No there are no other lines before that one. I cannot update, because univention ucs2.4 is based on lenny and FR 2.2 depends on newer packets from squeeze. Already tried that. well radlogin worked even when unix in default was active. But after i #-ed everything with unix i could login. After the login there comes the information for accepting the certificate. But after a klick for accepting there comes the loginscreen another time. output from -X: rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=74, length=197 Message-Authenticator = 0xb8f705a6d721830c471b297ff86bc1da Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for nadine.bosshard WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as cn=admin,dc=tcsvo,dc=local/pPWSrf5 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4431393433313746304145303337384139434535423745394230313835334233 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3944443632393938313730333033343036463342414634373331353033384646 rlm_ldap: looking for reply items in directory... rlm_ldap: user nadine.bosshard authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 74 to 10.119.12.2 port 1332 EAP-Message = 0x010100160410ce5ed62bba0b994eed20635dd85199a8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654516b5618cb11aad47c413c7ca Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=75, length=201 Message-Authenticator = 0x4ba48fcb53c68cc0e385d0d12cfad5fc Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654516b5618cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020100060319 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for nadine.bosshard WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4431393433313746304145303337384139434535423745394230313835334233 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3944443632393938313730333033343036463342414634373331353033384646 rlm_ldap: looking for reply items in directory... rlm_ldap: user nadine.bosshard authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 75 to 10.119.12.2 port 1332 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654517b67c8cb11aad47c413c7ca Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=76, length=323 Message-Authenticator = 0x32ce24190f3bd9a7fe8b5bfcba1fc4dc Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654517b67c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0202008019800000007616030100710100006d0301504f2f339bf42035c99689e4b9f5f239952eeccfc90cde3694f18e32a18a204e00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 128 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 118 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0071], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0051], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ac9], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 76 to 10.119.12.2 port 1332 EAP-Message = 0x0103040019c000000b2d16030100510200004d0301504f2f34362fc1262c3b636e2050c8649ca8051cd6e96e77afeacceb0b82f6b020d64590097eda15b621fa50f97c6ff690cbe70000754bfce0db0efd7bb2f58af5002f000005ff010001001603010ac90b000ac5000ac20004c5308204c1308203a9a003020102020101300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b301906035504 EAP-Message = 0x0b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c301e170d3131313031383132343135325a170d3136313031363132343135325a3081c1310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b13125443532053657276 EAP-Message = 0x6963652043656e746572311e301c060355040313157372746373766f30342e746373766f2e6c6f63616c311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c30819f300d06092a864886f70d010101050003818d0030818902818100aa068e1696137a6013728212da97bde84338a84c01434740dd7c3d76e9ac208d33efef6cf5b19436e09f71aae9517ec9a79ab6386ac2cee886c4b82e306ab065799071439537013af6f32fcf103e563341e5ec03837fefb32cab3a80e085624a722dca77fb2d0881e2912d078a404708506df80f9fa5459a3846c41b3a1be8410203010001a38201363082013230090603551d130402 EAP-Message = 0x3000301d0603551d0e04160414d60b8a292f824ee8593ead12079908a996fa25ce308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f742043 EAP-Message = 0x41311e301c06092a864886f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654514b77c8cb11aad47c413c7ca Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=77, length=201 Message-Authenticator = 0xc5cd91f31beec31485c1a018cca1a538 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654514b77c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 77 to 10.119.12.2 port 1332 EAP-Message = 0x010403fc19400d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300d06092a864886f70d0101050500038201010070b8aa764d29097af2190422c618f6c5a4753df81c1ff392cb1b379de862bd338b414b5fdcdc7b8ed053df5224ec2e4e85babe4adac4a490fd663627c211c837819ae267f4d9125d19e04fc82ac089a9ab9c3a7f01be2f54ff64381d8f233dd0f4e1070221a6d9751e3f5c5f4a4d3a81c2784377ac37056e3472e64770818f741f39659163dfb5b72e44cba594acb1fc8549bbd3ca2a42eed1741fedd1fd784f88270182168861461bf8e395f33544d1d6950ccb5bd39bf31e06c7a95e3134dba44f7a EAP-Message = 0x00f72b04cb086681c2fca1497fd8842e6453e9c305971535d8ec031581b1a37c97199ed6295c692c91515b121b459421b4d320429da9eebf9fa46692560005f7308205f3308204dba003020102020900de6d547bd0d02bb7300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74 EAP-Message = 0x696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c301e170d3131313031383132343135325a170d3136313031363132343135325a3081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f7261 EAP-Message = 0x74652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cb23aad5b224b6451b2b71d383a8fdab7fc47c1d3c01a4cbbc495530c121edf8e00206507e5c357930f32483539f43f3f4523fbc6f180225477898f1e28d89627ebeda8a0f33264ba5431b43403033b32b662913717a2ced71906fb24c710dcd2b51494c2f9f9a4cdbe655248673c6d520d3012350b8cc999d7e319bd0dc15bd28696d03c06adea3e7e45d506f342f54428c9914664b30110c85771b9b6b6d4709ba70075d85c4a96860b4 EAP-Message = 0xcbfcc9fde3fc1e69 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654515b07c8cb11aad47c413c7ca Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=78, length=201 Message-Authenticator = 0xe1657a312df473007ae4e66e5386abba Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654515b07c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 78 to 10.119.12.2 port 1332 EAP-Message = 0x0105034719006c0ac5bff0ac06e64f339336a607f02d6f89c67c8db227cf7d6dd61df083dc348a6b83d9f5a6b83186380ef5fd3ea29a95649910de04d80494fae634bd6ea242623c8a520c996d77b9e43ceaa10203010001a38201ce308201ca300f0603551d130101ff040530030101ff301d0603551d0e041604141894cd73cc0286f2e6b0ab65777f605667044a3c308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355 EAP-Message = 0x040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341311e301c06092a864886f70d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300b0603551d0f040403020106301106096086480186f8420101040403020007301a0603551d1104133011810f73736c40746373766f2e6c6f63616c301a0603551d1204133011810f73736c40746373766f2e6c6f63616c303806096086480186f8 EAP-Message = 0x42010d042b162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465300d06092a864886f70d01010505000382010100620c56161414e3959e61866f66eb546cd7bf45398138cfb59e89c222e518454951c9fb0bb3dee9a950d577e4d48ac79dcada6a52b9abee23756bf3af3132425af8367294e2766d119ddfa86ebf64be0ad752149a9b42762f94ddbbc9a85f338c53a9252175dea564dc6c74bcf9bfb60c63f4580e463c2c21cb0048b08f8e6a93026de80f60191ec1fe5a07074161986f7f18eb4b5e2e93b1e1b084ceed5193a264aaa275353c7d1bc13b2dce45a799727b68aa79a39073263d EAP-Message = 0xb65a905d7bab8419a963ea7f069d0c618070bb107ffd9c291baf3f3908a4fbbf9a8ca172e1f39301934bdf17939a65b9c794b7162169b2c5bceb6aaf48fa715a584c6eea1e0dd916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654512b17c8cb11aad47c413c7ca Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=79, length=403 Message-Authenticator = 0xf76ea41848db75155a999de19b0b8ab8 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654512b17c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500d01980000000c61603010086100000820080a9fa249e85b6565a5675f299fd98e7f2db6767a944b7691b5b42e738a2034e254510fa33eaa56734c708cf596d81b193ea6a1947769cb63f83fac6c2d71dd434985b3a115e8a90a68349d2dd7cca49d3cec3f32fa190b21111949bf1829bfe7dbe5bd1ac6a1c37544a1b04d81ad98f89e0806aeb827a955deefc1bdf0b60e82e1403010001011603010030341c5ed324da181fd43d39d7ed41f23724e32cb3e2e55a57da946c5691257bb74199385181f308e2e6450489745d04c9 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 208 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 198 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 79 to 10.119.12.2 port 1332 EAP-Message = 0x0106004119001403010001011603010030b213aaedf5b207d7f89aa93d1379c29e85c4c32f1927ca9318dcd335398921d3014d7ef185c94ecc6167c183f3178c37 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654513b27c8cb11aad47c413c7ca Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=80, length=201 Message-Authenticator = 0xa7658f5b5828f25d72267be5a62ee3d9 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654513b27c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020600061900 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 80 to 10.119.12.2 port 1332 EAP-Message = 0x0107002b1900170301002076cff579edcc27200d5c7a2da8010742e440dcfec3cbf4a4586062522b8feee8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654510b37c8cb11aad47c413c7ca Finished request 6. Going to the next request Waking up in 1.2 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=81, length=254 Message-Authenticator = 0xe19f6b601971918ae28622d4e1023915 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654510b37c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207003b19001703010030a363428512dd817485942d2771ad4bc57cfd522bbca80127738d56ba90b901fdc460d220b30b1e326ed6ef5392338784 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 59 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - nadine.bosshard PEAP: Got tunneled EAP-Message EAP-Message = 0x02070014016e6164696e652e626f737368617264 PEAP: Got tunneled identity of nadine.bosshard PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to nadine.bosshard PEAP: Sending tunneled request EAP-Message = 0x02070014016e6164696e652e626f737368617264 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nadine.bosshard" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for nadine.bosshard WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=tcsvo,dc=local, with filter (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard)) rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/" rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password == 0x4431393433313746304145303337384139434535423745394230313835334233 rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password == 0x3944443632393938313730333033343036463342414634373331353033384646 rlm_ldap: looking for reply items in directory... rlm_ldap: user nadine.bosshard authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Normalizing NT-Password from hex encoding rlm_pap: Normalizing LM-Password from hex encoding rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [nadine.bosshard/<no User-Password attribute>] (from client aptcsvo02 port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 PEAP: Processing from tunneled session code 0x15a7cd0 3 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 81 to 10.119.12.2 port 1332 EAP-Message = 0x0108002b19001703010020fd01c27653428a0b4c1b91a8c8a72745376f00967edad64c2942c892ce583c95 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16b4654511bc7c8cb11aad47c413c7ca Finished request 7. Going to the next request Waking up in 1.2 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82, length=238 Message-Authenticator = 0xf77a7553970336997c53b0f4dd243710 Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 State = 0x16b4654511bc7c8cb11aad47c413c7ca Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b1900170301002025cb1272fcd8494d630037f0c267cf2b860f7edfeeb4b730993de53c79e20735 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 43 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> nadine.bosshard attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82, length=238 Waiting to send Access-Reject to client aptcsvo02 port 1332 - ID: 82 Sending delayed reject for request 8 Sending Access-Reject of id 82 to 10.119.12.2 port 1332 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.1 seconds. Cleaning up request 0 ID 74 with timestamp +313 Cleaning up request 1 ID 75 with timestamp +313 Cleaning up request 2 ID 76 with timestamp +313 Cleaning up request 3 ID 77 with timestamp +313 Cleaning up request 4 ID 78 with timestamp +313 Cleaning up request 5 ID 79 with timestamp +313 Waking up in 3.6 seconds. Cleaning up request 6 ID 80 with timestamp +317 Cleaning up request 7 ID 81 with timestamp +317 Waking up in 1.0 seconds. Cleaning up request 8 ID 82 with timestamp +317 Ready to process requests. Thanks for the help. Am 09/11/2012 11:06 AM, schrieb Fajar A. Nugraha:
On Tue, Sep 11, 2012 at 3:54 PM, Mihajlo Joksimovic <mihajlo.joksimovic@adfinis-sygroup.ch> wrote:
IPhone test: rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21, length=197 Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
Service-Type = Framed-User User-Name = "nadine.bosshard" Framed-MTU = 1488 Called-Station-Id = "204E7FE98EF3:TCSVO-Intern" Calling-Station-Id = "9803D861E85C" NAS-Identifier = "aptcsvo02" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02000014016e6164696e652e626f737368617264 NAS-IP-Address = 10.119.12.2 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation There should be other lines before that. Like the ones that says it's using inner-tunnel?
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false] ++[unix] returns reject Did you read that line? You have "unix" in authorize section of inner tunnel. And user nadine.bosshard is not allowed to login to the system (invalid shell). FR does the right thing. Comment-out that line in inner tunnel.
Your radlogin test succeed because you don't have "unix" in authorize section of default virtual server.
See how important complete debug logs are?
... and seriously, upgrade. There are many known bugs fixed since 2.0.x. And if you can edit the configuration freely by hand, you should be able to upgrade.
-- Adfinis SyGroup AG Mihajlo Joksimovic, System Engineer Güterstrasse 86 | CH-4053 Basel Tel. 061 333 80 33