On 06/07/2011 11:20 AM, Nitin Bhardwaj wrote:
On 07/05/2011 06:03 PM, Nitin Bhardwaj wrote:
Hello All,
I'm using FreeRADIUS 2.1.11 as a proxy for authenticating PEAP clients with RADIUS server not supporting EAP.
All is working well except that when I use "proxy_tunneled_request_as_eap = no" in eap.conf, FreeRADIUS is not passing back all the AVPs sent by RADIUS server in Access-Accept(MSCHAPv2) to the Client, only few ones.
Be specific. Which ones?
Better yet, show a debug of it not working.
But when I set it as "proxy_tunneled_request_as_eap = yes", FreeRADIUS is relaying back all the AVPs received from the RADIUS server properly.
eap.conf: ------------ eap { peap { copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" } }
Hence, in spite of setting "use_tunneled_reply = yes", why isnt FR copying all attributes in Access-Accept back to client ? Is this some bug, fixed in 3.x ?
3.x is not released yet.
I don't think there are any fixed related to this in "master" (to become 3.x) but there might be; please provide more details as above, so we can try to reproduce.
Sorry, I was not clear enough earlier. This is an issue same as the one mentioned in this query: http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-September/ms...
The RADIUS server is sending the following extra AVPs in Access-Accept to FR: Session-Timeout = 300 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" Tunnel-Type:0 = VLAN
But FR is eating them up while relaying the Access-Accept back to Client.
The Access-Accept from RADIUS server is as follows: ---------------------------------- rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, length=252 Proxy-State = 0x323036 Session-Timeout = 300 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" Tunnel-Type:0 = VLAN Framed-Protocol = PPP Service-Type = Framed-User Class = 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375 MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63 MS-CHAP2-Success = 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537 MS-CHAP-Domain = "\tDEV" ----------------------------------
But the relayed Access-Accept to client is: ---------------------------------- Sending Access-Accept of id 208 to 172.18.10.13 port 48852 User-Name = "meru" MS-MPPE-Recv-Key = 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16 MS-MPPE-Send-Key = 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 ----------------------------------
My settings are as follows: eap.conf: -------------- eap { tls{ //Usual stuff <snip....> } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" }
mchapv2 { } }
sites-enabled/proxy-inner-tunnel: ----------------------------------------------- server proxy-inner-tunnel { authorize { update control { # You should update this to be one of your realms. Proxy-To-Realm := "DEVLAB" }
authenticate { eap } post-proxy { eap } }
FR relays all packets properly back to Client when I use "proxy_tunneled_request_as_eap = yes" in eap.conf. But I cannot do that way because the RADIUS server doesn't understand EAP at all - I need to send a plain MSCHAPv2 in the inner request. I thought using "use_tunneled_reply = yes" should have caused FR to relay back all the AVPs back to outer tunnel, but its not working.
The full log is as follows: ------------------------------------------------ [root@nitin-centos ~]# radiusd -X FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 5 2011 at 19:03:48 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm DEVLAB { authhost = 172.19.6.4 secret = meru2002 } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 172.18.10.13 { require_message_authenticator = no secret = "meru2002" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "proxy-inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server proxy-inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking post-proxy {...} for more modules to load } # modules } # server server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 44579 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=198, length=152 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x02010009016d657275 Message-Authenticator = 0x960d94c0685c6dd5ba509de67f73d37a # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 198 to 172.18.10.13 port 48852 EAP-Message = 0x0102001604109fe03af8d36fe702cf4550cf1f8c0622 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7afde108730ebe85102c777b46 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=199, length=167 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020200060319 State = 0xfde30c7afde108730ebe85102c777b46 Message-Authenticator = 0x9f1b4526ff2f96a96aae56daf8c0c317 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 199 to 172.18.10.13 port 48852 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7afce015730ebe85102c777b46 Finished request 1. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=200, length=243 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x0203005219800000004816030100430100003f03014c32bfcfbdd3039d0bcab75c921dd349c355de3f12bc41174c7fdd579d1e3c9200001800390038003300320016001300660035002f000a000500040100 State = 0xfde30c7afce015730ebe85102c777b46 Message-Authenticator = 0xcb652a53a53fcfdfa58375d9b220dd1f # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 82 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 72 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0043], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 200 to 172.18.10.13 port 48852 EAP-Message = 0x0104040019c000000aad160301002a0200002603014e13f11e0d4506fb9ff964758407af4d4a824f4f4b5ece856b606e06258e0c2800003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303730353133343634375a170d3132303730343133343634375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c62489fe8f25360bcf54e00e5504239ff4a63a0527f6a6a3056b6c5acee49a33fa8876b189c35a2995c50e04c5228612d1d4786d0ae26d91876ecc895ccb EAP-Message = 0x32872a0bbdd7c8b7c1a174e096e7b018f8f0bf7baf0ae841dd934974f5bcfff09a0183ced606e5862cb0c306cedc7d566f0433d59da9b782dbdd5200473b793b5f54672bc83e38ff345224996e3f80bc10162ebd81809ac1eb27c50cfd44d5a25268be450b5c3bc19d2a7213a0210f6a98d0a4b2bc9b8bdb7b13c20d93fe5e502d4a54483cdf5f0cea7dbd00f94247418293b57d04dfb3b950afb1d1a537b72e4e61f88cb4983152cf0e9aa6f6137a870a7dea3061c504af04f0f328cc63e1cff4550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007b97bb0db325b70a48 EAP-Message = 0xa3020e155a9b286a8b9bcc15ae1bd01a59f947bb34d6ac55d476e54d8aae86184368e2d6050a2cc11d3bfd2f10330799cf718a5288efa67c70957413f721eada58a5241ed0638b9ce2c183d991857700090a54bc7aad25922184a1df1d632b344994c97ed658089f518ed19a8c19a806c1c17787a753c2c36be6f69d9a414498114cab4dcf2b71bfa17392586bcabfbd2769afd2a947d79ff582a6668dd3421dad3721fd8fd39c20232336a39da35d0f5a90ab49f992246413c4dd695ab1d341246454f08d62dfcdfd351c55c0b60e5be5ca56cd2418ff42733dcc8c58ce26e28af04e4d9cbaec3bdb6741e393d3c7a79613b5df9fe4390004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7affe715730ebe85102c777b46 Finished request 2. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=201, length=167 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020400061900 State = 0xfde30c7affe715730ebe85102c777b46 Message-Authenticator = 0xb44bb5aa230ad5e60d13eddafd1dbe7c # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 201 to 172.18.10.13 port 48852 EAP-Message = 0x010503fc194000938269734f3cf5bf300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303730353133343634375a170d3132303730343133343634375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a90f1b4e1a7a1f8b41485334f6fcb4be169ba9f5fe114d0b0a1bc70eef1462c110b6e20ce17292c98beb45757e3b9b936eacbd0125080b244f9d776f0f0406abcc2fd33fd75c72fa4fe73532404acc189f8b663bd94ffecb37ad0a83f0a510e92b35ad219ac275d4fae60a8cbe47d8 EAP-Message = 0xf8eadd6536322afb14b2540c9345f8a02f099b3453a28a0392d140bd4764c75880bd5db3be5c3117438d9400bcfdca3be386526fb8f618411c1a2fbe56c52ddb0cbdfc118d0912bd1883228832306baaa83b8e8672a3ecefcdd3d9a745d1d4424cfef46993103704d12820497b57f3e94df7cb5d887cae556cdc46f992bf3f1d757d45cb94aed0d70dc4fc949256fa1c4b0203010001a381fb3081f8301d0603551d0e04160414f565b2f3ff7d52b7d92e678d3843de8ac3b371ee3081c80603551d230481c03081bd8014f565b2f3ff7d52b7d92e678d3843de8ac3b371eea18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900938269734f3cf5bf300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009f7c151e0351bf12ef597651afcf6e5f732ebf175e33af8e2adbc6c8ff64078592e069b00a5e1fcece5d05331068acd01e78d0a65ea5eca85a41b7a948a4073a2e7baec6f88652eeec66a47c8d73f77f6fd2 EAP-Message = 0xe005f788e24cb66e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7afee615730ebe85102c777b46 Finished request 3. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=202, length=167 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020500061900 State = 0xfde30c7afee615730ebe85102c777b46 Message-Authenticator = 0xe812ebc412f80a25bd7498462aa6e62b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 202 to 172.18.10.13 port 48852 EAP-Message = 0x010602c719008ed1e209185a65d79ce3ef916051889d7bdaeb3525ffc5107d08ca060e538707279d6c7c4d00bd7e2cd644f85b28e438ef74ff013334cc24decd6b574a1df5f73441a4d7b07cf0e5ea79111f624a738780e8bc2564e305a43e8ad9df004a59d0e07b4f5a177c45ca420b747f76ad21feec38781f5164e77d33c6e27a51073ec20c671d919da22056a657f540198bea9e10816a61c4a3f7c8e4f210b734fabf9c012baca0786d160301020d0c0002090080bb53fc5d6c82b9ab4ed79feb313de75ac8e65c23fdb6bd4a6662e6b46bfd437f4f52e12048d2b6e3755cf5e2714aac141168d560132d2b4764c9e36e9ac301c108e84436571a EAP-Message = 0xf39b55d3596d9bc06850cc9c280dbf6d24f184fe467b90eefb82ae300805a960cd120caeb2b25d9cc64ec6a159c8bc689297e0f7e839ae89defb0001020080b9306e9f87fa00bb87ab9eaa2de2397c994a34a022fafc638aa95eb6e027a8b7ce8388e02d2059a8fcb2a166325998c894cef051b5a5fb688119391fc6ff5a9252191c6ffbdf22762b1b4f3bd5351bb1e94e04e9b71ac318acc8d993140cd8c54e50f583db0dd6c717123d98bb965470aea9eda8dda4bf76717d9f6db1dae8b60100ad862e37923fd73a6b93a8e135f62aa075a591f7ff6b5b147499e74a5895975e758ec48330cc84ea86cda010de172c7438d4fb7bf7f4bb1c28e82575 EAP-Message = 0x3f7656fad6b6db3b6aabdf97a039bc944b257676000e58f16d041545e8fe965412ce2178d6a7ae69499986dfe99ff955bfb985a49e9d05107ad218622a99f5d29a5bfe8d3acfc5f156e04d700d611c1d5cb3e00e6ba986f8bf5b236c8741b5fa3293ddae6e0279c613fdd72d68af1f6ad512d9b858f59dae29a4b945235c89fe55ce40e14b58dc51c80f253c9a3e8ecfdf22fab4d162dbc87ebb06093cd02e3dd6bae646050ab8642ecf14213423f142f8ea4d35243dd51660446270dbdf7fd2ef48280b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7af9e515730ebe85102c777b46 Finished request 4. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=203, length=369 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020600d01980000000c616030100861000008200809a0c1bb68594ead0d108df37ab090c5ae82bbe69eee7b73f693f11bc68cd29f637eb8f4faf9a272f513c954cfcea094707e2af32c4e2b55d3a646126d249fd5fb7e1bd4e8288bf086aae28b808135864eb005218ea8d9a54481f4d43c7fb5368814aaac3a63100a32249d7e68f3b9dccf0d922c2d12c9c2b146232e496fe0bc81403010001011603010030840c77df284213f438f3551d62a3d4c9470e0ea6366e1b39d34f137f5c78d2891eb30875669d688fccf0e61e1da243c6 State = 0xfde30c7af9e515730ebe85102c777b46 Message-Authenticator = 0x88bb2bb9ca1a313aee2de681d281f0c3 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 203 to 172.18.10.13 port 48852 EAP-Message = 0x01070041190014030100010116030100303b23c31a29c705c25db0839a53e947b05d465fbd30c13653d3b8352bd088325b17a3151fd321e457c5d469e8ca818560 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7af8e415730ebe85102c777b46 Finished request 5. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=204, length=167 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020700061900 State = 0xfde30c7af8e415730ebe85102c777b46 Message-Authenticator = 0xb1f44972992610c36bf8c5898b636d38 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 204 to 172.18.10.13 port 48852 EAP-Message = 0x0108002b190017030100206d1d6355f7e57d3754317857539e1a39325b6ecef30c90efef64a20af81c024f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7afbeb15730ebe85102c777b46 Finished request 6. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=205, length=204 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x0208002b19001703010020625a119fe356dba5d6f7cf76e4d054c2241fb52f16778532b4f8004d14d1d4a6 State = 0xfde30c7afbeb15730ebe85102c777b46 Message-Authenticator = 0x2c2cd6601cd01b1317d2dc7594348bc0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - meru [peap] Got inner identity 'meru' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02080009016d657275 server { [peap] Setting User-Name to meru Sending tunneled request EAP-Message = 0x02080009016d657275 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" server proxy-inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group authorize {...} ++[control] returns notfound } # server proxy-inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Cancelling proxy to realm DEVLAB until the tunneled EAP session has been established [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0109001e1a01090019105ba435e766423f0a72c901045f0a25886d657275 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 205 to 172.18.10.13 port 48852 EAP-Message = 0x0109003b1900170301003089452af1f3e64ab01e961a4b2dc9b0c13a90fc86e1da452b46c781c6c3aa4e465324742d29a8a5983bddf45bec669947 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7afaea15730ebe85102c777b46 Finished request 7. Going to the next request Waking up in 4.2 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=206, length=252 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x0209005b19001703010050934ee8273bff98e2ce4cd7af01b43419b36b17024edcb9e1f3fb99cb52c22c03c0b565e7a69dbe1424a68753ec8c2f2a596ac4a666a04d1dc85112f833bda916d4fcec71ffe2ee65140c2e8d059be1b0 State = 0xfde30c7afaea15730ebe85102c777b46 Message-Authenticator = 0x891db7ed9a95c5ffd9b0b427cac19ead # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275 server { [peap] Setting User-Name to meru Sending tunneled request EAP-Message = 0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "meru" State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" server proxy-inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group authorize {...} ++[control] returns notfound } # server proxy-inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to DEVLAB PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 61 to 172.19.6.4 port 1812 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588 MS-CHAP2-Response = 0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8 Proxy-State = 0x323036 Proxying request 8 to home server 172.19.6.4 port 1812 Sending Access-Request of id 61 to 172.19.6.4 port 1812 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588 MS-CHAP2-Response = 0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8 Proxy-State = 0x323036 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, length=252 Proxy-State = 0x323036 Session-Timeout = 300 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" Tunnel-Type:0 = VLAN Framed-Protocol = PPP Service-Type = Framed-User Class = 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375 MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63 MS-CHAP2-Success = 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537 MS-CHAP-Domain = "\tDEV" # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-proxy {...} [eap] Doing post-proxy callback [eap] Passing reply from proxy back into the tunnel. server proxy-inner-tunnel { [eap] Passing reply back for EAP-MS-CHAP-V2 # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group post-proxy {...} [eap] Doing post-proxy callback rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8c91600 2. rlm_eap_mschapv2: Authentication succeeded. MSCHAP Success ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. } # server proxy-inner-tunnel [eap] Final reply from tunneled session code 11 Proxy-State = 0x323036 Session-Timeout = 300 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" Tunnel-Type:0 = VLAN Framed-Protocol = PPP Service-Type = Framed-User Class = 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375 MS-CHAP-Domain = "\tDEV" EAP-Message = 0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c [eap] Got reply 11 [eap] Got tunneled reply RADIUS code 11 Proxy-State = 0x323036 Session-Timeout = 300 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "12" Tunnel-Type:0 = VLAN Framed-Protocol = PPP Service-Type = Framed-User Class = 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375 MS-CHAP-Domain = "\tDEV" EAP-Message = 0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c [eap] Got tunneled Access-Challenge [eap] Saving tunneled attributes for later [eap] Reply was handled ++[eap] returns ok Sending Access-Challenge of id 206 to 172.18.10.13 port 48852 EAP-Message = 0x010a005b1900170301005017c5dbce0bb69cfd09fd41a5773d61f811bcf2ce164c32346899a98a231010fef71b89c1aed9412bc615a0d2c86595e420e4bd7f3538b748e8825b5f7c275e51bab5a82ae5c4c15e303ccdbd9e909e1a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7af5e915730ebe85102c777b46 Finished request 8. Going to the next request Waking up in 4.1 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=207, length=204 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020a002b1900170301002010d201aca04a28ed500660ad0ea279183cf64cf8c3a2e5946a86d43567c9b7f7 State = 0xfde30c7af5e915730ebe85102c777b46 Message-Authenticator = 0xab4fe0c669c7850b88ad0a2ede3087e2 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { [peap] Setting User-Name to meru Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "meru" State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" server proxy-inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group authorize {...} ++[control] returns notfound } # server proxy-inner-tunnel [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63 MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "meru" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 207 to 172.18.10.13 port 48852 EAP-Message = 0x010b002b19001703010020972594e10347244aac063470d19ff9c07f0b89472a6262ae06b555a8f266d39c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfde30c7af4e815730ebe85102c777b46 Finished request 9. Going to the next request Waking up in 4.0 seconds. rad_recv: Access-Request packet from host 172.18.10.13 port 48852, id=208, length=204 User-Name = "meru" NAS-IP-Address = 172.18.10.13 NAS-Port = 2049 Called-Station-Id = "00-90-0B-0A-9A-90:Starnet" Calling-Station-Id = "00-1A-73-9D-9D-02" Framed-MTU = 1250 NAS-Port-Type = Wireless-802.11 Framed-Compression = None Connect-Info = "CONNECT 802.11a" Chargeable-User-Identity = "\\0" EAP-Message = 0x020b002b1900170301002079ae2531cb0c20ac94b1150652cc1a83e2ebe697fe10e6d64b4a03ffd8f8bae1 State = 0xfde30c7af4e815730ebe85102c777b46 Message-Authenticator = 0xc8d498ff15ea96988f74edada8e319c1 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "meru", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "meru" [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 208 to 172.18.10.13 port 48852 User-Name = "meru" MS-MPPE-Recv-Key = 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16 MS-MPPE-Send-Key = 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 10. Going to the next request Waking up in 3.9 seconds. Cleaning up request 0 ID 198 with timestamp +37 Waking up in 0.1 seconds. Cleaning up request 1 ID 199 with timestamp +37 Waking up in 0.1 seconds. Cleaning up request 2 ID 200 with timestamp +38 Cleaning up request 3 ID 201 with timestamp +38 Waking up in 0.1 seconds. Cleaning up request 4 ID 202 with timestamp +38 Waking up in 0.1 seconds. Cleaning up request 5 ID 203 with timestamp +38 Cleaning up request 6 ID 204 with timestamp +38 Waking up in 0.1 seconds. Cleaning up request 7 ID 205 with timestamp +38 Waking up in 0.1 seconds. Cleaning up request 8 ID 206 with timestamp +38 Cleaning up request 9 ID 207 with timestamp +38 Waking up in 0.1 seconds. Cleaning up request 10 ID 208 with timestamp +38 Ready to process requests. -----------------------------------------------
Please help.
-- Nitin.
Hi, Found out that this works perfectly fine in freeradius 3.0.0 (master git branch). Can anyone please suggest which patches I need to back-port to 2.1.11 to make this work in 2.1.x branch too ? -- Thanks, Nitin.