Hi,

I've stumbled upon a nasty problem:
- I need to set up FreeRadius as an authentication server where I have to authenticate users from two external databases. I've set up FreeRadius to use ntlm_auth module and swapped the 'ntlm_auth' command with my own script (see debug output). This script must be called with full username and password in cleartext so that I can then connect to the databases and check if user's credentials are correct and (s)he is allowed to connect to service. Both databases save user passwords encrypted according to their rules (SHA256 with and without salt) and for that reason I need a password supplied from the Radius client in cleartext.

However, when everything is set up, somehow '%{User-Password}' or '%{Cleartext-Password}' (I've tried them both) does not expand to anything when executing ntlm_auth authentication and my script always rejects the user. For testing purposes, I've set up a bash script that exits with status 0 if the username is 'testuser@med.bg.ac.rs' and password is 'proba.321' or with status 1 otherwise. The script works when called from command line.

The OS is CentOS 5.8 64-bit and FreeRADIUS version is 2.1.12. I have tried to check the auth with 'eapol_test' with the following configuration:

network={
        key_mgmt=IEEE8021X
        eap=TTLS
        identity="testuser@med.bg.ac.rs"
        password="proba.321"
        anonymous_identity="anonymous"
        phase2="auth=MD5"
        ca_cert="/etc/raddb/certs/ca.pem"
}


The output from the 'radiusd -X' is as follows:

FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Feb 22 2012 at 14:59:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
    user = "radiusd"
    group = "radiusd"
    allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
    name = "radiusd"
    prefix = "/usr"
    localstatedir = "/var"
    sbindir = "/usr/sbin"
    logdir = "/var/log/radius"
    run_dir = "/var/run/radiusd"
    libdir = "/usr/lib64/freeradius"
    radacctdir = "/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth+acct"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = yes
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
 }
 realm med.bg.ac.rs {
    authhost = LOCAL
    accthost = LOCAL
 }
 realm LOCAL {
 }
 realm NULL {
 }
radiusd: #### Loading Clients ####
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
    virtual_server = "eduroam"
 }
 client ftlr1.ac.rs {
    ipaddr = 147.91.4.204
    require_message_authenticator = no
    secret = "******"
    shortname = "ftlr1"
    nastype = "other"
    virtual_server = "eduroam"
 }
 client ftlr2.ac.rs {
    ipaddr = 147.91.1.101
    require_message_authenticator = no
    secret = "******"
    shortname = "ftlr2"
    nastype = "other"
    virtual_server = "eduroam"
 }
 client netiis.monitor {
    ipaddr = 147.91.3.12
    require_message_authenticator = no
    secret = "******"
    shortname = "netiis"
    nastype = "other"
    virtual_server = "eduroam"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
 modules {
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
    allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
    radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
    default_eap_type = "ttls"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/raddb/certs"
    pem_file_type = yes
    private_key_file = "/etc/raddb/certs/server.key"
    certificate_file = "/etc/raddb/certs/server.pem"
    CA_file = "/etc/raddb/certs/ca.pem"
    private_key_password = "******"
    dh_file = "/etc/raddb/certs/dh"
    random_file = "/dev/urandom"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "eduroam-inner-tunnel"
    include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "eduroam-inner-tunnel"
    soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
  preprocess {
    huntgroups = "/etc/raddb/huntgroups"
    hints = "/etc/raddb/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
    usersfile = "/etc/raddb/users"
    acctusersfile = "/etc/raddb/acct_users"
    preproxy_usersfile = "/etc/raddb/preproxy_users"
    compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
    detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
    filename = "/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
    relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
    attrsfile = "/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
    relaxed = no
  }
 } # modules
} # server
server eduroam { # from file /etc/raddb/sites-enabled/eduroam
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log
  detail auth_log {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Checking accounting {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log
  detail pre_proxy_log {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log
  detail post_proxy_log {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log
  detail reply_log {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 } # modules
} # server
server eduroam-inner-tunnel { # from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
 modules {
  Module: Creating Auth-Type = ntlm_auth
 Module: Checking authenticate {...} for more modules to load
 Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth
  exec ntlm_auth {
    wait = yes
    program = "/usr/local/sbin/medauth %{User-Name} %{Cleartext-Password} >& /dev/null"
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
listen {
    type = "control"
 listen {
    socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
    type = "auth"
    ipaddr = 127.0.0.1
    port = 18120
}
 ... adding new socket proxy address * port 36934
 ... adding new socket proxy address * port 33386
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=0, length=126
    User-Name = "anonymous"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0200000e01616e6f6e796d6f7573
    Message-Authenticator = 0x1ce7f102551d22fcc6ba9815d29d098f
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 127.0.0.1 port 57434
    EAP-Message = 0x010100061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x453e5638453f433c1dde145a555d75ae
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=1, length=225
    User-Name = "anonymous"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0201005f150016030100540100005003014fdefc0a35aa637e8a3b2e436e90f60e9e83e5b6c5631ebb720ffbd5e117812800002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100
    State = 0x453e5638453f433c1dde145a555d75ae
    Message-Authenticator = 0x960996a07cd20c784ce8b254694b6c90
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 95
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0054], ClientHello 
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello 
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0920], Certificate 
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange 
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode 
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 1 to 127.0.0.1 port 57434
    EAP-Message = 0x0102040015c000000b7616030100310200002d03014fdefc0a8aff87adf2ab470247564a15f475076cf5c27c0b81400b87be48c892000039010005ff0100010016030109200b00091c0009190003e8308203e4308202cca003020102020101300d06092a864886f70d01010505003081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727331333031
    EAP-Message = 0x0603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a308193310b3009060355040613025253310f300d0603550408130653657262696131333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c6772616465311c301a060355040313137261646975732e6d65642e62672e61632e72733120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727330820122300d06092a864886f70d0101010500038201
    EAP-Message = 0x0f003082010a0282010100d7b1a23166efda162efe3b619671dc16aa89e337d70c55b4deb769d0b5136e8f7a098d83f6d30b7a60896ca1067f5b94de49d56bc1db3a7c874eab1f41101061886a1ef7d1f3b184cea254719a9f5781e8305cf2cd06921923b964ec94020e95fd53a9f7b8b00dad9c821901e53705f9763fdae2d9cb72167b4c770bc9c5b527fd3f11bd83ebbf957716c36764743ef8e3a93b8e8392ef4b5e0f1c3fcc6196d5796f444633c397f350367aa16d85db0dff74d66c3f7d664fbd1c64690e41e15b23a0dae9fabcb439455eb91054f348b605156f6167c4010fdc57e0fd286bd93ae5a31636c2b601f360191384afc480131583
    EAP-Message = 0x33a45b144e4308383fd57a8630730203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010044b74245061b3b22760405c9d5f91cbd59e99c6c69716a2b9e73709f453bc962760dfde83c429c28970c9360e03760886604d99c33a9ea869a4a415bb2eb288421c193583e8fd440af40feda2db008a03160be444eb111e8441b4ff3f072dda6b456b52e0270aa9bacd3a08226f6ad01b0f480b5656433b56fabea5484f2eb2b0900aaea34603de355fc1084c7fe7ed3762e506a4da9188dc04616785bf3f42562ad4f9871df0d7559f0b42380995a4cd5167b2b1a6456b0585bce4a82
    EAP-Message = 0xc332ff74a92620533a7b61da
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x453e5638443c433c1dde145a555d75ae
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=2, length=136
    User-Name = "anonymous"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020200061500
    State = 0x453e5638443c433c1dde145a555d75ae
    Message-Authenticator = 0xa3b3094ac897f879e1f4d836e982f0ee
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 2 to 127.0.0.1 port 57434
    EAP-Message = 0x0103040015c000000b767190effa7c037121c8eaa8702f555ead739aceed753b5959e59bc050b756d274cc85e5d6e6701f3981baae062502de1480a1695c0f54d500052b308205273082040fa003020102020900cb73058e093a87dc300d06092a864886f70d01010505003081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727331333031060355
    EAP-Message = 0x0403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a3081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e6520436572746966
    EAP-Message = 0x69636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cd1d33bc86769aab2584b35488d4adbb56935d320ca011116d7a3da9aa7b331cd98db824215b4328f742a62825df0cc2b8cf7a0e3599e5cf54080334bca0d7360bec4961d34c58525302fb74a140b32e2815c67ebdf46d470759c6e55398bbe822efb14fb1e94338cb37cf12814f6c2c69af576bda232a01cbe7ba1a2f48f740f44a2942c7ea50c3be896372d6a972b0c29fc39e8de188891c9b273a90bcf8021d6185fb679d77f482bee8d8ec727535aaf66c93b41bb8c4e5499e3b7f7894cbbd1505c5fa9c3e4c8d1166
    EAP-Message = 0x9c58ce4f2d041fc783d9397acf87d083a5041a77a534f0fb5dfe8d8d85cc011fb63af7060a54ebcd5e1667a9874284430c3be348e90203010001a382012630820122301d0603551d0e04160414b7dc49418f1a1fe4235e3a3a53de7b35691c8c9c3081f20603551d230481ea3081e78014b7dc49418f1a1fe4235e3a3a53de7b35691c8c9ca181c3a481c03081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a8648
    EAP-Message = 0x86f70d010901161163696b74
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x453e5638473d433c1dde145a555d75ae
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=3, length=136
    User-Name = "anonymous"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020300061500
    State = 0x453e5638473d433c1dde145a555d75ae
    Message-Authenticator = 0xab683dac1c19264b7cefbfb39f1036e4
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 3 to 127.0.0.1 port 57434
    EAP-Message = 0x01040394158000000b76406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479820900cb73058e093a87dc300c0603551d13040530030101ff300d06092a864886f70d010105050003820101006069bb5c8707f0caca80d1998f57a5ab0bf43843b6359b91085100a3fcd29348b669e5cfdff8ef56a583af32823d20a34f213a0bee64d360319eab9b6cb936a78f4345e96139b36caa0f394e850a20e9b2b96cbda103eabf7533af89f84731b82d7599a592455a0d8f10c6fc3eaebff1939d74609589fc820372df3d16414aa5c4f14e0d
    EAP-Message = 0xe6d9375f29d21aa334834aefe4de97c9076f6f59d538c973884a5929440962f02c1f05692564b636bd8f2b33dab7e387c5190e0d4a9894304d4c41651ff78feec39bba7d9590ac6e5a423cc83a63c26d47bea741cb0af86017727c7d2a16b611a9374d3d8c2a7d6773eef0d0a3f15b0288d7d4d2f0d0376d9dc0d91b160301020d0c00020900809581c2d77458ae39e8ced3fc1c136cdf0e5c874f0145a1ba3b1cadd518c96731cf5ce5ffdb56d03d05fd3920b7e19d3bd0435ca1ae9bd7c7888e953c4f4c572bb511a70579b804f7f7cc5392222e6fe69cac502f39bf2166c7281fd6ddedfc9a5934dbdb44133155fe1f89cf6b33db04059e65164fb0
    EAP-Message = 0xf060679b652950dab40b00010200800ed41ea9a51c998c4f28af7bfa7e70b31a5baf43a288bf5c40ed11226423740f5a79393a18b936d417fe3156726fd8d3017faa90807b1924beb8ba713b585c03fdd8e401576caee1d777b6b7e876afd14a5b4fc9902484c04a28cb14a04718f45e294c86bdb06bce91c9002d345bd7411e77bc4e07cea999589bbdebc0f20c1701004b5fac779365dafeca7ef4696018786c2fa7c9b70579b45182df31d5c1f70751076524d3196265774ed43c460fa8991a6aad5506125c17f46614d8ec7ad5ad621aab6be4f7cf7d21d17f37b3bad0bcb1a8206a77a3c2f1789ef2bebf81926b429255f1e513f97e00c71540b6
    EAP-Message = 0x2f4821bea23b5cff0a7d3990578d637d2644223669454da8f87a85d22cb30008a01230edcfeee10c19cab0697e3c1e98ca88ec691eebb16e6b3ecba362ed16e0d01690f4264191dc2e3d77f4af8a6481968a0c936d3e69c9f818d724f1c7e8cda71a1d424b016c9c669c153607d196eaa753a20ef07ee60b920849cd38087231067a53bc5cde17c3664302856b61f434968c22bf16030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x453e5638463a433c1dde145a555d75ae
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=4, length=334
    User-Name = "anonymous"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020400cc150016030100861000008200804947f508ab581679165a93c50e5588f04e8e34bef4b96e49115c604a5012d77ed91e7003b1e5d72cd2585c830fe047329ece54be7e4b482d67ead0b996de2c7036893af0bf556b8c2d0a345756b5f4f6c34ef3d7a438ef6596de4b722eebc538222a1ae3141433123867a99fca7debea94caf233eee09c4d1f8fc4986355b771140301000101160301003024c728b211d0593f1a575c7f570f7cd38dfbfe14c76a92baf855b3d245407a1ac4497e4349e0450a70857a9685355d39
    State = 0x453e5638463a433c1dde145a555d75ae
    Message-Authenticator = 0x6cb71a422ffeaad397d8c36e03ff6703
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange 
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] 
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished 
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] 
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished 
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 4 to 127.0.0.1 port 57434
    EAP-Message = 0x0105004515800000003b1403010001011603010030d13042ffaa9f5208530f9d196691755fe795dbe60c277e81e11947821f2698414cce5df41150a18716654f9fee2c4068
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x453e5638413b433c1dde145a555d75ae
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=5, length=242
    User-Name = "anonymous"
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = "02-00-00-00-00-01"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02050070150017030100202b83edb5b87ff66b7b5d13339196f62f8e44061ac02821a6ab8f5fe44aa5ff6b17030100404de9cda8169d8c9e0969a9fb2245697166f27290ce6f23473c57364c7d5ae08e85039938f8cbb126727f888bf92807c008c7f46f8b1e0f9c42e504b25f8c3bb2
    State = 0x453e5638413b433c1dde145a555d75ae
    Message-Authenticator = 0x6197eff33cfffb5b484c44e49735b5d4
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
    EAP-Message = 0x0200001a017465737475736572406d65642e62672e61632e7273
    FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of testuser@med.bg.ac.rs
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
    EAP-Message = 0x0200001a017465737475736572406d65642e62672e61632e7273
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "testuser@med.bg.ac.rs"
server eduroam-inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+- entering group authorize {...}
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]     expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] Looking up realm "med.bg.ac.rs" for User-Name = "testuser@med.bg.ac.rs"
[suffix] Found realm "med.bg.ac.rs"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "med.bg.ac.rs"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth]     expand: %{User-Name} -> testuser@med.bg.ac.rs
[ntlm_auth]     expand: %{Cleartext-Password} ->
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Invalid user: [testuser@med.bg.ac.rs/<via Auth-Type = ntlm_auth>] (from client localhost port 0 via TLS tunnel)
} # server eduroam-inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user testuser@med.bg.ac.rs
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01)
} # server eduroam
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 5 to 127.0.0.1 port 57434
    EAP-Message = 0x04050004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Cleaning up request 1 ID 1 with timestamp +5
Cleaning up request 2 ID 2 with timestamp +5
Cleaning up request 3 ID 3 with timestamp +5
Cleaning up request 4 ID 4 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.
--
Veselin Mijušković
Senior System Administrator
School of Electrical Engineering's Computing Centre
University of Belgrade * Serbia * www.etf.bg.ac.rs