Thank you for answering, Alan. I changed the settings in the eap file and inner-tunnel. In the eap it's now eap_type = ttls. I'm still having problems with the PAM-IMAP module though. Looking around the internet I found that there was a type in setting the users with PAM. So I have them in my users file as DEFAULT Virtual-Server == inner-tunnel, Pam-Auth = "pam-imap-radius", Auth-Type = PAM Reading the output, these lines are causing the problem. (7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup (7) pam: ERROR: pam_authenticate failed: Module is unknown For some reason it doesn't recognize that with the realm "ucn.cl" should be using pam-imap-radius and not pam-imap-radius2. The output: (0) Received Access-Request Id 110 from 192.168.128.34:39957 to 146.83.124.26:1812 length 402 (0) User-Name = "wifi@ucn.cl" (0) NAS-IP-Address = 192.168.128.34 (0) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (0) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 61 / Channel: 11" (0) Acct-Session-Id = "1265B3D4CA450401" (0) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027074 (0) WLAN-AKM-Suite = 1027073 (0) WLAN-Group-Mgmt-Cipher = 1027078 (0) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (0) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (0) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (0) Meraki-Device-Name = "AP-V1-Soporte" (0) Framed-MTU = 1400 (0) EAP-Message = 0x025a001001776966694075636e2e636c (0) Message-Authenticator = 0x04cce3d3d9c3a62938bf82ea2abc2b9c (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (0) auth_log: EXPAND %t (0) auth_log: --> Tue Sep 1 11:52:23 2020 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (0) suffix: Found realm "ucn.cl" (0) suffix: Adding Stripped-User-Name = "wifi" (0) suffix: Adding Realm = "ucn.cl" (0) suffix: Authentication realm is LOCAL (0) [suffix] = ok (0) eap: Peer sent EAP Response (code 2) ID 90 length 16 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 91 length 6 (0) eap: EAP session adding &reply:State = 0xfc98dff8fcc3cadd (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 110 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (0) EAP-Message = 0x015b00061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xfc98dff8fcc3cadd585a7c0a5256b1cb (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 111 from 192.168.128.34:39957 to 146.83.124.26:1812 length 561 (1) User-Name = "wifi@ucn.cl" (1) NAS-IP-Address = 192.168.128.34 (1) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (1) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 11" (1) Acct-Session-Id = "1265B3D4CA450401" (1) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027074 (1) WLAN-AKM-Suite = 1027073 (1) WLAN-Group-Mgmt-Cipher = 1027078 (1) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (1) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (1) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (1) Meraki-Device-Name = "AP-V1-Soporte" (1) Framed-MTU = 1400 (1) EAP-Message = 0x025b009d158000000093160303008e0100008a03035f4e6e39d543bdbe262325b01665d7fc0cecf99af68741b25deddf25a63780f100002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000037000a00080006001d00170018000b000201 (1) State = 0xfc98dff8fcc3cadd585a7c0a5256b1cb (1) Message-Authenticator = 0x068dc765eda5d55a72a56d19ed80cc5a (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (1) auth_log: EXPAND %t (1) auth_log: --> Tue Sep 1 11:52:23 2020 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (1) suffix: Found realm "ucn.cl" (1) suffix: Adding Stripped-User-Name = "wifi" (1) suffix: Adding Realm = "ucn.cl" (1) suffix: Authentication realm is LOCAL (1) [suffix] = ok (1) eap: Peer sent EAP Response (code 2) ID 91 length 157 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xfc98dff8fcc3cadd (1) eap: Finished EAP session with state 0xfc98dff8fcc3cadd (1) eap: Previous EAP request found for state 0xfc98dff8fcc3cadd, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Peer indicated complete TLS record size will be 147 bytes (1) eap_ttls: Got complete TLS record (147 bytes) (1) eap_ttls: [eaptls verify] = length included (1) eap_ttls: (other): before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 008e] (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello (1) eap_ttls: >>> send TLS 1.2 [length 003d] (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello (1) eap_ttls: >>> send TLS 1.2 [length 0d45] (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate (1) eap_ttls: >>> send TLS 1.2 [length 024d] (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (1) eap_ttls: >>> send TLS 1.2 [length 0004] (1) eap_ttls: TLS_accept: SSLv3/TLS write server done (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 92 length 1004 (1) eap: EAP session adding &reply:State = 0xfc98dff8fdc4cadd (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 111 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (1) EAP-Message = 0x015c03ec15c000000fe7160303003d02000039030359d5354da526f46e73734ac9b4c806147b7bae612ec9e7fd6fe58961ef56e6ff00c030000011ff01000100000b000403000102001700001603030d450b000d41000d3e000601308205fd308203e5a003020102020101300d06092a864886f70d0101 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xfc98dff8fdc4cadd585a7c0a5256b1cb (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 112 from 192.168.128.34:39957 to 146.83.124.26:1812 length 410 (2) User-Name = "wifi@ucn.cl" (2) NAS-IP-Address = 192.168.128.34 (2) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 1 (2) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (2) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 62 / Channel: 11" (2) Acct-Session-Id = "1265B3D4CA450401" (2) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027074 (2) WLAN-AKM-Suite = 1027073 (2) WLAN-Group-Mgmt-Cipher = 1027078 (2) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (2) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (2) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (2) Meraki-Device-Name = "AP-V1-Soporte" (2) Framed-MTU = 1400 (2) EAP-Message = 0x025c00061500 (2) State = 0xfc98dff8fdc4cadd585a7c0a5256b1cb (2) Message-Authenticator = 0x83b5967ebe5b37e7447be803e0d0a7cc (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (2) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (2) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (2) auth_log: EXPAND %t (2) auth_log: --> Tue Sep 1 11:52:23 2020 (2) [auth_log] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (2) suffix: Found realm "ucn.cl" (2) suffix: Adding Stripped-User-Name = "wifi" (2) suffix: Adding Realm = "ucn.cl" (2) suffix: Authentication realm is LOCAL (2) [suffix] = ok (2) eap: Peer sent EAP Response (code 2) ID 92 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xfc98dff8fdc4cadd (2) eap: Finished EAP session with state 0xfc98dff8fdc4cadd (2) eap: Previous EAP request found for state 0xfc98dff8fdc4cadd, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 93 length 1004 (2) eap: EAP session adding &reply:State = 0xfc98dff8fec5cadd (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 112 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (2) EAP-Message = 0x015d03ec15c000000fe7209dba66581b0203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xfc98dff8fec5cadd585a7c0a5256b1cb (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 113 from 192.168.128.34:39957 to 146.83.124.26:1812 length 410 (3) User-Name = "wifi@ucn.cl" (3) NAS-IP-Address = 192.168.128.34 (3) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 1 (3) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (3) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 64 / Channel: 11" (3) Acct-Session-Id = "1265B3D4CA450401" (3) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027074 (3) WLAN-AKM-Suite = 1027073 (3) WLAN-Group-Mgmt-Cipher = 1027078 (3) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (3) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (3) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (3) Meraki-Device-Name = "AP-V1-Soporte" (3) Framed-MTU = 1400 (3) EAP-Message = 0x025d00061500 (3) State = 0xfc98dff8fec5cadd585a7c0a5256b1cb (3) Message-Authenticator = 0x87ee959791b647ce6c381a68cb941141 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (3) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (3) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (3) auth_log: EXPAND %t (3) auth_log: --> Tue Sep 1 11:52:23 2020 (3) [auth_log] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (3) suffix: Found realm "ucn.cl" (3) suffix: Adding Stripped-User-Name = "wifi" (3) suffix: Adding Realm = "ucn.cl" (3) suffix: Authentication realm is LOCAL (3) [suffix] = ok (3) eap: Peer sent EAP Response (code 2) ID 93 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xfc98dff8fec5cadd (3) eap: Finished EAP session with state 0xfc98dff8fec5cadd (3) eap: Previous EAP request found for state 0xfc98dff8fec5cadd, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 94 length 1004 (3) eap: EAP session adding &reply:State = 0xfc98dff8ffc6cadd (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 113 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (3) EAP-Message = 0x015e03ec15c000000fe7303140616c756d6e6f732e75636e2e636c3122302006035504030c19456e746964616420636572746966696361646f72612055434e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bac4e13cd8c7fa57371bce6d41f22a26bcad2ffba6e97d (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xfc98dff8ffc6cadd585a7c0a5256b1cb (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 114 from 192.168.128.34:39957 to 146.83.124.26:1812 length 410 (4) User-Name = "wifi@ucn.cl" (4) NAS-IP-Address = 192.168.128.34 (4) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 1 (4) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (4) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 62 / Channel: 11" (4) Acct-Session-Id = "1265B3D4CA450401" (4) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027074 (4) WLAN-AKM-Suite = 1027073 (4) WLAN-Group-Mgmt-Cipher = 1027078 (4) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (4) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (4) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (4) Meraki-Device-Name = "AP-V1-Soporte" (4) Framed-MTU = 1400 (4) EAP-Message = 0x025e00061500 (4) State = 0xfc98dff8ffc6cadd585a7c0a5256b1cb (4) Message-Authenticator = 0xe30e38a9050dd13905814ea8672728b8 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (4) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (4) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (4) auth_log: EXPAND %t (4) auth_log: --> Tue Sep 1 11:52:23 2020 (4) [auth_log] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (4) suffix: Found realm "ucn.cl" (4) suffix: Adding Stripped-User-Name = "wifi" (4) suffix: Adding Realm = "ucn.cl" (4) suffix: Authentication realm is LOCAL (4) [suffix] = ok (4) eap: Peer sent EAP Response (code 2) ID 94 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xfc98dff8ffc6cadd (4) eap: Finished EAP session with state 0xfc98dff8ffc6cadd (4) eap: Previous EAP request found for state 0xfc98dff8ffc6cadd, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: Peer ACKed our handshake fragment (4) eap_ttls: [eaptls verify] = request (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 95 length 1004 (4) eap: EAP session adding &reply:State = 0xfc98dff8f8c7cadd (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 114 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (4) EAP-Message = 0x015f03ec15c000000fe7c77251950fa0fe126a12332e02a8771ae735a0577b0809945f2151bb00b8f395f3f54573f94c87a0ad1afb624ea621c50e5cd9581e9bd0b5cc20a6f0c9bdbbbe326850002220a5b201f4bee09362a04c3dea95c4263c7c8ae9852a2a4c882975dc2cf44699206592149806fb22 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xfc98dff8f8c7cadd585a7c0a5256b1cb (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 115 from 192.168.128.34:39957 to 146.83.124.26:1812 length 410 (5) User-Name = "wifi@ucn.cl" (5) NAS-IP-Address = 192.168.128.34 (5) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 1 (5) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (5) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 61 / Channel: 11" (5) Acct-Session-Id = "1265B3D4CA450401" (5) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027074 (5) WLAN-AKM-Suite = 1027073 (5) WLAN-Group-Mgmt-Cipher = 1027078 (5) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (5) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (5) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (5) Meraki-Device-Name = "AP-V1-Soporte" (5) Framed-MTU = 1400 (5) EAP-Message = 0x025f00061500 (5) State = 0xfc98dff8f8c7cadd585a7c0a5256b1cb (5) Message-Authenticator = 0xaff5d23d6d7f617ed2f417cf8fc6b64a (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (5) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (5) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (5) auth_log: EXPAND %t (5) auth_log: --> Tue Sep 1 11:52:23 2020 (5) [auth_log] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (5) suffix: Found realm "ucn.cl" (5) suffix: Adding Stripped-User-Name = "wifi" (5) suffix: Adding Realm = "ucn.cl" (5) suffix: Authentication realm is LOCAL (5) [suffix] = ok (5) eap: Peer sent EAP Response (code 2) ID 95 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xfc98dff8f8c7cadd (5) eap: Finished EAP session with state 0xfc98dff8f8c7cadd (5) eap: Previous EAP request found for state 0xfc98dff8f8c7cadd, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: Peer ACKed our handshake fragment (5) eap_ttls: [eaptls verify] = request (5) eap_ttls: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 96 length 105 (5) eap: EAP session adding &reply:State = 0xfc98dff8f9f8cadd (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 115 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (5) EAP-Message = 0x01600069158000000fe7dd02213dc082bf9030b18c868edd995a7861437222487c7d98135b10166d927771216da0a1f38f13952517a5b10fd057e10f81b1d606ac8ad24ac5f91c5598c268b6720be6ca68e3ccbd62d209eada0c2fbdbcd6bac416030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xfc98dff8f9f8cadd585a7c0a5256b1cb (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 116 from 192.168.128.34:39957 to 146.83.124.26:1812 length 540 (6) User-Name = "wifi@ucn.cl" (6) NAS-IP-Address = 192.168.128.34 (6) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 1 (6) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (6) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 54 / Channel: 11" (6) Acct-Session-Id = "1265B3D4CA450401" (6) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027074 (6) WLAN-AKM-Suite = 1027073 (6) WLAN-Group-Mgmt-Cipher = 1027078 (6) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (6) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (6) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (6) Meraki-Device-Name = "AP-V1-Soporte" (6) Framed-MTU = 1400 (6) EAP-Message = 0x0260008815800000007e1603030046100000424104163f372687eb80d249bb061304fc52817ba0e4862fd5f6c419a118480627b974461bb79fb895d856f47fd3242fb08d24956729ee640f4880b162d4ab1d6c83f914030300010116030300280000000000000000fcf6e3d255b1273d62447e0e0cb40f (6) State = 0xfc98dff8f9f8cadd585a7c0a5256b1cb (6) Message-Authenticator = 0x419fc3b739475b963f44b66a473e4c5a (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (6) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (6) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (6) auth_log: EXPAND %t (6) auth_log: --> Tue Sep 1 11:52:23 2020 (6) [auth_log] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (6) suffix: Found realm "ucn.cl" (6) suffix: Adding Stripped-User-Name = "wifi" (6) suffix: Adding Realm = "ucn.cl" (6) suffix: Authentication realm is LOCAL (6) [suffix] = ok (6) eap: Peer sent EAP Response (code 2) ID 96 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xfc98dff8f9f8cadd (6) eap: Finished EAP session with state 0xfc98dff8f9f8cadd (6) eap: Previous EAP request found for state 0xfc98dff8f9f8cadd, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: Peer indicated complete TLS record size will be 126 bytes (6) eap_ttls: Got complete TLS record (126 bytes) (6) eap_ttls: [eaptls verify] = length included (6) eap_ttls: TLS_accept: SSLv3/TLS write server done (6) eap_ttls: <<< recv TLS 1.2 [length 0046] (6) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (6) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_ttls: <<< recv TLS 1.2 [length 0010] (6) eap_ttls: TLS_accept: SSLv3/TLS read finished (6) eap_ttls: >>> send TLS 1.2 [length 0001] (6) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_ttls: >>> send TLS 1.2 [length 0010] (6) eap_ttls: TLS_accept: SSLv3/TLS write finished (6) eap_ttls: (other): SSL negotiation finished successfully (6) eap_ttls: SSL Connection Established (6) eap_ttls: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 97 length 61 (6) eap: EAP session adding &reply:State = 0xfc98dff8faf9cadd (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 116 from 146.83.124.26:1812 to 192.168.128.34:39957 length 0 (6) EAP-Message = 0x0161003d158000000033140303000101160303002886804395e9752affc89dde1b411debdf4e3c00db259a47945801253f950c3be9826f2ce57374f1bb (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xfc98dff8faf9cadd585a7c0a5256b1cb (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 117 from 192.168.128.34:39957 to 146.83.124.26:1812 length 483 (7) User-Name = "wifi@ucn.cl" (7) NAS-IP-Address = 192.168.128.34 (7) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 1 (7) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (7) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 11" (7) Acct-Session-Id = "1265B3D4CA450401" (7) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027074 (7) WLAN-AKM-Suite = 1027073 (7) WLAN-Group-Mgmt-Cipher = 1027078 (7) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (7) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (7) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (7) Meraki-Device-Name = "AP-V1-Soporte" (7) Framed-MTU = 1400 (7) EAP-Message = 0x0261004f15800000004517030300400000000000000001b98cb06ad5a33b6d61e62a62728f25a6b571d54f423fc79aae25f51af5e30b1fdafb12a2506c68349dcdb3bd12e99f5dacbbcc1e8760a817 (7) State = 0xfc98dff8faf9cadd585a7c0a5256b1cb (7) Message-Authenticator = 0xe7d95b4aa7b635f28e7f7014ad5e69d5 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (7) auth_log: --> /var/log/freeradius/radacct/ 192.168.128.34/auth-detail-20200901 (7) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/auth-detail-20200901 (7) auth_log: EXPAND %t (7) auth_log: --> Tue Sep 1 11:52:25 2020 (7) [auth_log] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (7) suffix: Found realm "ucn.cl" (7) suffix: Adding Stripped-User-Name = "wifi" (7) suffix: Adding Realm = "ucn.cl" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) eap: Peer sent EAP Response (code 2) ID 97 length 79 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xfc98dff8faf9cadd (7) eap: Finished EAP session with state 0xfc98dff8faf9cadd (7) eap: Previous EAP request found for state 0xfc98dff8faf9cadd, released from the list (7) eap: Peer sent packet with method EAP TTLS (21) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Authenticate (7) eap_ttls: Continuing EAP-TLS (7) eap_ttls: Peer indicated complete TLS record size will be 69 bytes (7) eap_ttls: Got complete TLS record (69 bytes) (7) eap_ttls: [eaptls verify] = length included (7) eap_ttls: [eaptls process] = ok (7) eap_ttls: Session established. Proceeding to decode tunneled attributes (7) eap_ttls: Got tunneled request (7) eap_ttls: User-Name = "wifi@ucn.cl" (7) eap_ttls: User-Password = "SoporteUcn" (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_ttls: Sending tunneled request (7) Virtual server inner-tunnel received request (7) User-Name = "wifi@ucn.cl" (7) User-Password = "SoporteUcn" (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) NAS-IP-Address = 192.168.128.34 (7) Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 1 (7) Calling-Station-Id = "E4-6F-13-2C-A4-C3" (7) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 11" (7) Acct-Session-Id = "1265B3D4CA450401" (7) Acct-Multi-Session-Id = "E27A7A7004BD7B9C" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027074 (7) WLAN-AKM-Suite = 1027073 (7) WLAN-Group-Mgmt-Cipher = 1027078 (7) Attr-26.29671.2 = 0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373 (7) Attr-26.29671.3 = 0x41502d56312d536f706f727465 (7) Attr-26.29671.4 = 0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649 (7) Meraki-Device-Name = "AP-V1-Soporte" (7) Framed-MTU = 1400 (7) Event-Timestamp = "Sep 1 2020 11:52:25 -04" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: Looking up realm "ucn.cl" for User-Name = "wifi@ucn.cl" (7) suffix: Found realm "ucn.cl" (7) suffix: Adding Stripped-User-Name = "wifi" (7) suffix: Adding Realm = "ucn.cl" (7) suffix: Authentication realm is LOCAL (7) [suffix] = ok (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: No EAP-Message, not doing EAP (7) [eap] = noop (7) if (Realm == 'ucn.cl') { (7) if (Realm == 'ucn.cl') -> TRUE (7) if (Realm == 'ucn.cl') { (7) first_files: EXPAND %{Virtual-Server} (7) first_files: --> inner-tunnel (7) first_files: users: Matched entry DEFAULT at line 93 (7) [first_files] = ok (7) } # if (Realm == 'ucn.cl') = ok (7) if (Realm == 'alumnos.ucn.cl') { (7) if (Realm == 'alumnos.ucn.cl') -> FALSE (7) files: EXPAND %{Virtual-Server} (7) files: --> inner-tunnel (7) [files] = noop (7) first_files: EXPAND %{Virtual-Server} (7) first_files: --> inner-tunnel (7) first_files: users: Matched entry DEFAULT at line 93 (7) [first_files] = ok (7) second_files: EXPAND %{Virtual-Server} (7) second_files: --> inner-tunnel (7) second_files: users: Matched entry DEFAULT at line 93 (7) [second_files] = ok (7) [expiration] = noop (7) [logintime] = noop (7) [pap] = noop (7) } # authorize = ok (7) Found Auth-Type = pam (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) pam: Using pamauth string "pam-imap-radius2" for pam.conf lookup (7) pam: ERROR: pam_authenticate failed: Module is unknown (7) [pam] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (7) reply_log: --> /var/log/freeradius/radacct/ 192.168.128.34/reply-detail-20200901 (7) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200901 (7) reply_log: WARNING: Skipping empty packet (7) [reply_log] = ok (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> wifi@ucn.cl (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> 'pam: pam_authenticate failed: Module is unknown' (7) } # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) eap_ttls: Got tunneled Access-Reject (7) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 97 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> wifi@ucn.cl (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (7) reply_log: --> /var/log/freeradius/radacct/ 192.168.128.34/reply-detail-20200901 (7) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.128.34/reply-detail-20200901 (7) reply_log: EXPAND %t (7) reply_log: --> Tue Sep 1 11:52:25 2020 (7) [reply_log] = ok (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 117 from 146.83.124.26:1812 to 192.168.128.34:39957 length 44 (7) EAP-Message = 0x04610004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.0 seconds. (0) Cleaning up request packet ID 110 with timestamp +23 (1) Cleaning up request packet ID 111 with timestamp +23 (2) Cleaning up request packet ID 112 with timestamp +23 (3) Cleaning up request packet ID 113 with timestamp +23 (4) Cleaning up request packet ID 114 with timestamp +23 (5) Cleaning up request packet ID 115 with timestamp +23 (6) Cleaning up request packet ID 116 with timestamp +23 Waking up in 1.8 seconds. (7) Cleaning up request packet ID 117 with timestamp +25 I apologize if I failed in properly doing your instructions but I'm at loss here. Thank in advance. El sáb., 29 ago. 2020 a las 6:20, Alan DeKok (<aland@deployingradius.com>) escribió:
On Aug 28, 2020, at 7:18 PM, HORMAZABAL PI�ONES BARBARA FRANCISCA < bhp001@alumnos.ucn.cl> wrote:
Greetings, I'm a Freeradius newbie and I apologize if I make mistakes
with
some concepts or get my point across (english is not my first language).
It's fine.
Anyway, I'm setting up freeradius in Ubuntu server 18.04 to authenticate users (teachers, students) through their google accounts (we have a couple of domains for each one), so I was adviced to use the PAM-IMAP module. When trying to authenticate however, it fails going through the eap-peap authentication. I read the output and checked that authentication is invalid in the pam module however I do not know how to fix it.
PAM needs a clear-text password in the RADIUS request. PEAP does not supply one. You need to configure the clients to use TTLS with PAP inside of the tunnel.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html