc0d408c3c1d312096ce29499f3d6f751 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for javier [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> javier [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=javier) [ldap] expand: dc=testexample,dc=com -> dc=testexample,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=testexample,dc=com, with filter (uid=javier) [ldap] checking if remote access for javier is allowed by dialupAccess [ldap] Added User-Password = javier in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] gidNumber -> GroupNumber == 5000 [ldap] userPassword -> Password-With-Header == "javier" [ldap] sambaNtPassword -> NT-Password == 0x3144303031323439393444314230303441463436434430323443463738364243 [ldap] sambaLmPassword -> LM-Password == 0x4436413536334536353736353446353642423632323932333945343337314431 [ldap] looking for reply items in directory... [ldap] user javier authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [ldap] Entering ldap_groupcmp() [files] expand: dc=testexample,dc=com -> dc=testexample,dc=com [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=students,ou=Groups,dc=testexample,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=students,ou=Groups,dc=testexample,dc=com not found or user is not a member. ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group post-auth {...} expand: %{GroupNumber} -> ++[reply] returns noop } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x1c0c36f727470776723ce5681364d73a MS-MPPE-Recv-Key = 0x35063671916a00a14a097f31df9a3192 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "javier" Filter-Id = "" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x1c0c36f727470776723ce5681364d73a MS-MPPE-Recv-Key = 0x35063671916a00a14a097f31df9a3192 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "javier" Filter-Id = "" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 222 to 10.242.254.254 port 1096 EAP-Message = 0x0108002b19001703010020641680f1f6dbff6771637953d779a4e365716ec2df71f767004da0d7dc3f5d63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6002eb11670af2dfae16a97bdb417a13 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.242.254.254 port 1096, id=223, length=155 User-Name = "javier" NAS-IP-Address = 10.242.254.254 State = 0x6002eb11670af2dfae16a97bdb417a13 NAS-Port = 77 NAS-Port-Type = Ethernet Calling-Station-Id = "e4115b3ef3b4" EAP-Message = 0x0208002b190017030100204514e8fe85d564a75cb29f0b1290fc91411b18df58013d323d10fa12ecaa19fa Message-Authenticator = 0xe720a11bcd724c9aa5b7483990305199 Service-Type = Framed-User # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "javier", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "javier" Filter-Id = "" [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 223 to 10.242.254.254 port 1096 User-Name = "javier" Filter-Id = "" MS-MPPE-Recv-Key = 0xd8299ae88d614647e7628398c754e883d9f99685091115f5f5b724806ae22def MS-MPPE-Send-Key = 0x5108a3562a8e91e4593f91783a0fb4dc7ce7d9349a94cf969043bbc3b0c70ca5 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 215 with timestamp +17 Cleaning up request 1 ID 216 with timestamp +17 Cleaning up request 2 ID 217 with timestamp +17 Cleaning up request 3 ID 218 with timestamp +17 Cleaning up request 4 ID 219 with timestamp +17 Cleaning up request 5 ID 220 with timestamp +17 Cleaning up request 6 ID 221 with timestamp +17 Cleaning up request 7 ID 222 with timestamp +17 Cleaning up request 8 ID 223 with timestamp +17 Ready to process requests.