Can you post the whole debug, not just snipetts. Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this.
Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand. Leighton rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x0203000d01636d73786c656967 Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap_staff] performing user authorization for cmsxleig [ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0 rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) rlm_ldap: object not found or got ambiguous search result [ldap_staff] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap_staff] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} [ldap_student] performing user authorization for cmsxleig [ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0 rlm_ldap: bind as cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to burns.hud.ac.uk:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...} ++++[control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 36 to 10.127.240.217 port 1645 EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455de567c927acd591e49a319b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020400060319 Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455de567c927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap_staff] performing user authorization for cmsxleig [ldap_staff] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_staff] expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) rlm_ldap: object not found or got ambiguous search result [ldap_staff] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap_staff] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++- entering else else {...} [ldap_student] performing user authorization for cmsxleig [ldap_student] expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=cmsxleig) [ldap_student] expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> ou=students, dc=ad, dc=hud, dc=ac, dc=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig) [ldap_student] looking for check items in directory... [ldap_student] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap_student] user cmsxleig authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_student] returns ok +++? if (ok) ? Evaluating (ok) -> TRUE +++? if (ok) -> TRUE +++- entering if (ok) {...} ++++[control] returns ok +++- if (ok) returns ok +++ ... skipping else for request 1: Preceding "if" was taken ++- else else returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 37 to 10.127.240.217 port 1645 EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455ce47ac927acd591e49a319b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=38, length=265 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x0205007019800000006616030100610100005d030149b7c1aeab2f6dbd3b06e21c6335a864e2b6c1c3aa77dea8567f202a7b06e0f3000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 Message-Authenticator = 0x6db5036a3ae4bb0b29d1397a150437a8 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455ce47ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 38 to 10.127.240.217 port 1645 EAP-Message = 0x0106040019c00000088b160301002a02000026030149b7c1ac6f4ea7d744b484ea8dccf4252ea401fae4499880c49c39adb8cfd33900002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303330393131353330315a170d3130303330393131353330315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e0f486a32a63ea8c5f3be2dab6e7754cd4040e44619a48776d26127a632b2861ffb099f624a244a369c00d4a7a745f1508321fb0dde8001f47ffabb2baef EAP-Message = 0x4475eb993d9ca3fab222f7778ccce5dddb7f7c64c8dddb7a11a78531638cbfb59d489e2b201f77d4356a225c1dba8245c94f56a5081e79adea5d3624467c7135be351a4d011edc230aa13d0526e25f817ade783433d4b1dfc075dc514252532b27be4bedbc950c25829ce0606629a6a31dd6294304890f737d959542eeccb023666d43df003953b971d5bf1ebbcea37f4912761ea19f914bebad71acb985bce93ec2af6c366e87640db363d1e613cba97d236e5add9ff9eed22e5d4b6ee772edfc7d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010082e17a19587d75cd61 EAP-Message = 0xf93fd77c415b6e117856f4c728a4b787d05d8dfe3e21bd16753db864dd2e1f152688a0574c880fb6b38bb533de26f7267fd9b3477956e5c66d9c9a60f5516642321fde34863335c06b0b344c956a63911707606633a6bb20fcad4eb7b8180e324a32ef4e0f35343d82ad7d2f23848acfe1d9adddd61de8de51159533b5ebe52be9de278593d1cbfbb647a711dd3c930442aaf5a8ce71d31b7bf6162326dcb3be1c601c559d062a1b9e5a79938bd6282492e574a71da3766c8029614c21322945cf420ea1ac171c6769051fc9038e02283a72c7ca64e37ffc21528918a951fcd9a5b1959cfef34aa6fb5606bbfb82623872718bf280538d00049b308204 EAP-Message = 0x973082037fa0030201020201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455fe77ac927acd591e49a319b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=39, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020600061900 Message-Authenticator = 0xb1a47b6e94e316447e41877f2a847ed6 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455fe77ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 39 to 10.127.240.217 port 1645 EAP-Message = 0x010703fc194000300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303330393131353330305a170d3130303330393131353330305a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577 EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4760f3fe6fe399f5be030fd803543f5958cfd8ae679612b56700ac92f876a34b2aa7e1a1c665bf3f5852977d2fa28126ab3927360676ddeebebdbb7d229ad64b337146ead10468e405f2558d2b9d11e73cbe6a53ee9411775b5f0ea978bac53b78f8572f81aa54fe86bdef98e946e1cab364bd0631763 EAP-Message = 0xed10dba2e049d5f20a1423d1ef5010cc3da9e9b3a3f11c539b11e0c9a4e22cec5c1161598b385db5214dd21f8799c55906f9ef75ce77d9b58ca609664f13c3db7d6c94e168d7d45c54d86e2b8477806570d6302aeba2c2f0f3058f6047a0e24d9b77009e93467144011b475874ea9cc09365d2cb861eb3a7b9d237489746fe59f7076db06bf2e3e30b0203010001a381f33081f0301d0603551d0e04160414abd501507cc9d78a8278093949d47c0c35eb38393081c00603551d230481b83081b58014abd501507cc9d78a8278093949d47c0c35eb3839a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975 EAP-Message = 0x733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101004ae49fb5afa9a0e756198402b0668357d21c879707a9426a0cd2d1d5b57e76d56f3bcb9b6195a5e3f5d20654371234d6a94f3c8ddb836aac3e73f6856b072fe19e3b29e1e3e6bacb5b04bfabbef33fa3033fdac3a6f992edc70efa0593bac9a26577 EAP-Message = 0x39df2f69b8aa23b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455ee67ac927acd591e49a319b Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=40, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020700061900 Message-Authenticator = 0x014fc3a1d0d55913f78f89a13d8776d1 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455ee67ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 40 to 10.127.240.217 port 1645 EAP-Message = 0x010800a519004c501cf4cabac8631623dbda4db158d1ac52dad5e46001166444635b465ea4b801cc6a60eb9306b4f7e418a95a16b9c0f8dbe94d4673fe8cb5cd9565a3d51d03425ae8171fb37917ee224a648f84b9b0d3d4c6fb2d4bba7cbae284ca0ee09edf3ef60f454eb751316f7df0d3b877b5d9c3f16bab23828fd6935dadb8007d6ecf8a89741fa608c51873c1a1a2db818e3f8bee7d73fd5316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634559e97ac927acd591e49a319b Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=41, length=491 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x0208015019800000014616030101061000010201002c95a9c6250c5436c12a1a8a4cab44c1f93ed567306cbc33d37de3d4c13d89310ce71779710ab5229309ee9fb224653da882814609f40f33791749952104bcc025e0f1a0f24c40dfe0de8f8f13f9a3047f3837b6abb3707b294d35c5e5e750b45996a3a6c2e60e3331466cee191731cd9a2c9ae6e3636725fe5de936989cece0e793eacd65904bfb68dba0ed5efc10ed5754838c33fc42878890c81852bd1eefdab8653f0cdaf9a738d2e69fbbe9474f36eac05950ef331f6c4af69d0593125118fa284c8eb920a6768a58979078a159a81dae0ad8fda8b0ec6352b9a474dea41ec69dcc1540f858 EAP-Message = 0xcc65716966474d97f1d09f94e1e7c5dd97700e9a207431e614030100010116030100309f33527bc6c37cc1b398772be7b61bcbd1f7b84656772a339937480ec216eaaac58902a3079c17c5e168f535e65d8cf2 Message-Authenticator = 0x4022f3dcf9eb58a9ab62621ab615cd42 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634559e97ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 8 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 41 to 10.127.240.217 port 1645 EAP-Message = 0x0109004119001403010001011603010030361b56b20c41691b4f426dff7f2ad4894816568ad01864f4f67f9cc47f9c6616af70c9c8a11649b30091e576a2da1cb7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634558e87ac927acd591e49a319b Finished request 5. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=42, length=159 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020900061900 Message-Authenticator = 0x4808cbbee6269aa33148b8676dda8818 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634558e87ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 42 to 10.127.240.217 port 1645 EAP-Message = 0x010a002b19001703010020a77557a3286e24cac6b15b0aeb79555638904414d9fbd5a819655603459d9a0f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455beb7ac927acd591e49a319b Finished request 6. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=43, length=196 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020a002b19001703010020eea35b9513930a5db7b16a7b8feb65acbeac46a368b5de191dafbb3b6d2a25eb Message-Authenticator = 0xaa3b637009406a52001d206bc4b55204 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455beb7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - cmsxleig [peap] Got tunneled request EAP-Message = 0x020a000d01636d73786c656967 server { PEAP: Got tunneled identity of cmsxleig PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to cmsxleig Sending tunneled request EAP-Message = 0x020a000d01636d73786c656967 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cmsxleig" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 10 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00221a010b001d10ffb9aa2a11578ce200343aaa418bfec9636d73786c656967 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7745cb6204cdbc439a2405d2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00221a010b001d10ffb9aa2a11578ce200343aaa418bfec9636d73786c656967 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7745cb6204cdbc439a2405d2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 43 to 10.127.240.217 port 1645 EAP-Message = 0x010b004b19001703010040f2043b3eda010e357d940971e35f409540d5919f5fb9ad76d18e77f4ff187dc5292d0bb7f34346fbe2775e56e24e6aa18c3fd39c685328b40cd51ad6b4e0f194 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de163455aea7ac927acd591e49a319b Finished request 7. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=44, length=260 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020b006b190017030100600cc1c638a3d913ce9ae454e7877dae26ab957df3f61b1854e3bb157c0632368ef73804859b340b0163e2367e579279a01fae7d896c73e938132b2624c277e9695721e02704708a31dfafe99089bbeac3570e76f1e0013abaf54458c0ce5d0e55 Message-Authenticator = 0x222c9aae92494ff78b6adb03ccae5c44 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de163455aea7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 11 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b00431a020b003e312e204239aed55c69cf85e06acc07e01e0000000000000000efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee3900636d73786c656967 server { PEAP: Setting User-Name to cmsxleig Sending tunneled request EAP-Message = 0x020b00431a020b003e312e204239aed55c69cf85e06acc07e01e0000000000000000efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee3900636d73786c656967 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cmsxleig" State = 0x774ed13b7745cb6204cdbc439a2405d2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 11 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for cmsxleig with NT-Password [mschap] expand: --username=%{mschap:User-Name} -> --username=cmsxleig [mschap] mschap2: ff [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cd174960e64892c4 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=efe90dcf578043bbfc1188f4eb3f004b7dd9695559d1ee39 Exec-Program output: NT_KEY: 35ADC25F14496E3A8B5B3EC7E1D9E2E9 Exec-Program-Wait: plaintext: NT_KEY: 35ADC25F14496E3A8B5B3EC7E1D9E2E9 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010c00331a030b002e533d35424437413739444339353241463641324443353539423733343236453841433734364246343735 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7642cb6204cdbc439a2405d2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010c00331a030b002e533d35424437413739444339353241463641324443353539423733343236453841433734364246343735 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x774ed13b7642cb6204cdbc439a2405d2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 44 to 10.127.240.217 port 1645 EAP-Message = 0x010c005b190017030100501c537d1a5a82418315fd235711df9b767768e5b09642bc8f0e20915aa3f018d2b8f6171d8cc02dfde46b8fb44eecd88d9f420d88fb5399de0e217eda274321e48a733969f5d78f750197ad251d6c3ea9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634555ed7ac927acd591e49a319b Finished request 8. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=45, length=196 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020c002b19001703010020eeea80c427ae52b88611ecdffbebc327c99f58f5ea94a7c63fcd140576f462d6 Message-Authenticator = 0x2720a841e60e010671b3f15ea60f83bc NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634555ed7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 12 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020c00061a03 server { PEAP: Setting User-Name to cmsxleig Sending tunneled request EAP-Message = 0x020c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "cmsxleig" State = 0x774ed13b7642cb6204cdbc439a2405d2 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 12 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "cmsxleig" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "cmsxleig" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 45 to 10.127.240.217 port 1645 EAP-Message = 0x010d002b190017030100201a408b6dd31ee818348d93b79251401690a60378f8dbf01292e53f3864354f92 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5de1634554ec7ac927acd591e49a319b Finished request 9. Going to the next request Waking up in 4.2 seconds. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=46, length=196 User-Name = "cmsxleig" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1B-54-DB-BB-01" Calling-Station-Id = "00-1B-63-B0-C9-E9" EAP-Message = 0x020d002b19001703010020d343176158acf8e2a0e5b7e6603cd4b92b47f02bd41ff6b133e3f09978ac0a09 Message-Authenticator = 0x3eb31b44a57adfaa84fc8cad44729966 NAS-Port-Type = Ethernet NAS-Port = 50001 NAS-Port-Id = "FastEthernet0/1" State = 0x5de1634554ec7ac927acd591e49a319b NAS-IP-Address = 10.127.240.217 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "cmsxleig" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 13 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == "ldap-student") (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 46 to 10.127.240.217 port 1645 MS-MPPE-Recv-Key = 0xe4a8a039b0329307e40bd293849cffd24a04d4e668d687e7adc4c9fa6340693b MS-MPPE-Send-Key = 0x788fca79956ede0a43ce8bda8458a97a28fcded1a7d55b74d104d727a46b1024 EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "cmsxleig" Finished request 10. Going to the next request Waking up in 4.2 seconds. Cleaning up request 0 ID 36 with timestamp +29 Cleaning up request 1 ID 37 with timestamp +29 Cleaning up request 2 ID 38 with timestamp +29 Cleaning up request 3 ID 39 with timestamp +29 Cleaning up request 4 ID 40 with timestamp +29 Waking up in 0.2 seconds. Cleaning up request 5 ID 41 with timestamp +29 Cleaning up request 6 ID 42 with timestamp +30 Cleaning up request 7 ID 43 with timestamp +30 Waking up in 0.1 seconds. Cleaning up request 8 ID 44 with timestamp +30 Cleaning up request 9 ID 45 with timestamp +30 Cleaning up request 10 ID 46 with timestamp +30 Ready to process requests.