Hi there list, After getting (p)eap an mschap working I'm faced with the following problem: The client gets authenticated through mschap and receives an Access-Accept but the rlm_perl added pair which where added in request 0 are not send to the client. Resulting in a client ending up in the wrong vlan. I've tried several things to resolve this but with no result. One of which was running the perl code in a post-auth event. This resulted in something like 250 requests and the client not connecting., Two things strike me as odd: - There is a warning about 2 auth-types - perl and eap - Why does the authorization run first? I would have thought authentication comes first. Below the trace and versions. Peter FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12 Ubuntu 64bit 12.04 (wheezy/sid) FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client sysop-2 { ipaddr = 10.0.0.20 require_message_authenticator = no secret = "testing123" nastype = "other" } client ap { ipaddr = 10.0.9.48 require_message_authenticator = no secret = "testing123" nastype = "cisco" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=ATLAS --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-ATLAS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /etc/freeradius/modules/perl perl { module = "/etc/freeradius/example.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=202, length=210 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0xe29cf9a9ecd3cbce938b7d4917ea7286 EAP-Message = 0x0202002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Service-Type = Login-User rlm_perl: Added pair Calling-Station-Id = 0016.eae4.d5aa rlm_perl: Added pair Called-Station-Id = 0019.070a.a011 rlm_perl: Added pair Message-Authenticator = 0xe29cf9a9ecd3cbce938b7d4917ea7286 rlm_perl: Added pair Cisco-AVPair = ssid=geengast rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair NAS-Identifier = radtest rlm_perl: Added pair EAP-Message = 0x0202002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.0.9.48 rlm_perl: Added pair NAS-Port = 389 rlm_perl: Added pair NAS-Port-Id = 389 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Tunnel-Private-Group-ID = 101 rlm_perl: Added pair Session-Timeout = 250 rlm_perl: Added pair Tunnel-Type = 13 rlm_perl: Added pair Tunnel-Medium-Type = 6 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 202 to 10.0.9.48 port 1645 Tunnel-Private-Group-Id:0 = "101" Session-Timeout = 250 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efa8831bb8df0c9954079019a Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=203, length=295 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0xb1f4bca9888d29b9737e493878e3d421 EAP-Message = 0x0203006919800000005f160301005a0100005603014fc73361cfa763a813cd492895c4 7eaa37aedcae0683cf4fad46d7cfdbfe1f5a000018002f00350005000ac013c014c009c0 0a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efa8831bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02ae], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 203 to 10.0.9.48 port 1645 EAP-Message = 0x010402f8190016030100310200002d03014fc7334922ea9802ba6fd82e47b9eb5abed5 e3075ad553d92a0502656236500000002f000005ff0100010016030102ae0b0002aa0002 a70002a4308202a03082018802090093612d39d755e4c6300d06092a864886f70d010105 050030123110300e0603550403130772616474657374301e170d31323035323231313430 33325a170d3232303532303131343033325a30123110300e060355040313077261647465 737430820122300d06092a864886f70d01010105000382010f003082010a0282010100ad 3ae0a6b058a19f697fd586bbbabf66f43779ad771cde66d4dbdbf2b824510c485ab969b8 8ac7 EAP-Message = 0x6a7ba5b8d15fd768890756ef6e606f27d21623f0fa9bfc07dc282a4db2de57fe048773 02e4d91bb921dba6fbafd77da8f8b5eb2082949a8b522092418771ff67d4a186c80b3bd7 d84a89da318eef50b16c931948ef882001269f33d39a0b3644b09125668e4423124eb7ca b5b85a6b92428edfe4ee1c789b9add3f478b718f4665737afe87a85a7f6580db9c42d204 6aa5263bba39ec6c455dbb80702244dfe3f50a361cb29b66eba17e668cfd860a0ec28f05 b70cc2cc5eea96c4520ea1dd5a237e26034e7ef0a3c82d42ae455c15c9d5a5149d568c13 346f0203010001300d06092a864886f70d010105050003820101000c9d1ae5dbcc0b4fae fe91 EAP-Message = 0x9f91d3e971823a0df53cf3783498064e1dbac81a510fcc1162bc2f3e7ab14958d208d1 4653a210430589233379b05bc27611322d9c636da1c6ba154e1f10d6bd4afadfed812e50 4811a8c0b9301a3303cce719f2f78828beaf92d08d21c43cbb001ddf6ea3e57c0c0e24c0 f1a11db8d2d90779dd4860af589161db5633cd1618a87e56500834601697b4eaab460907 d3305686421ab9912d14f33589f1ea98fe2da40497047c35a9436721d0a6703b0fd074c4 3d5673d48706ebd00aaf5efc94f31b5407b43278871a2e56822173ff21811f03657a640b d912d1b52f4844976c13658655ebab73bcc79299df2830a2f8b1a984d85716030100040e 0000 EAP-Message = 0x00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efb8f31bb8df0c9954079019a Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=204, length=528 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x8297464cc5d683623a7610651854dd3e EAP-Message = 0x0204015019800000014616030101061000010201003984f63af6565c1a71d6ca259f81 dbf2194e47cae6f46c5e3c802bea536c17bbad61ea61a89102f672aa22601466e46bb1a7 83d41759125f8ba1174ce7a55b0032997e2606cdfa1e6c015d51a2e1ac6e5751ca48a26c 33df07d8d3fa2327c5dbe2c39f09b688850a06a45ffb1dd46718cf620e5a583393b450fb 66e0a64bb618f84b45292940cceeb1a79907374125d7aed6070943cc9557613ee9bff5db c0efdc61145238e349b343bce6e8032fe69b9f769100b021819cd532e66a4dbab9decdd0 adec15598a86993cc9105aafcb937d62229d5b02d530d66e49875a6ce6b0061ffb20b2c1 13d8 EAP-Message = 0x465df29cbfb7867a6e326bc5833ab5619c421643e0976b8d1403010001011603010030 7409547395973a8f1dd53ca88878b699e118d5042d0ec13681f7bce17fd6af272e2053cf c663c966a8dd362722af3684 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efb8f31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 204 to 10.0.9.48 port 1645 EAP-Message = 0x0105004119001403010001011603010030b44fd787ae0d0ad9df11ad9e7c34e5309ff1 4efaaf30a8f24eccb23a628bde5320bbe9d461ce50186a0d260a5450d9e1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288ef88e31bb8df0c9954079019a Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=205, length=196 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x43082862e1ec75cac73daf2685e9089a EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288ef88e31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 205 to 10.0.9.48 port 1645 EAP-Message = 0x0106002b19001703010020054299ee7054795987b8ffa05baf241e11bf2cfbd8a59fb7 dfa152855b2b9010 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288ef98d31bb8df0c9954079019a Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=206, length=265 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x68aa7f1b7c3e6edd8a86f5d00dbcf8a0 EAP-Message = 0x0206004b19001703010040e4a88b3269302d6cfce6b1a7989d18617e49499b98d34f06 845ebb556174a44eddc8752ae1709c96aa0501fdbb077d31f706ac32123100731f075910 02136df9 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288ef98d31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 75 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/lt-pkn.atlas.atlascollege.nl [peap] Got inner identity 'host/lt-pkn.atlas.atlascollege.nl' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c server { PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl Sending tunneled request EAP-Message = 0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/lt-pkn.atlas.atlascollege.nl" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765 2e6e6c rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 ++[perl] returns noop [eap] EAP packet type response id 6 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'host/lt-pkn.atlas.atlascollege.nl' # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107003b1a010700361052c2c92bbd0e87883b4b4f0274aba0d2686f73742f6c742d70 6b6e2e61746c61732e61746c6173636f6c6c6567652e6e6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ed183f556982a467baafe64e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107003b1a010700361052c2c92bbd0e87883b4b4f0274aba0d2686f73742f6c742d70 6b6e2e61746c61732e61746c6173636f6c6c6567652e6e6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ed183f556982a467baafe64e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 206 to 10.0.9.48 port 1645 EAP-Message = 0x0107005b190017030100506963cc9b3e61da63080f3f4649e097ce960af7145c127858 b6e32f795b6a8768628888fc569f050c4e9ff7581b993f91c83610dcebc1f97097dd1385 520f0e66cd7d6c63c0b4afe5a0d526f13917e99e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efe8c31bb8df0c9954079019a Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=207, length=313 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0xe33f0b004c2ca6563de0b3ad8040eed7 EAP-Message = 0x0207007b19001703010070beb17e8fe13c07a0d805fe4183f700b885c5f9204faa53ff 1cec4bc5774926082432d9443b371b83f91e3d73770c20a875836cad6a362464c52fd450 4f9522a09e6c2d7602f94a0130fce57149e9ba16f55da6cfe6a1946e4b9565975b423dc0 fd31defda2dcbeea261dcbd9faf9938e NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efe8c31bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074 9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e 61746c61732e61746c6173636f6c6c6567652e6e6c server { PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl Sending tunneled request EAP-Message = 0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074 9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e 61746c61732e61746c6173636f6c6c6567652e6e6c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/lt-pkn.atlas.atlascollege.nl" State = 0xed1f2576ed183f556982a467baafe64e server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074 9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e 61746c61732e61746c6173636f6c6c6567652e6e6c rlm_perl: Added pair State = 0xed1f2576ed183f556982a467baafe64e rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns noop [eap] EAP packet type response id 7 length 92 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'host/lt-pkn.atlas.atlascollege.nl' # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/lt-pkn.atlas.atlascollege.nl [mschap] Told to do MS-CHAPv2 for host/lt-pkn.atlas.atlascollege.nl with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=lt-pkn$ [mschap] expand: %{mschap:NT-Domain} -> atlas [mschap] expand: --domain=%{%{mschap:NT-Domain}:-ATLAS} -> --domain=atlas [mschap] mschap2: 52 [mschap] Creating challenge hash with username: host/lt-pkn.atlas.atlascollege.nl [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2a115578878d4bc4 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=749aed48b37215d879a819b543c8230fc1ea904c861be950 Exec-Program output: NT_KEY: 0E4B3AC71048637A22E975629A7E708B Exec-Program-Wait: plaintext: NT_KEY: 0E4B3AC71048637A22E975629A7E708B Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d333044303431353546324430383542393832454638463339 44443846343330393345394445304230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ec173f556982a467baafe64e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800331a0307002e533d333044303431353546324430383542393832454638463339 44443846343330393345394445304230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed1f2576ec173f556982a467baafe64e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 207 to 10.0.9.48 port 1645 EAP-Message = 0x0108005b190017030100502098e038ea3dda0988810bd213735cf28e6dc3a3d5669105 0ce3d24d50dd9e3c25b5dabc315f20b0c5cfdb599016c1875de725cd2c9be6206065cd5e 50d49ce05630243c395e4d6c8df6c9b770f41992 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288eff8331bb8df0c9954079019a Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=208, length=233 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x01f97cbd1a55a4b5d3c343a8bff50e32 EAP-Message = 0x0208002b19001703010020195414ca1d196ee92e32583f8298b7ea67f168be12401176 4e2561105941cb00 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288eff8331bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800061a03 server { PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/lt-pkn.atlas.atlascollege.nl" State = 0xed1f2576ec173f556982a467baafe64e server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl rlm_perl: Added pair EAP-Message = 0x020800061a03 rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = Perl rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns noop [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'host/lt-pkn.atlas.atlascollege.nl' # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62 MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62 MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 208 to 10.0.9.48 port 1645 EAP-Message = 0x0109002b19001703010020dc05ca7cb6357d0b606833914286d4570c9be8b49d0fb0e5 5712e1f7d1ee6020 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa8b288efc8231bb8df0c9954079019a Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=209, length=233 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Framed-MTU = 1400 Called-Station-Id = "0019.070a.a011" Calling-Station-Id = "0016.eae4.d5aa" Cisco-AVPair = "ssid=geengast" Service-Type = Login-User Message-Authenticator = 0x810f84840491233963bd54edd7cd489d EAP-Message = 0x0209002b190017030100209393b67c4b83a3c60c318cbe352bac2f864b5fb9a1fe6a37 34b682ea4f6fa775 NAS-Port-Type = Wireless-802.11 NAS-Port = 389 NAS-Port-Id = "389" State = 0xfa8b288efc8231bb8df0c9954079019a NAS-IP-Address = 10.0.9.48 NAS-Identifier = "radtest" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 209 to 10.0.9.48 port 1645 MS-MPPE-Recv-Key = 0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75 MS-MPPE-Send-Key = 0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/lt-pkn.atlas.atlascollege.nl" Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 202 with timestamp +10 Cleaning up request 1 ID 203 with timestamp +10 Cleaning up request 2 ID 204 with timestamp +10 Cleaning up request 3 ID 205 with timestamp +10 Cleaning up request 4 ID 206 with timestamp +10 Cleaning up request 5 ID 207 with timestamp +10 Cleaning up request 6 ID 208 with timestamp +10 Cleaning up request 7 ID 209 with timestamp +10 Ready to process requests.