Thanks for the pointer. The client is using GTC with TTLS. Having a look at the config files remotely I can see the ssl key password is incorrect in eap tls-common config. This will undoubteldy cause an error but surely it would have caused an error earlier? Or at least a more explicit error? Will test tomorrow when I am back in wifi range :) On 14 September 2017 at 13:42, Alan Buxey <alan.buxey@gmail.com> wrote:
client configured with GTC for EAP TTLS ? it looks like its not happy responding to the GTC challenge..
alan
Hi all,
I have a openldap server with hashed password and am attempting to set up WPA-Enterprise authentication. I have enabled the ldpap module and straight authentication usng ldap and pap works. i.e the proxy server authenticates without any problems.
I have the client configured to use ttls and gtc. I have done the same with the eap configuration file. I don't get any error messages in the log file when trying to connect. (I regengerated the ssl certs as hinted at by a previous message but this took away the ssl cert warning but did not solve the problem.)
Below is the debug log output. Trying to understand radius and the whole EAP protocol requires a large amount of effort. I have already understood a lot more than I did 3 days ago but am not at the end of my concpetual models ability to trouble shoot this problem. I have tried setting the Auth-Type: to LDAP in the gtc configuration in the eap conf file as well but the results are the same.
Any help or hints appreciated. From the log file below it looks like the client is not responding to the final Access-Challenge. The only other idea I have is that the User-Password: field is not being passed to the eap process? Not sure how to fix that or if it is the problem.
Thanks
Ready to process requests (0) Received Access-Request Id 224 from 192.168.45.05:37339 to 192.168.45.74:1812 length 166 (0) User-Name = "bob" (0) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Port = 0 (0) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "59B902E8-000000EA" (0) Framed-MTU = 1400 (0) EAP-Message = 0x02270009016d61726b (0) Message-Authenticator = 0x4e878ddb529b319d77ea2abfb3131112 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail- 20170914 (0) auth_log: EXPAND %t (0) auth_log: --> Thu Sep 14 11:19:11 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bob", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 39 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 40 length 6 (0) eap: EAP session adding &reply:State = 0xbdc37936bdeb6cdd (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (0) Sent Access-Challenge Id 224 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (0) EAP-Message = 0x012800061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xbdc37936bdeb6cdd84932144ea25780b (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 225 from 192.168.45.05:37339 to 192.168.45.74:1812 length 339 (1) User-Name = "bob" (1) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Port = 0 (1) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "59B902E8-000000EA" (1) Framed-MTU = 1400 (1) EAP-Message = 0x022800a4150016030100990100009503030a1c1c168f1fe7ca21b8e5ee 873c19ba1e777641a3b13e1cca092bfa7fe66fc100003cc02cc030009fc0 2bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c0 07c011009d009c0035003d002f003c00050004000a00ff01000030001700 (1) State = 0xbdc37936bdeb6cdd84932144ea25780b (1) Message-Authenticator = 0xc6c693312fb56f022f47198c94f4c3c7 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail- 20170914 (1) auth_log: EXPAND %t (1) auth_log: --> Thu Sep 14 11:19:11 2017 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "bob", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 40 length 164 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xbdc37936bdeb6cdd (1) eap: Finished EAP session with state 0xbdc37936bdeb6cdd (1) eap: Previous EAP request found for state 0xbdc37936bdeb6cdd, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Got final TLS record fragment (158 bytes) (1) eap_ttls: WARNING: Total received TLS record fragments (158 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_ttls: [eaptls verify] = ok (1) eap_ttls: Done initial handshake (1) eap_ttls: (other): before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: <<< recv TLS 1.2 [length 0099] (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello (1) eap_ttls: >>> send TLS 1.2 [length 003d] (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello (1) eap_ttls: >>> send TLS 1.2 [length 08d3] (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate (1) eap_ttls: >>> send TLS 1.2 [length 014d] (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (1) eap_ttls: >>> send TLS 1.2 [length 0004] (1) eap_ttls: TLS_accept: SSLv3/TLS write server done (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 41 length 1004 (1) eap: EAP session adding &reply:State = 0xbdc37936bcea6cdd (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (1) Sent Access-Challenge Id 225 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (1) EAP-Message = 0x012903ec15c000000a75160303003d020000390303bfef2af615bb30a1 795e1502febfbbcfaf0829baff49038576161b0bbe9082d500c030000011 ff01000100000b0004030001020017000016030308d30b0008cf0008cc00 03de308203da308202c2a003020102020101300d06092a864886f70d0101 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xbdc37936bcea6cdd84932144ea25780b (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 226 from 192.168.45.05:37339 to 192.168.45.74:1812 length 181 (2) User-Name = "bob" (2) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Port = 0 (2) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) Acct-Session-Id = "59B902E8-000000EA" (2) Framed-MTU = 1400 (2) EAP-Message = 0x022900061500 (2) State = 0xbdc37936bcea6cdd84932144ea25780b (2) Message-Authenticator = 0x5e81d512883c3437d5d7c4b1576509da (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (2) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (2) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail- 20170914 (2) auth_log: EXPAND %t (2) auth_log: --> Thu Sep 14 11:19:11 2017 (2) [auth_log] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "bob", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 41 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xbdc37936bcea6cdd (2) eap: Finished EAP session with state 0xbdc37936bcea6cdd (2) eap: Previous EAP request found for state 0xbdc37936bcea6cdd, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 42 length 1004 (2) eap: EAP session adding &reply:State = 0xbdc37936bfe96cdd (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (2) Sent Access-Challenge Id 226 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (2) EAP-Message = 0x012a03ec15c000000a75318c53693caf5cec07a26c179201b35044f8b0 a36585e88ac8887724d038dace205f76b50f376be76dd9ebe975518e8d82 a931d370995cd79469cd39278883b89faf674e3bc275747a253d0cab0004 e8308204e4308203cca003020102020900acfa1c7c27c4f226300d06092a (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xbdc37936bfe96cdd84932144ea25780b (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 227 from 192.168.45.05:37339 to 192.168.45.74:1812 length 181 (3) User-Name = "bob" (3) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Port = 0 (3) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "59B902E8-000000EA" (3) Framed-MTU = 1400 (3) EAP-Message = 0x022a00061500 (3) State = 0xbdc37936bfe96cdd84932144ea25780b (3) Message-Authenticator = 0x9fd121549085c6c53071b12b8b96285a (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (3) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (3) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail- 20170914 (3) auth_log: EXPAND %t (3) auth_log: --> Thu Sep 14 11:19:11 2017 (3) [auth_log] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "bob", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 42 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xbdc37936bfe96cdd (3) eap: Finished EAP session with state 0xbdc37936bfe96cdd (3) eap: Previous EAP request found for state 0xbdc37936bfe96cdd, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 43 length 699 (3) eap: EAP session adding &reply:State = 0xbdc37936bee86cdd (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (3) Sent Access-Challenge Id 227 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (3) EAP-Message = 0x012b02bb158000000a750101ff040530030101ff30360603551d1f042f 302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f 72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b 05000382010100e3995c54d00cee2fbbc14478b89b75b38a11643e5c1a51 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xbdc37936bee86cdd84932144ea25780b (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 228 from 192.168.45.05:37339 to 192.168.45.74:1812 length 307 (4) User-Name = "bob" (4) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Port = 0 (4) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) Acct-Session-Id = "59B902E8-000000EA" (4) Framed-MTU = 1400 (4) EAP-Message = 0x022b0084150016030300461000004241047d7abad05d5661d82c204f0d 953f0ce6f5b508de608abf44b528fc3897c2f548baacdb60f5cd867ea90d 976f1ad767249c4fc28ba8a810d62bb1102d57fd00e51403030001011603 0300280000000000000000c227b6f946893e02d0eac613069cdc09d93578 (4) State = 0xbdc37936bee86cdd84932144ea25780b (4) Message-Authenticator = 0xb50eb2de770b6149c3752e62afebe833 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (4) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (4) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail- 20170914 (4) auth_log: EXPAND %t (4) auth_log: --> Thu Sep 14 11:19:11 2017 (4) [auth_log] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "bob", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 43 length 132 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xbdc37936bee86cdd (4) eap: Finished EAP session with state 0xbdc37936bee86cdd (4) eap: Previous EAP request found for state 0xbdc37936bee86cdd, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: [eaptls verify] = ok (4) eap_ttls: Done initial handshake (4) eap_ttls: TLS_accept: SSLv3/TLS write server done (4) eap_ttls: <<< recv TLS 1.2 [length 0046] (4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_ttls: <<< recv TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS read finished (4) eap_ttls: >>> send TLS 1.2 [length 0001] (4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_ttls: >>> send TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS write finished (4) eap_ttls: (other): SSL negotiation finished successfully (4) eap_ttls: SSL Connection Established (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 44 length 61 (4) eap: EAP session adding &reply:State = 0xbdc37936b9ef6cdd (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (4) Sent Access-Challenge Id 228 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (4) EAP-Message = 0x012c003d1580000000331403030001011603030028471e30dc08a6d794 f227f69ef0ae81d75a7082e5643ef6c65d9ee2604fcd4f7c55114fc65525a838 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xbdc37936b9ef6cdd84932144ea25780b (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 229 from 192.168.45.05:37339 to 192.168.45.74:1812 length 230 (5) User-Name = "bob" (5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Port = 0 (5) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "59B902E8-000000EA" (5) Framed-MTU = 1400 (5) EAP-Message = 0x022c00371500170303002c0000000000000001595cecb3de730e899e84 a9f3e32a5b344f7831ba3a3b08486ae4ed71c158e57359dded07 (5) State = 0xbdc37936b9ef6cdd84932144ea25780b (5) Message-Authenticator = 0x04079a652bd0207cdffa3715b865b41a (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (5) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (5) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail- 20170914 (5) auth_log: EXPAND %t (5) auth_log: --> Thu Sep 14 11:19:11 2017 (5) [auth_log] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "bob", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 44 length 55 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xbdc37936b9ef6cdd (5) eap: Finished EAP session with state 0xbdc37936b9ef6cdd (5) eap: Previous EAP request found for state 0xbdc37936b9ef6cdd, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: [eaptls verify] = ok (5) eap_ttls: Done initial handshake (5) eap_ttls: [eaptls process] = ok (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: EAP-Message = 0x02000009016d61726b (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Got tunneled identity of bob (5) eap_ttls: Setting default EAP type for tunneled EAP session (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x02000009016d61726b (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "bob" (5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Port = 0 (5) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "59B902E8-000000EA" (5) Framed-MTU = 1400 (5) Event-Timestamp = "Sep 14 2017 11:19:11 SAST" (5) NAS-IP-Address = 192.168.45.05 (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "bob", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 0 length 9 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_gtc to process data (5) eap_gtc: EXPAND Password: (5) eap_gtc: --> Password: (5) eap: Sending EAP Request (code 1) ID 1 length 15 (5) eap: EAP session adding &reply:State = 0x939300d7939206e6 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x0101000f0650617373776f72643a20 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x939300d7939206e632565a4a2d1be287 (5) eap_ttls: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 45 length 63 (5) eap: EAP session adding &reply:State = 0xbdc37936b8ee6cdd (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (5) Sent Access-Challenge Id 229 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (5) EAP-Message = 0x012d003f1580000000351703030030471e30dc08a6d79553ed6a497780 6816b7ccd9f91d3c7e620176ceb206f3a0d52f0918d696626cf670769ccb64d27449 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xbdc37936b8ee6cdd84932144ea25780b (5) Finished request Waking up in 4.8 seconds. (0) Cleaning up request packet ID 224 with timestamp +10 (1) Cleaning up request packet ID 225 with timestamp +10 (2) Cleaning up request packet ID 226 with timestamp +10 (3) Cleaning up request packet ID 227 with timestamp +10 (4) Cleaning up request packet ID 228 with timestamp +10 (5) Cleaning up request packet ID 229 with timestamp +10 - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On 14 September 2017 at 10:32, Mark <mclarke4@gmail.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html