Hi Alan,
after some more debugging I've found the reason of my PEAP failing with MACSEC: SoH! I've attached the log with and without SoH. Is this a buggy client behavior or is the FR misinterpreting the packet?
With regard to getting rid of use_tunneled_reply I don't get the Chargeable-User-Identity to show up in the last (Access-Accept) request. If you see anything I may have missed to get the attribute handed out there, please do point me to it.
Not sure why the attached logs have vanished, so here goes: -(snip:PEAP with SoH)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client ar30a-y1t-s5 { ipaddr = 172.18.198.32 require_message_authenticator = no secret = "..." nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = yes soh_virtual_server = "soh-server" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822e40 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 35971 ... adding new socket proxy address * port 34413 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=115, length=147 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021500090174657374 Message-Authenticator = 0x928beab47c7c13d806d39e797867faeb NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 21 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 115 to 172.18.198.32 port 1645 EAP-Message = 0x011600061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcd4bdd42446ffd395a7bb16f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=116, length=288 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0216008419001603010079010000750301e25a5a77e01eac5a9a77a6256c6668143107032bfcb2fb2ea76ca94ff3af5ee3000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0xda56d8cc7c7ebc0962c23ee6dd512d27 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcd4bdd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 22 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 116 to 172.18.198.32 port 1645 EAP-Message = 0x0117040019c0000009c0160301003902000035030154f5947f695740f9b09e657ddcdb52cf4acd224da737df3533889577038dd75100c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcc4add42446ffd395a7bb16f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=117, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021700061900 Message-Authenticator = 0x0942be5e680f9361fd3b672fa8fd82f7 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcc4add42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 23 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 117 to 172.18.198.32 port 1645 EAP-Message = 0x011803fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574 EAP-Message = 0x74676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584da860e15 EAP-Message = 0x39435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741045babac7b408546c2e87c22a233c0b8ccf597c77e4c04897add92855c96e87b2d2f9613b52782c533ae66347f774328b283005e87e73316825eff068b17d5352c02003aead46f3d5de78bf7e05b8a66d2a0d21db962db9e01871ff4445693c7da5a132eaaeea85f6229202222a134f9 EAP-Message = 0x4079ace979428146 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcf45dd42446ffd395a7bb16f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=118, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021800061900 Message-Authenticator = 0xbaa29964fe01b08e0e85fcfe53dab543 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcf45dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 24 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 118 to 172.18.198.32 port 1645 EAP-Message = 0x011901da1900ab8d7cbb29abc62ff4d9569ffe1410094442f2c651841eb495307c87e0609d2e8e2a63b9960a0cf88bfdedb9ce1478caccbc7abb86b5cd6901921759ffe44d6ce4747d64b7df9fd1c73782e055dbdb5baab0edfc6ef185da277554fe891cc039bacc2c5bff2633eef3d040c071872b26d71f10bbae8e38e98f6117815d9cf3e8026fcf53b571753b60993efea53e7fd58378202db4e825220ad183bba43002bc007bfc1e7e2d898f9f7466d85a1913320b3cdd5aed123d79c6c7f9311b69a5d7b9bd8ab79cb0297fa380229b06253026fb131e5d697f4feeb3958debbe8074a8fe75b21296386b5c3f666df0c11a40752c587f2dead659 EAP-Message = 0xb7aa544a240651e75ce75fa47205df2759c2bb78aa196b5b68dfd2d0867d03e6fead87cf9f7fa827047b1dc994e6f46634b3011806388d7bfe5f66efa2349ee22ecb9f97ede15f2369098445334b2906a23ef1b69daa63deb20ae01525a55871d9a3545decad567660a5267f403aad3a6c7f778d259208e75e92705873a975f2fc23879a4dc298fd2800ad0590d9d4707acef2308694088c08dd5327c7bb38a955b4c06f9d2b37b5488bd38b2bcb783bdb836121be70e03a33c37f606c6542b9ea73e26a210640a2d22c8b05a0109f3c5cdd60aa16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbce44dd42446ffd395a7bb16f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=119, length=296 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0219008c190016030100461000004241045f59e48b26f3964c81c8cd86d7fb237e290d979b2954dcc7b40aab5c8e1c303bc64ac5e66edbddee9a4a98714fe901bfaf176a30374f377945a50e2483e775171403010001011603010030f136f69cef068f1336096133e8805d50fbc0a4052ab4a586a057ae8841e5ec728601a980526018c0bb8c2d1267e3f8d3 Message-Authenticator = 0xe0a74f62073469b67b023d259b503e9b NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbce44dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 25 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 119 to 172.18.198.32 port 1645 EAP-Message = 0x011a0041190014030100010116030100308f22dae63d39cc06a7c858ba9bc95a5f9a6357d71bdece3de33d6b90ba81a871e1f1f328e87d136072c9879d961b58fe Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbc947dd42446ffd395a7bb16f Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=120, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021a00061900 Message-Authenticator = 0x4ff49831f3d3c18f8c3ae25c3c0e086f NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbc947dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 26 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 120 to 172.18.198.32 port 1645 EAP-Message = 0x011b002b190017030100203a1fa1fede068be34b77a627bf79ece4331c84c8e680fa56f038be9292048d28 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbc846dd42446ffd395a7bb16f Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=121, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021b005019001703010020712017e92240dd4eda7e155e52c8d754751f33898f7004241ca7286a97ec9a5517030100209dd1894242f272d607b5c1ac058964babbc2f4a37e9bf9a83680d4dce24b2af2 Message-Authenticator = 0x4f22c2d143aadbfcb3bdc1307fdece0a NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbc846dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 27 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Requesting SoH from client ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 121 to 172.18.198.32 port 1645 EAP-Message = 0x011c003b19001703010030bac336433016e5b57fd6ad3f31c06a2047549f45033e9d4e05c8ebb1d622c1303d4d59f64e40e9fbf7a085acc4695f8b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcb41dd42446ffd395a7bb16f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=122, length=252 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021c006019001703010020c361d362beec75836d28cd66ff8c43a6f08455395b16ff14a33e92c1c177554e17030100309d1f880456359376450fc9bb764e62d54e9e93d25727a1f8ba4286857a40d1aaeadef04fa08e087ed2a643fef33ed5b7 Message-Authenticator = 0x242e5e529d9ac60f54f1e9caa298e4ba NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcb41dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 28 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type 254 [peap] SoH - extended eap vendor 00000000 is not Microsoft [peap] Setting User-Name to test [peap] Processing SoH request SoH-Supported = no FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 [peap] server soh-server { # Executing section authorize from file /etc/freeradius/sites-enabled/soh +group authorize { ++update config { ++} # update config = noop +} # group authorize = noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. [peap] } # server soh-server [peap] Got SoH reply [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x021c00090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x021c00090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 28 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011d001e1a011d0019103bd5dadecf4690c3042c15623ed0e57774657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d0368273d1e72fe5df8dd5da55aea6a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011d001e1a011d0019103bd5dadecf4690c3042c15623ed0e57774657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d0368273d1e72fe5df8dd5da55aea6a [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 122 to 172.18.198.32 port 1645 EAP-Message = 0x011d003b190017030100309802783e3a59d9c56f0b6c3f9206057652857f95b6a456181d91239d2d99935d9b7c0edc627c554d32b9bf8e49c01f1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbca40dd42446ffd395a7bb16f Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=123, length=300 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021d009019001703010020783d86a0a76b549704671f8283e5276a7ae8048a06ec558f0973758fd84ed733170301006031b1499ee0f76154f8d8f7bcf698a701d90df6bc7c98cfc56bcb3123b94e47d3b153cafde228820aa13dc36eee6cb12512e47b2566b66ffe244c1de2da30ac0faf9248f3cc169fc720fee22a3a6b222afad1daf180e5086688116ce93320780d Message-Authenticator = 0x2ea4d7f854cda09df102cb62d047dd0c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbca40dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 29 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type 254 [peap] Got tunneled request EAP-Message = 0x021d0046fe0000000000001a021d003a316e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x021d0046fe0000000000001a021d003a316e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x3d0368273d1e72fe5df8dd5da55aea6a Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 29 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Badly formatted EAP Message: Ignoring the packet [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 123 to 172.18.198.32 port 1645 EAP-Message = 0x011e002b1900170301002078c06ddf27b6fd9a59447de45007d1fbd3dc0230ce8f8ccb1c56dafa1c877fa9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbc543dd42446ffd395a7bb16f Finished request 8. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=124, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021e005019001703010020a04bd006cc78e6e1decf8d7867bbc35f8c6b7b6c0c3e1682d002a4dcd781ae2317030100200b7b6d3119ae30f4929cec62ddad8bf67110d9269dd26db2e377f6b663a1b3bd Message-Authenticator = 0x936c2d859e8b42e3502b038b1bb3aee4 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbc543dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 30 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 124 to 172.18.198.32 port 1645 EAP-Message = 0x041e0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. -(snip)- -(snip:PEAP without SoH)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client ar30a-y1t-s5 { ipaddr = 172.18.198.32 require_message_authenticator = no secret = "..." nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822f60 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 60025 ... adding new socket proxy address * port 33159 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=94, length=147 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020100090174657374 Message-Authenticator = 0xcf8f61e19fda9dd8e3084485b0228b9c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 94 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9b4d4a279b4f533796287c14f130a087 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=95, length=147 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020100090174657374 Message-Authenticator = 0xafb0dd93be1f0cffaaaf221de4045dd7 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 95 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bb28acbdb91ce7a2572b723f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=96, length=288 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02020084190016030100790100007503017401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c637000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0xccfb81d4264d77ec23e7aaa52d55f66e NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bb28acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 96 to 172.18.198.32 port 1645 EAP-Message = 0x0103040019c0000009c0160301003902000035030154f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b00c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0ba29acbdb91ce7a2572b723f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=97, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020300061900 Message-Authenticator = 0x2e9d9c56d3626bc077576f071ca511f9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0ba29acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 97 to 172.18.198.32 port 1645 EAP-Message = 0x010403fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574 EAP-Message = 0x74676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584da860e15 EAP-Message = 0x39435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741049239ef7b5dad25bdccc15f8ffc96e172a71e1b1bfac95d4104dd9d1690ac4284a3896c05f48e7149dd6a70637be6b4cf7d86d3d6367b5bae36c5ddc3afd10de302003499e8e993f66f7c60f0ade1eac13f3cf752f8863c0be1c2610f9bfa4dbf2742e813abeec3b133ef0911179abd EAP-Message = 0x399aab8286647ada Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0b92eacbdb91ce7a2572b723f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=98, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020400061900 Message-Authenticator = 0x9f50561dcab7188f23d46bab5248d97a NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0b92eacbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 98 to 172.18.198.32 port 1645 EAP-Message = 0x010501da1900ab7ac0c1eacb373203d5dd89f7fd4dff3e96c660155171c53db5c062e59b18fad7755d7c74c59af81a54c0df081e8e92a7512523da3a9257432bd93d336fbb74c0b1605d733abd24417f40da6d5da702576b793061b5fe0059f5bd5c21bb302b3301255eec8c68b3c011557f4b47926fcdf83a3b81d31c90af7f04ac19bb683ada446d4388c824ef671ccc17ece411ad95203bdf8eaf9685a899cc914b869ccbd909874c65c323d01fcbe894b6e029d971d8021195143bd6648c358baf06a9144e12985289ae3fe2788ed22fc25890c43fb50727c593a512dde2226fc9dd720a85b13681acd7213f0bfa03e47ba5fb2df2a3af6862ba44 EAP-Message = 0xeedcdf04878099c6fef854ed9514a571f92599447d319dc68ffab977649eab30c785a1cf8ba584c035930da6a2d4cbd7f10a2e322b505dafd201ab975c6a1203e698af1685fb8f330fdfab1f5f2f3248d63fb2c7468af2f59dac1fc505c290b90ae948f0a862a29d9418c04e6bcc059246ebbe50fea5a8a1ed1975f788cf06044dad87e52436b4d35d04621b921caf486494623d8b4b5e1d5b02b8279b3703e60b5efcbaa489894bf2d3b6ef874749697b987bf15d31bf1fa246d0bc72d80555e956edf8d2ff7c4ac33691cbd2eebe60dccd7e3716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0b82facbdb91ce7a2572b723f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=99, length=296 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0205008c190016030100461000004241046a740362e0d616de772c72d41ee5ea386a53be3e206d45b0651521e238a8b7226cf8af3f85aed5878d8a72960291b2199aa1805bce5da3f035ead6f067de8f1b1403010001011603010030b21c85083a266af718d1e69d85719af3a916c5c840e3f17ffdfce8c1fa9c3e85644dd6a1886850ba2196ef6eb28c64c2 Message-Authenticator = 0x2d33ae480ec38fdf618635dba1779b40 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0b82facbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 99 to 172.18.198.32 port 1645 EAP-Message = 0x010600411900140301000101160301003090b81f39df590362caf2d99dfe9fe368235406a26c5c6eb4818d890c785e40361beb223f2639a968c9b7dd6d2ac51101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bf2cacbdb91ce7a2572b723f Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=100, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020600061900 Message-Authenticator = 0x16572769069b79c9ba629f078a6d1e6a NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bf2cacbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 100 to 172.18.198.32 port 1645 EAP-Message = 0x0107002b19001703010020b31358b537b7134e57360dcd37eae6c2d38196d58b611edec302fa3fec68d2df Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0be2dacbdb91ce7a2572b723f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=101, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020700501900170301002018a664b19a325ea049be4c621e8049cfd4426244ca5c959a65a73588b34abb4b1703010020c37fbc749595c99a78ce484d6f1db9650b66645dcf7fb2f5840f5b61cb3748aa Message-Authenticator = 0xc8b6fc92af307b8e8ca068d23965cb51 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0be2dacbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020700090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a010800191084ba62722c03c483a91352c175f1529a74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ef6732709c3b87ea131e257 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a010800191084ba62722c03c483a91352c175f1529a74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ef6732709c3b87ea131e257 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 101 to 172.18.198.32 port 1645 EAP-Message = 0x0108003b190017030100306026b403c13a55239766d3fadfc4a98dbabf1fc11a639a64c85d2cf3560ec75a3531c2f5de861846995088eafdac1abf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bd22acbdb91ce7a2572b723f Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=102, length=284 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0208008019001703010020b92988ae427d6241a55df5ecc6399406855790402a55c456b90c855c20f97fc71703010050ca8b6f23a8e3550b072d3ba37051e12f40abfc7dbce03d6457aadad81c4800de2b7bcca9efd6d3bd85f593263532176a1fc3b26084752dd271021a523cddd79456560c499314b05c79168d3d75aa47ef Message-Authenticator = 0x8affbffffe30400d59c4008936563b33 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bd22acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31a48840d1a1de4d77d87cb99559c6573e000000000000000047cb2e79d82abd625e4009b419a149727c649c1481dc49130074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31a48840d1a1de4d77d87cb99559c6573e000000000000000047cb2e79d82abd625e4009b419a149727c649c1481dc49130074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x0efe69570ef6732709c3b87ea131e257 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d45374337383938423944303331353531304534323842383635324336373830433431384230373645 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ff7732709c3b87ea131e257 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d45374337383938423944303331353531304534323842383635324336373830433431384230373645 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ff7732709c3b87ea131e257 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 102 to 172.18.198.32 port 1645 EAP-Message = 0x0109005b190017030100505d1a5a1287bc8a2e9d94aaa3eb4e89db49e3afead1d6bfee2303378554aae9bc65c7678f104be1be2cb9831ff282efba9eaf6440be14992bcca1be885b15a0011675bb686dff0e79e1de15ab3f34db28 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bc23acbdb91ce7a2572b723f Finished request 8. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=103, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0209005019001703010020fdfdcbe62f4be282f11da86e1a120de98815b0fc7ba7dcedeba9ebffe2e228a01703010020abbbb9d0d4c938049351af3bfa3950a2c86dece773cb047c260cc7a469fc9b91 Message-Authenticator = 0x5571d4907711c404122993abfe28206b NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bc23acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x0efe69570ff7732709c3b87ea131e257 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 103 to 172.18.198.32 port 1645 EAP-Message = 0x010a002b1900170301002065bf7fda742db5bef2bc180d98a0cad8ae421ae976ff065e10e5a055b7036415 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0b320acbdb91ce7a2572b723f Finished request 9. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=104, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020a005019001703010020fca0a033a16be8e163cf06002f5c82354dcf37a8585a45feb83579bfa09db8bf170301002069f53585cc685ef8d9f83e833001f3e53d5d655d46787c4d53d87c9cad1ab42c Message-Authenticator = 0x0d4dc553d712677f0b5cbc388facbff3 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0b320acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) ? Evaluating (NAS-Port-Type == "Ethernet" ) -> TRUE ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> TRUE ++if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> 0x197401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c63754f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b +++} # update reply = noop ++} # if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 104 to 172.18.198.32 port 1645 MS-MPPE-Recv-Key = 0xacf9fb54eef637d542208e760604e0c0bd8d3d86ab97d6285a841fed54adbd60 MS-MPPE-Send-Key = 0x186ffb2f33e99465cd5f3fb12e063993f2870c0ecea47fb36c822608ea2791fd EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" EAP-Key-Name = 0x197401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c63754f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b Finished request 10. Going to the next request Waking up in 4.7 seconds. -(snip)- -(snip:CUI with use_tunneled)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } client test { ipaddr = 127.0.0.2 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = yes soh_virtual_server = "soh-server" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Loading virtual module cui_authorize Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Loading virtual module cui_pre_proxy Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822350 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Loading virtual module cui_postauth } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 49737 ... adding new socket proxy address * port 59974 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=0, length=116 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x595808a6df0d257c137a38998ee79867 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 127.0.0.2 port 48345 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9327e829e357b5a5436a16c14 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=1, length=343 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020100df1980000000d516030100d0010000cc0301ca8a04aa540107592620c2160bb3f42a71ca744eae937a7f978658051d66c46400005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x327f9bb9327e829e357b5a5436a16c14 Message-Authenticator = 0x75898035e58e5ebf1cf694cd4a1589c9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 223 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 213 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 127.0.0.2 port 48345 EAP-Message = 0x0102040019c0000009c5160301003e0200003a030154f5a9f1fbadff28d111817a7356bb5e640f5877637303569e4a40c74eae7bdb00c014000012ff01000100000b000403000102000f00010116030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d01 EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a EAP-Message = 0x677f7fb69954c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8 EAP-Message = 0xde531e313244d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d4756502 EAP-Message = 0x03010001a382026630820262 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9337d829e357b5a5436a16c14 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=2, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020200061900 State = 0x327f9bb9337d829e357b5a5436a16c14 Message-Authenticator = 0x6888dcbbe8be13f63b3df1c04b6dfd6d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 127.0.0.2 port 48345 EAP-Message = 0x010303fc1940304f0603551d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d EAP-Message = 0x0603551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e69 EAP-Message = 0x2d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de543255 EAP-Message = 0x84da860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741043350173df39886cda2ba626e72d0bb364421fba1ac14e9dc8415ce6fa0cb59cf6b70e8ad3fa5802c4383429ad5b0b766b4fe9518b419d2343cf6f8920b7a77110200076ed54647aa04e0eb8d4e7803d6f2f222476b9674e6568465e7ba8c0e34a6c4cef8499d99e98d23 EAP-Message = 0x3203586c9cf439fa Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9307c829e357b5a5436a16c14 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=3, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020300061900 State = 0x327f9bb9307c829e357b5a5436a16c14 Message-Authenticator = 0x1561f30102839d5ed3a896c12567b963 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 127.0.0.2 port 48345 EAP-Message = 0x010401df1900fa7891981190bf2f119fb40b3416fd090e14f909d165e083ae92734b047cba30c2f8510867efa7124f9a4326f167a31c5e1ab60873d347d5de5c408af0c4cfa4f2c2c362903afe81d259396a1f9e975c2e708d9b5189d9d770b713154cfe3f560c0af05470be922b258b13478e0384c5ff9a5f7f5b6f879db9e6f3971c872ec5cddfe5de8a84f46db338bad448b149eb6c99b66d65f7fababb729531edbe3755d0336e27b29ffa8c4dc29bfca80ff52231948da48fd7b9d6dff3e362d474c5083210964b888339fc806721ca6be613b165a672eb6454b824127b69259f5179fc0b2155bea71ce4d8dcc367f8e40371aedf3ae5bf010c9f EAP-Message = 0x77b4a27e51ecbeeae358d881edac32a3ca3350aa6e00c8b3d085f68984e05a772e08567bffda2463aab7d6962f0333bcbddbf3730ac7855b3ef3363595e45375b294a3af25b05f71694aa716a0b9df5ccd64feede13eedbed6f32a34aeeb06536391bedb7ae65540ea7d90a9016f97b681e067462daa43cce69c9e9fbd9ff3c6f208f424f15b33278a2efedcb42724752bf2bf3e3429d9943a57c217ab6370aa22bac7b0b8a7b21f9a2582987adab826631552fe6d54fb8b5d0737c83a98292a154e82d4768c55698be87264db35b9dbd87410c67c96476c9616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9317b829e357b5a5436a16c14 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=4, length=264 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020400901980000000861603010046100000424104589f028d91f777f472a23572e0aba0709612be1b08b00c37382d019982a382afef0bc2bffbd08baacbfd4ee670c436f119fa9b0d7854205a5e6c14f221152d241403010001011603010030ff55a8bd146331235a47ee466bd285fa6b5a2cb812cbd6226938423e1394a38987a51e9a970d0d0b7e0e2080b1a32a3f State = 0x327f9bb9317b829e357b5a5436a16c14 Message-Authenticator = 0xb6826a8549005cbb13d2a5d93e9ef5bf # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 127.0.0.2 port 48345 EAP-Message = 0x010500411900140301000101160301003020c85b82b0cdd61ffd9d232b616ef15501eecdcdc9a2e638f53272c3b4c35fdd3706f7e2ff607d3f62c4ae312320e0f6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9367a829e357b5a5436a16c14 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=5, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020500061900 State = 0x327f9bb9367a829e357b5a5436a16c14 Message-Authenticator = 0x2a17af58815712ca7799486235a92194 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 127.0.0.2 port 48345 EAP-Message = 0x0106002b19001703010020796f17cf42b173edbcd5c862efda9644b27249be5bd78eaa15d51a0d81b142b8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93779829e357b5a5436a16c14 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=6, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0206005019001703010020aaced0418f9e6417d8b95954962ddb186629d82d0d8e48beeb27c1e9e56a4a9b17030100201d39a2a010f2500aea7914b27e981cdc89444fe1c0119fa44c3478f9cfa16036 State = 0x327f9bb93779829e357b5a5436a16c14 Message-Authenticator = 0xdff535226abc38dcd6fbf58b691496b0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Requesting SoH from client ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 127.0.0.2 port 48345 EAP-Message = 0x0107003b19001703010030385a62c266b4e84f5d7314abe491ed7337b994237ac4924d1b7a3711a67fe2cb2968fefa0a866d2fed02ec5419a88053 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93478829e357b5a5436a16c14 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=7, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x02070050190017030100202b9d5178effeb43bf275a261b88440e9c8f7339b32c61ec34258e6e8d8d180bf1703010020c031353e552be39b85f17d864810468242c50424853dc6f49e5f80708ff9d5b8 State = 0x327f9bb93478829e357b5a5436a16c14 Message-Authenticator = 0x3aa4730e7f8cf83347b70b810447761d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type nak [peap] SoH - client NAKed [peap] Setting User-Name to test [peap] Processing SoH request SoH-Supported = no FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" [peap] server soh-server { # Executing section authorize from file /etc/freeradius/sites-enabled/soh +group authorize { ++update config { ++} # update config = noop +} # group authorize = noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. [peap] } # server soh-server [peap] Got SoH reply [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020700090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a0108001910447ffc937bb419ef8d909103306fa47474657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f5fc994d57120af492298399 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a0108001910447ffc937bb419ef8d909103306fa47474657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f5fc994d57120af492298399 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 127.0.0.2 port 48345 EAP-Message = 0x0108003b19001703010030cbd22509077e7f0738f486fe3b48f54b28395fdfcf38bfb08d7297a73ae86d66f6bcda9f0371005bd03911234fdd79c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93577829e357b5a5436a16c14 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=8, length=248 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0208008019001703010020d17355b4f52a17aab27bcd9516dbf9aaa53c31ae42a062c31d548933b5f5d5d7170301005068f143add5db659dc0eef2e44bdaa9431a341c1ef520812a57513effdab568fb7c2a4ce9094161b3ac8ef8e0f756b7f12c5c91feebf5d7bf03d81e2ac0996d1185420363e0be1530f79c0200d443f08a State = 0x327f9bb93577829e357b5a5436a16c14 Message-Authenticator = 0x097a2b9db2824b1513e6c0d123798106 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31fd9a39d29b1c1c3b1824248ba4b4376d0000000000000000ec5c20d426f710215334d3f7055202c3562c4c8bcd8b385c0074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31fd9a39d29b1c1c3b1824248ba4b4376d0000000000000000ec5c20d426f710215334d3f7055202c3562c4c8bcd8b385c0074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xf5f48388f5fc994d57120af492298399 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d31363833413530383845423132443942413842433430374539383245433845383541414344324631 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f4fd994d57120af492298399 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d31363833413530383845423132443942413842433430374539383245433845383541414344324631 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f4fd994d57120af492298399 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 127.0.0.2 port 48345 EAP-Message = 0x0109005b19001703010050d2b789718fcffbb9b674b1b69efe450b340e44e565663a223cbe31748804495e229923ad790f976fcc3cf03ff97135ee6111f49775c0ab5e3e97e9a344194b5573465a1fd499760bfc84e31e06c28207 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93a76829e357b5a5436a16c14 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=9, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0209005019001703010020143d851aff8ba8edda8f418f7cab68b6d96eaa43b450a21b5d72972d32ca01e0170301002041fbab48b6aefd1744b4b3b9b02f14fb3819ddd9ee38f967206781fb058864e7 State = 0x327f9bb93a76829e357b5a5436a16c14 Message-Authenticator = 0x8aba2461edf6d7465a8b18632ef4cdf9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xf5f48388f4fd994d57120af492298399 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +group post-auth { ++policy cui_postauth { +++? if (FreeRadius-Proxied-To == 127.0.0.1) ? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++if (FreeRadius-Proxied-To == 127.0.0.1) { ++++? if (outer.request:Chargeable-User-Identity) ? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE ++++? if (outer.request:Chargeable-User-Identity) -> TRUE ++++if (outer.request:Chargeable-User-Identity) { +++++update reply { expand: test%{User-Name} -> testtest expand: %{md5:test%{User-Name}} -> 05a671c66aefea124cc08b76ea6d30bb +++++} # update reply = noop ++++} # if (outer.request:Chargeable-User-Identity) = noop +++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # policy cui_postauth = noop ++update outer.reply { expand: %{reply:Chargeable-User-Identity} -> 05a671c66aefea124cc08b76ea6d30bb ++} # update outer.reply = noop +} # group post-auth = noop } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to 127.0.0.2 port 48345 Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" EAP-Message = 0x010a002b190017030100205c705bc6233aadd22c12d903313e62e73d03df9b06bd6014b4f0035496d6503b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93b75829e357b5a5436a16c14 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=10, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020a005019001703010020fefd838dfd4ce0af03b1937450f77bc5b42b6a51a2eb2b13d4c2b86ad4a9cd341703010020d9380f0721001bc78a4e0db195a850084989147c97ed73847723ca8c01dd6b8d State = 0x327f9bb93b75829e357b5a5436a16c14 Message-Authenticator = 0xb2384825a42489e30bbe8e57aecbdc2d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) ? Evaluating (NAS-Port-Type == "Ethernet" ) -> FALSE ? Skipping (reply:EAP-Session-Id) ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> FALSE +} # group post-auth = noop Sending Access-Accept of id 10 to 127.0.0.2 port 48345 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" MS-MPPE-Recv-Key = 0x2e4a9f0cd8626d474e58aad77fceec68cf3b758b43fd8822c565a5ac0634dc28 MS-MPPE-Send-Key = 0x9d2033bd45afc4a0ab7c6b34877c6738236104e245e9006fb464d44ade3ac38c EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 10. Going to the next request Waking up in 4.9 seconds. -(snip)- -(snip:CUI without use_tunneled)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } client test { ipaddr = 127.0.0.2 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = yes soh_virtual_server = "soh-server" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Loading virtual module cui_authorize Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Loading virtual module cui_pre_proxy Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822350 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Loading virtual module cui_postauth } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 53498 ... adding new socket proxy address * port 35227 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=0, length=116 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0xc1d8c1f9918fe9f74d3e7f0652520b47 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 127.0.0.2 port 46747 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29847a6bb36a3141a09bb27535f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=1, length=343 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020100df1980000000d516030100d0010000cc03014e5372569e41097f511647c09e8f8a82ae426474b808ce1b7353ae5af2e385b600005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x47a7a29847a6bb36a3141a09bb27535f Message-Authenticator = 0xcd9e4c715d9cab478d82437f863bf8b2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 223 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 213 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 127.0.0.2 port 46747 EAP-Message = 0x0102040019c0000009c5160301003e0200003a030154f5a9cfded1c635e5d68dd42f9b1299be58d8c967cef9e796ddbcd1eb5f80ea00c014000012ff01000100000b000403000102000f00010116030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d01 EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a EAP-Message = 0x677f7fb69954c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8 EAP-Message = 0xde531e313244d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d4756502 EAP-Message = 0x03010001a382026630820262 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29846a5bb36a3141a09bb27535f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=2, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020200061900 State = 0x47a7a29846a5bb36a3141a09bb27535f Message-Authenticator = 0xff7ec8eca5b28ca4c328ab0c59f3d41d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 127.0.0.2 port 46747 EAP-Message = 0x010303fc1940304f0603551d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d EAP-Message = 0x0603551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e69 EAP-Message = 0x2d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de543255 EAP-Message = 0x84da860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741040d5ab8d92cc943c20461b24109474096cb9cb046603bded117a3fbaa550064d179ac857278a13d3c99a6e910a07cff4bdba05f0b0a2dba4ef1bae09a45ec01450200a757ff1882ea9f267e2687abe6bd0b7a1678e9395314285c173ccee3c57bc2044a0be32b213c9430 EAP-Message = 0xb86c9bfedba48fc3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29845a4bb36a3141a09bb27535f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=3, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020300061900 State = 0x47a7a29845a4bb36a3141a09bb27535f Message-Authenticator = 0xf178932508d31a8e7ee7dfa71734d78c # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 127.0.0.2 port 46747 EAP-Message = 0x010401df19003eacb85bdc7ad59cf2ab0898347620842bc010ca4e35da72a99bd91ddbf23ad77cac9a28d0f35aa9c2937c132c79f0b368bd46a80aa0e3229a85169f889322553b18d046303558def383d661ce9cc5b52588b6bc80019adcf9ec5b4458f52357349dade5c2c7b07a1b7f545553c8b9aa819e3ab50bb00ce839ce6f8e5714558cbd6796c7026a9b52ee7d3fa17cf22753eee4ffc652055df0fc073d4590cd3f52c29ff731f13af5271e6a976bf58ab92bdb699fbb9cebc3b7f2856c8612c8b4fae51b526e091e747d8d2b13fdf62bc09dd52a73cf48c25f6cd3f07972824b82010981c62c7961288b59e89c6270ee6967ac46c63931cdf6 EAP-Message = 0xd39cf8db89498fe9e450008d7c2878cb4af1b11760a30edaa8afeb4f361e8240a1a2f69a7d1faddd0ce9e5773774f6c4a08869fbb53c2dbca08fcad63ef5cfbe64dfb76705409a0db515962a719381e1e0a9526b9b6e30d95fd18674b3ea03c16cef14165c839e20a32d16a191916691c51510d120bfaccad741435a37c892f1724b1d4f63ce75b54485568540670567a8aa5a78675b23fd334d0095f64c02187c7653c797ed42ff581efc6f3144204fe74c8acc2c1a629a04851282285dc6acb0888ba747fa7a957f7a5d1277fd3c45229e15c10d5d5a3d5d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29844a3bb36a3141a09bb27535f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=4, length=264 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020400901980000000861603010046100000424104a53cd65b9d4c9b62ba16fed564a7073a1d0940bc94df4f19bbc71f12dc25e4ab97dce539002a220a5b162f9ea6d731e9352c295fc6cc1dae070fee40e8716dbb140301000101160301003049714ea65b278e5ab8e12a1efc49b51c54a8bf71c73181f5d9ff7d4462eda3e94feecc34d12036061efd9523aea20cc2 State = 0x47a7a29844a3bb36a3141a09bb27535f Message-Authenticator = 0x5d2cedfdfc76d9ddc3edefc72f5697db # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 127.0.0.2 port 46747 EAP-Message = 0x0105004119001403010001011603010030ced84c9f8f7661ff4ba1aa6d2a12e97e81dd732a62986264024bcc2b3a59de6183284c44093187250018a1d60d2f668b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29843a2bb36a3141a09bb27535f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=5, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020500061900 State = 0x47a7a29843a2bb36a3141a09bb27535f Message-Authenticator = 0x9390873444c6efd79f22cc756e0aca74 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 127.0.0.2 port 46747 EAP-Message = 0x0106002b190017030100201ffd3457ccf3c8c3f7391b3b213ca493cb4f1d0fd56d65e1ae675eebc0bcd5e9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29842a1bb36a3141a09bb27535f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=6, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0206005019001703010020628e42e32a5eecb574db53436501efe8f62bfbf269019acf64874644c064a9131703010020993efe26ff0ae8e9b30d8aad412b28fb868621a64d7b73ac1678bce52eee6487 State = 0x47a7a29842a1bb36a3141a09bb27535f Message-Authenticator = 0xee04c891296aec22b84cd3f09ddf0023 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Requesting SoH from client ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 127.0.0.2 port 46747 EAP-Message = 0x0107003b1900170301003018479e6c86733c71a3964c56a1a4b70d68f87f73fe1eb759a4b5908edc0cc98a201d7064cb6c525efc5c9a8e1bc78fa0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29841a0bb36a3141a09bb27535f Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=7, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x02070050190017030100209edbe10bbc7ebad0ac19675bdef35a9a57e54ab1cb9bb7c7075b9882b03c76db1703010020b1a41c440b3f247fb43bd456df9bf28b806df68a3e2ed76df2d514090c4b42e1 State = 0x47a7a29841a0bb36a3141a09bb27535f Message-Authenticator = 0x734a84af43cdba5fcd136e6482be380f # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type nak [peap] SoH - client NAKed [peap] Setting User-Name to test [peap] Processing SoH request SoH-Supported = no FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" [peap] server soh-server { # Executing section authorize from file /etc/freeradius/sites-enabled/soh +group authorize { ++update config { ++} # update config = noop +} # group authorize = noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. [peap] } # server soh-server [peap] Got SoH reply [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020700090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a010800191004d013b4340898feb940894e75e41bca74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd7ed46da256bf8042f7c4267 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a010800191004d013b4340898feb940894e75e41bca74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd7ed46da256bf8042f7c4267 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 127.0.0.2 port 46747 EAP-Message = 0x0108003b190017030100308f813e433eda61a76b72a06a528cafe050a4dcf3846527db9c4ab9819ed216854cd7ed0d98c22c36ac54ef43939d5f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29840afbb36a3141a09bb27535f Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=8, length=248 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0208008019001703010020737188bad62e44d0d634a0741a3fbf2be5898be0c8d1282629e4e8f22d86221017030100504200e28c7bf4ae7994e38a2b2aa3c35bd802d5e05f9d5b665813bd20c49061371e980503f5ff25d059b51e111b751f45bda3d5fdafe87d20b1eb564a43d7b347a8f1627f7c6dcc3b48b1767e7f5aad85 State = 0x47a7a29840afbb36a3141a09bb27535f Message-Authenticator = 0x4f0d7bce4c38e0e809eb09894f8bee27 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31bf797748352ee9eba1ff4c7c721fd8820000000000000000a0bda344c23a528656263dc511689f77cc2809f6acdde5180074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31bf797748352ee9eba1ff4c7c721fd8820000000000000000a0bda344c23a528656263dc511689f77cc2809f6acdde5180074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xd7e55c2dd7ed46da256bf8042f7c4267 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d33323339443539333646393837454134384642353136344332344537373746303641434437454235 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd6ec46da256bf8042f7c4267 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d33323339443539333646393837454134384642353136344332344537373746303641434437454235 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd6ec46da256bf8042f7c4267 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 127.0.0.2 port 46747 EAP-Message = 0x0109005b190017030100500353f8f7c812c78b8f0248ce22e1f9a232aa0d6d84a42b9491dc5999d119aa40d5ab5d4d4962193e84a824f754dfb25f6438a10795fb78b3b28982f271dfaf88d5bf982f2b74c3ed9db322fb2e113a02 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a2984faebb36a3141a09bb27535f Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=9, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x02090050190017030100202427cc3deb8133ce9e988163efd7fdfd95c7ca1abf8b5fc6cca6e6c6b7ada3e917030100201d6cf9ee3566285549d9fefcc44f4f96eaaf85451313e2db1871a7ad8379dced State = 0x47a7a2984faebb36a3141a09bb27535f Message-Authenticator = 0xb8d7d9b1340fba44b99222a17476f5b5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xd7e55c2dd6ec46da256bf8042f7c4267 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +group post-auth { ++policy cui_postauth { +++? if (FreeRadius-Proxied-To == 127.0.0.1) ? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++if (FreeRadius-Proxied-To == 127.0.0.1) { ++++? if (outer.request:Chargeable-User-Identity) ? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE ++++? if (outer.request:Chargeable-User-Identity) -> TRUE ++++if (outer.request:Chargeable-User-Identity) { +++++update reply { expand: test%{User-Name} -> testtest expand: %{md5:test%{User-Name}} -> 05a671c66aefea124cc08b76ea6d30bb +++++} # update reply = noop ++++} # if (outer.request:Chargeable-User-Identity) = noop +++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # policy cui_postauth = noop ++update outer.reply { expand: %{reply:Chargeable-User-Identity} -> 05a671c66aefea124cc08b76ea6d30bb ++} # update outer.reply = noop +} # group post-auth = noop } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to 127.0.0.2 port 46747 Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" EAP-Message = 0x010a002b1900170301002062204f03a60637a99d252a241d7f3905e63d3285a853906eb95155fe9486e1ed Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a2984eadbb36a3141a09bb27535f Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=10, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020a00501900170301002039fb116920fb3139a8cd97a0d24307ea4083e23dd0a74ed263ce72400080bbaf1703010020826cf4e6bd5e35794a7e151ed2810a457026d563b61c692ad5d4c2c5e891aceb State = 0x47a7a2984eadbb36a3141a09bb27535f Message-Authenticator = 0x5ea7b26d7593d52f3b153b0683089900 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) ? Evaluating (NAS-Port-Type == "Ethernet" ) -> FALSE ? Skipping (reply:EAP-Session-Id) ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> FALSE +} # group post-auth = noop Sending Access-Accept of id 10 to 127.0.0.2 port 46747 MS-MPPE-Recv-Key = 0x7c11a8f4ae35bf92ddb6df2e6606ea67079d67b55aa241a7dd0bc485077b884f MS-MPPE-Send-Key = 0x7713dc5356bb73cd722eeefa6dd73ff7e81d8db357d53d8b6ec84e1df4b574c9 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 10. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +1 Cleaning up request 1 ID 1 with timestamp +1 Cleaning up request 2 ID 2 with timestamp +1 Cleaning up request 3 ID 3 with timestamp +1 Cleaning up request 4 ID 4 with timestamp +1 Cleaning up request 5 ID 5 with timestamp +1 Cleaning up request 6 ID 6 with timestamp +1 Cleaning up request 7 ID 7 with timestamp +1 Cleaning up request 8 ID 8 with timestamp +1 Cleaning up request 9 ID 9 with timestamp +1 Cleaning up request 10 ID 10 with timestamp +1 Ready to process requests. -(snip)- Best, Kilian