Ok, I connect to the wireless with my client cert installed, I get a see an eap exchange but cannot connect. I've been looking over this for days now, just wanted to get some advice/help because I'm honestly lost at this point. Feel free to ask me for anything else you need to see. Jason Hall -- begin -X output -- FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 23 2009 at 21:43:09 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" shortname = "(domain).com" nastype = "other" } client 10.40.2.11/24 { require_message_authenticator = no secret = "(secret)" shortname = "private-network-1" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm (domain) { } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "(root key password)" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=212, length=174 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02020011015353505f43435c4a48616c6c Message-Authenticator = 0x3e4f70b0ba4049be59b248ac79b67555 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 212 to 10.40.2.11 port 32769 EAP-Message = 0x0103001604105d2f7ac821c18b3dda4fc5a730446754 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aa903c2d5a3d2ff9a18384d61 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=213, length=181 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300060319 State = 0xa900c63aa903c2d5a3d2ff9a18384d61 Message-Authenticator = 0x8cce320615eaa79d7a6c8a2041a0a494 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 213 to 10.40.2.11 port 32769 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aa804dfd5a3d2ff9a18384d61 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=214, length=301 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0204007e198000000074160301006f0100006b03014d2f9202942c3269ed5eaade3623eed7959631bdb8b3599f2d872fe0ad7cbab9000018002f00350005000ac013c014c009c00a00320038001300040100002aff0100010000000011000f00000c7373705f63635c6a68616c6c000a0006000400170018000b00020100 State = 0xa900c63aa804dfd5a3d2ff9a18384d61 Message-Authenticator = 0xa0ca7cf59c8e8dc3f81e213053c9a17e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 126 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 116 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006f], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0ae0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 214 to 10.40.2.11 port 32769 EAP-Message = 0x0105040019c000000b2416030100310200002d03014d2f91b5c8c10b6de09f4b353486dc7b23e5d4fc7d504ad599a8380cf337bb7400002f000005ff010001001603010ae00b000adc000ad90005643082056030820448a003020102020101300d06092a864886f70d01010505003081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e314230400603550403133953757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f7 EAP-Message = 0x0d0109011612697461646d696e407375737365722e636f6d301e170d3131303131303230333134325a170d3231303130363230333134325a3081a3310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e3141303f0603550403133853757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c657373205365727665722043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d30820122300d06092a864886f70d01010105000382010f003082010a028201 EAP-Message = 0x0100bcace3a1736baa41e7b28a9779bc5505649c2ac7055c1748827d678fe5762f8e815088097070ec4d063dc5f5b0ce4905f53d191fca459147e11b8bda3215e6e75ecbcd3e6a2097809c60370572236f79d114648251b3b6951e7d7ad8b386047adb1c73d8465a4fbe3755f4fd9758f5648917c95f8657997dfb435d32cd264771b07b8f1ffef2169b25809fb515d092f0d805488f8b0240b04bc91c9e8c4d80b5a9dd6eafd4424f68dc89cd0061f778c176bce198cdaf16f8bb683d6ec8c79b6b7401dbe928f549f8445cd77e489c9bd96a78ac6f4cfa42f0b6ad70f5676a284be39d51137c1524e920ed9e7b26b25bbf1d5b149a66bcc13384dd39 EAP-Message = 0x83c898a4dd0203010001a382019a3082019630090603551d1304023000303006096086480186f842010d04231621596153542047656e65726174656420536572766572204365727469666963617465301106096086480186f8420101040403020640300b0603551d0f0404030205a0301d0603551d0e041604146bfc53ec4d8c1de2655e487f85462269cfa0fe273081d90603551d230481d13081ce801414b80c1e8732c50053300194e1d8b6e1c4aed5e2a181aaa481a73081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e3142304006 EAP-Message = 0x035504031339537573736572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aab05dfd5a3d2ff9a18384d61 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=215, length=181 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 State = 0xa900c63aab05dfd5a3d2ff9a18384d61 Message-Authenticator = 0x9f5b906f012841434b8c0b92aef12acc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 215 to 10.40.2.11 port 32769 EAP-Message = 0x010603fc194020486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d82090089a2f8f8346912ee301d0603551d11041630148112697461646d696e407375737365722e636f6d301d0603551d12041630148112697461646d696e407375737365722e636f6d300d06092a864886f70d01010505000382010100db045c6fca66795e0f54111e406e5896d6e31d483c32db0c93d7fbf25b60cdb0698bc63300e4d3f44d2c73fac15ec3d41edd36b011a3ad9a87f0171885ff5646c86ba4e8 EAP-Message = 0x596bca83e15f117235ae85ea5e09c9c0bb6b0834ae94e9effc9585f147139f9b7889d460f4fa7ce5a2d0198bf01f2beb25be74b61c9d947b1fb3786f5ce17de32cc542bf3a72cf7ad43aa76fba5e7ae9c797290b99fe7864f48bccbc982e498a335f229be5d96c7ca1882051d38b433f63483c36faa619fc8c786fc209e4aac95a8dfd8fe159db33ae5d1992b3726c5af714983cbd894140833c4893da99beb55d06c6f0995e9d2777c5a1e9b3f32b5ad7d9d12ed479fef3679fdaa400056f3082056b30820453a00302010202090089a2f8f8346912ee300d06092a864886f70d01010505003081a4310b3009060355040613025553310e300c060355 EAP-Message = 0x040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e314230400603550403133953757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d301e170d3131303131303230323932305a170d3231303130373230323932305a3081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e31423040060355040313395375 EAP-Message = 0x7373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100de30822d81162b33fefec5a17b1b571c521487e99c20d212a8ce11298d2a34eadc2a6f4f721b5f95c7e45e94aca99df5a60dfbcdeeeac9dcde35585cf1ab350e2a426ee3e8cfe65c041f42b2fcc2a30e689120b6d5bd289d272b95a46ecf0cb610a1f8d767cb735addc6ad8b392b073790c9b8dafe857e3810c33065491d159883b9 EAP-Message = 0x538fce96e6f0bcc3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aaa06dfd5a3d2ff9a18384d61 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=216, length=181 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 State = 0xa900c63aaa06dfd5a3d2ff9a18384d61 Message-Authenticator = 0xb0a93c1c5de441689c546bff953552ac +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 216 to 10.40.2.11 port 32769 EAP-Message = 0x0107033e19009acb9a429750087b478f4f28df800790b0fe850a08ed684bf275aef974f7cf1d695a2ae22a042dd7213978179a2afa8026e80e3c665f0e291c6cb49bd67d9b310fa31642c4a6743021a544285809c4253b3d8ba4bdfa1db0d84a324146733d6fd57ebe6fff1a01d57533ee7d7945a57a922bdca5c7830203010001a382019c30820198300f0603551d130101ff040530030101ff302c06096086480186f842010d041f161d596153542047656e657261746564204341204365727469666963617465301106096086480186f8420101040403020106300b0603551d0f040403020106301d0603551d0e0416041414b80c1e8732c5005330 EAP-Message = 0x0194e1d8b6e1c4aed5e23081d90603551d230481d13081ce801414b80c1e8732c50053300194e1d8b6e1c4aed5e2a181aaa481a73081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e314230400603550403133953757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d82090089a2f8f8346912ee301d0603551d11041630148112697461646d696e407375 EAP-Message = 0x737365722e636f6d301d0603551d12041630148112697461646d696e407375737365722e636f6d300d06092a864886f70d01010505000382010100ca48048305b23d2e01dc30838e24ae8dfe74dd335c421ab1b054ee3afb25bf6376f2c1d7da4dda99e414acc1bbe8a4d2e0da6bc7880a6628300f33a2b0170f558dcb606b161eed7b7e53bb10356c56af6b34c48a1de0fad2e23ccb81bac25fdf1a3985ddbd33ddea7f52206425852bf3cd6f9c04598a09143ce6041be582b5a66637b8e7b2359cac82d0950362fde436325c790321f54b5881d57c18e9a2f4c3605402e3b50da27645ed0b32f358fd4ad9fc933718125f31bd6e2ad41747d637792a EAP-Message = 0xdb511a797d44a5272c4694fd77e0336aab254d1cf3655ac4eec005d52428d0aac5786d8572150662155d42a8401f044faa97d650ed5e9f189eae9ea81ddf16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aad07dfd5a3d2ff9a18384d61 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=217, length=513 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207015019800000014616030101061000010201009a78a32ab69ac47fd717688c8e5f5b673aabe81f8d2021a4829398faa5f1cec667b9317950d7edd93808eb55f56ad23124b940a2c00e18dec4e82ea50af0a9fd127e6ae2985c319eec98078ef361dd63a3802d16f58ce99580c2bf3dd1ecfdacdf8a58b8ea94954afcda8eb14b57d67b0b3b813bba5cd80a9818c44ddb9b2213381e2dccc4768904ecc733be2cdb19fa371815a6f3b902e8d95d279b1832d2aab0cfaf194e091f00771eec0ee88ef766f373e93d84624eb0a3ab1804795535ce2b08ccdd8ca7f78a2288d8bc27651e9c706a9e597651366d5cc94c036138e47181e9788a57a5a916 EAP-Message = 0x4bc098427e639d833761b5bdfed6b316a55406d42d8a19bd14030100010116030100306656570ba40bb3282b036c3c969ac8f7e9511f50550ced6b21a082a886cfb3ae209d4109bd193cc0f0def9395faf7618 State = 0xa900c63aad07dfd5a3d2ff9a18384d61 Message-Authenticator = 0x3a4f1365b73bada36da646a0671428cb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 217 to 10.40.2.11 port 32769 EAP-Message = 0x0108004119001403010001011603010030161865cc699da89650f3e7ce640e6b086e573dd17514716c46d50498bb3e5d02e040f450e614f19e2feafa1af0186cc8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aac08dfd5a3d2ff9a18384d61 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=218, length=181 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800061900 State = 0xa900c63aac08dfd5a3d2ff9a18384d61 Message-Authenticator = 0xa0943465f1407909729911da8fb5b48c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 218 to 10.40.2.11 port 32769 EAP-Message = 0x0109002b1900170301002084ee051f9779be59188d096034de18a7a94be3a5ca72647d4f79ab554b6fec9d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aaf09dfd5a3d2ff9a18384d61 Finished request 6. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=219, length=234 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209003b190017030100306f7bab96d6d63036e0bb725d1949089071153172a6e25cfba4744a58cd5a6372e9cf3a3475a07a2b902df17f763cb274 State = 0xa900c63aaf09dfd5a3d2ff9a18384d61 Message-Authenticator = 0x97434ca49bae047c3ea91ff71064950d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - (domain)\(username) [peap] Got tunnled request EAP-Message = 0x02090011015353505f43435c4a48616c6c server (null) { PEAP: Got tunneled identity of (domain)\(username) PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to (domain)\(username) Sending tunneled request EAP-Message = 0x02090011015353505f43435c4a48616c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "(domain)\\(username)" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "(domain)" for User-Name = "(domain)\(username)" [ntdomain] Found realm "(domain)" [ntdomain] Adding Stripped-User-Name = "(username)" [ntdomain] Adding Realm = "(domain)" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 9 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00261a010a002110b8d8b7f2698d6c4547c89393a90171365353505f43435c4a48616c6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2c630a7d2cc2a826808083c20a703b8 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00261a010a002110b8d8b7f2698d6c4547c89393a90171365353505f43435c4a48616c6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd2c630a7d2cc2a826808083c20a703b8 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 219 to 10.40.2.11 port 32769 EAP-Message = 0x010a004b19001703010040195ae6d9f978634a3e75a51c482927b5b7db06ed62edeed6afe234cab520a6e7c0ae90f474c0cbf29d316410ce7822c700cca659da41f0c4533b059ac2be0115 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aae0adfd5a3d2ff9a18384d61 Finished request 7. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=220, length=282 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a006b1900170301006030bf25d92f9528dbe9f11937d488bc75fbf25c7feb986c834b15010317ce3eda4935cf61a665d86730d7434fae79336dc652360792e8694274b94b6e2844039f2f88708d5cc2d3e588dec660648661dea641fb62e476ffe68cebef782ab8399d State = 0xa900c63aae0adfd5a3d2ff9a18384d61 Message-Authenticator = 0x83e9623e00b31de770019d9c60b90fea +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x020a00471a020a0042314d0b9d8cd906abc30c6c3a605d6f42b40000000000000000c089c6a1e5b21d8d8671904d0c3003e6db1a66d3f2b7db28005353505f43435c4a48616c6c server (null) { PEAP: Setting User-Name to (domain)\(username) Sending tunneled request EAP-Message = 0x020a00471a020a0042314d0b9d8cd906abc30c6c3a605d6f42b40000000000000000c089c6a1e5b21d8d8671904d0c3003e6db1a66d3f2b7db28005353505f43435c4a48616c6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "(domain)\\(username)" State = 0xd2c630a7d2cc2a826808083c20a703b8 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] Looking up realm "(domain)" for User-Name = "(domain)\(username)" [ntdomain] Found realm "(domain)" [ntdomain] Adding Stripped-User-Name = "(username)" [ntdomain] Adding Realm = "(domain)" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 10 length 71 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? [mschap] Told to do MS-CHAPv2 for (domain)\(username) with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 220 to 10.40.2.11 port 32769 EAP-Message = 0x010b002b19001703010020ae3ca0fedfe440153cb7b49364e200704bf8486f1399f0b4ea8ba62cccb9efa1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa900c63aa10bdfd5a3d2ff9a18384d61 Finished request 8. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=221, length=218 User-Name = "(domain)\\(username)" Calling-Station-Id = "00-24-D7-29-45-30" Called-Station-Id = "00-1D-70-02-20-70:(domain)" NAS-Port = 29 NAS-IP-Address = 10.40.2.11 NAS-Identifier = "Cisco_b2:3f:03" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b002b1900170301002078eaf4d8bdc40da5bfc684b788aa859165524f3e8da0fc61999428c2c89cf710 State = 0xa900c63aa10bdfd5a3d2ff9a18384d61 Message-Authenticator = 0x4940f9f48b205143a5ba104ea9da0d72 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> (domain)\(username) attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 221 to 10.40.2.11 port 32769 EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.7 seconds. Cleaning up request 0 ID 212 with timestamp +6 Cleaning up request 1 ID 213 with timestamp +6 Cleaning up request 2 ID 214 with timestamp +6 Cleaning up request 3 ID 215 with timestamp +6 Cleaning up request 4 ID 216 with timestamp +6 Cleaning up request 5 ID 217 with timestamp +6 Waking up in 1.2 seconds. Cleaning up request 6 ID 218 with timestamp +8 Cleaning up request 7 ID 219 with timestamp +8 Cleaning up request 8 ID 220 with timestamp +8 Waking up in 1.0 seconds. Cleaning up request 9 ID 221 with timestamp +8 Ready to process requests.