On 4/19/12 4:18 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
Wassim Zaarour wrote:
Hi Alan, and thanks for your reply, I don't want to paste the output here coz its large, should I attach it or paste here anyways or??
You can follow instructions, or you can be unsubscribed and banned from the list.
When we ask for the debug log TWICE, the response shouldn't be "should I post it?" The response SHOULD be to post it.
Just like everyone else does.
Daily on this list.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Below the output of radiusd -X Appreciate the help. FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jul 19 2011 at 1 0:16:18 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.8 { require_message_authenticator = no secret = "testing123" shortname = "localhost" } client 192.168.0.0/22 { require_message_authenticator = no secret = "testing123" shortname = "private-network-1" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expirati on expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/m odules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap ldap { server = "192.168.1.40" port = 389 password = "Hayalla5" identity = "" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "o=navbey.com, dc=navbey,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-U serDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Ne twork rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group- Id conns: 0x134f7b8 Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preproce ss preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_un ique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NA S-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d " header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/r addb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=211, length= 119 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000701706b Message-Authenticator = 0x9ae593aebf9c52b1e02301b1b14ad375 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 192.168.1.40:389, authentication 0 [ldap] bind as /Hayalla5 to 192.168.1.40:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=p k) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 211 to 192.168.1.8 port 1645 EAP-Message = 0x01010016041079a9375f2ecae9fbad432dffd46c8a70 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488505d64c198fb22dc79c936aef Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=212, length= 136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488505d64c198fb22dc79c936aef EAP-Message = 0x020100060315 Message-Authenticator = 0xfce1c51f41d8a8841a47d753a647b272 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pk [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> pk [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk) [ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=p k) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user pk authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 212 to 192.168.1.8 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488504d55d198fb22dc79c936aef Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=213, length= 294 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488504d55d198fb22dc79c936aef EAP-Message = 0x020200a415800000009a16030100950100009103014f901334c909cf 125f752b6d60c7ab2cd4506453387a9225c1a27ad315372805000056c00ac009c007c008c01 3c014 c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000 60032 0033003800390016001500140013001200110034003a0018001b001a0017001900010100001 2000a 00080006001700180019000b00020100 Message-Authenticator = 0x2b8b499cccf5cdd88941980aaef40146 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 154 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 085e], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 213 to 192.168.1.8 port 1645 EAP-Message = 0x0103040015c00000089b160301002a0200002603014f9013280467e2 a9849b1aaca60adb81e33c1f390e8934f4d18cf1902014402700002f00160301085e0b00085 a0008 570003a6308203a23082028aa003020102020101300d06092a864886f70d010105050030819 3310b 3009060355040613024652310f300d060355040813065261646975733112301006035504071 30953 6f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092 a8648 86f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457 8616d 706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3132303431393035323632305a170d313230363138303532 3632305a307c310b3009060355040613024652310f300d06035504081306526164697573311 53013 060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652 05365 727665722043657274696669636174653120301e06092a864886f70d010901161161646d696 e4065 78616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010 a0282 010100d8e5bb5cefd0db1624fbbcbba0a02f4d2b23a12f9f0ea9d1f96dc0ef3a08536f4096b 8cb43 4aac77b625bb7610ea5eafdcba502cc3c094f74c16743d6ec1 EAP-Message = 0x6f4a8104cc5b98ea30fb86287bf0906ed458604e63412a6339c8bf25 fd7f627131a6219db5e5d5f56460df027982eb5b1ca3b59a2fd27666fb7016df166162fe720 c659f 959cb04266ced87b083b6641a431d002b996fdb4c342b0205c9d2d70878caebee08fc19402b 6867a f343fe3a43a740bc44c66fcf993bc6c9812377983bcee8f5562d0974abc6142d95c3d582403 fcf5d d9d5403fca88bb28eaec1cddafe9d23d1d17e804eb15da303e169756418be76cb204ce0c8bc be428 ceb75995cd2b0203010001a317301530130603551d25040c300a06082b06010505070301300 d0609 2a864886f70d010105050003820101009e6cc83de144237e09 EAP-Message = 0xce61668125af89da7f9d0dc727464fb50a1a8519ba3eed74c9553738 541642751ece1617a2f1f567741ce6ce7e2bec8a2dd7871058ec5c440fc9342fa040dff416c ddda6 1f48137d54fcf6725f487093947b9a02697e2ebf41962618b94e2a4453a1b43f1eacd51657b 54074 00d2404423f719e9b3779d6936d3b739599586f4ee8138bfac0cce760d17db9072576cea1ae 391b9 5968c7ac2563f4f578a0dbee4750ef50e137a2e998ee6d9e7ea5050688e73a971905e1d468a 04f82 29c7fc1736cf8ee216f942a6a08790e49070f85fad784a5220f2ef9c99b0bd281d6486d5e8f 699c8 43af9d57a10bc1a4a3d57bc470785d8736c7860004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488507d45d198fb22dc79c936aef Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=214, length= 136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488507d45d198fb22dc79c936aef EAP-Message = 0x020300061500 Message-Authenticator = 0xe77fe59ab7d1664be0a0eac58fc242d1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 214 to 192.168.1.8 port 1645 EAP-Message = 0x0104040015c00000089b00bcccc1285b561d81300d06092a864886f7 0d0101050500308193310b3009060355040613024652310f300d06035504081306526164697 57331 12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c652 0496e 632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312 63024 0603550403131d4578616d706c6520436572746966696361746520417574686f72697479301 e170d 3132303431393035323632305a170d3132303631383035323632305a308193310b300906035 50406 13024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c45 78616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616 d706c 652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417 57468 6f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010 0c200 0de5769708aa73a3affa3ae2581583c4882e26f16a18d443e29db8316192c28b219cbb09705 95267 63db5440029da5f07038fb6a904f36e3a41dc25ee2d693730072613aaff090fd98e30623969 bc0d4 3527de8a6e60ecbcfa6672df1f278419f652471cc787c882a1 EAP-Message = 0x34970210e501a5f008bce3abbcd4de1b5c5da2287cf6af098930a2a4 6f6c4c68f2db00dc8b8289dfb961b00fb1b8cec26b996c69e2f2a4207cf29afc6e1e7a95599 78238 8b5a5b5a10f961d816e101fdf26cf6062274aef2b443a5c60787edcd755a986de269abf78fd e55ea e7f450bca4434e6495b264e6db1bce418c8a417739b3bd52739f9ac134c2c9ed6b7bbf4ed47 9cb33 690203010001a381fb3081f8301d0603551d0e0416041410d684dcfea11dfdc1bb500b75937 3530a a6d64b3081c80603551d230481c03081bd801410d684dcfea11dfdc1bb500b759373530aa6d 64ba1 8199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65 776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a86488 6f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d7 06c65 20436572746966696361746520417574686f72697479820900bcccc1285b561d81300c06035 51d13 040530030101ff300d06092a864886f70d010105050003820101002d0d028da27788c0e5d36 23cdb 4cf11f09216955fe7493bfa233ec62bb45d3cb9dd71d61a95ca6e1ddb8aa2f8b80fbfcea5b8 b3577 6bc61c9acab1408bc31daf3cf0f27d531819b600d3ca7a7c33 EAP-Message = 0xf4b1017102971b6ff4eedeea Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488506d35d198fb22dc79c936aef Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=215, length= 136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488506d35d198fb22dc79c936aef EAP-Message = 0x020400061500 Message-Authenticator = 0xc8fc232e0ecdd2755b3a06eb17b5161e # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 215 to 192.168.1.8 port 1645 EAP-Message = 0x010500b915800000089b77cbd7b846662c36009c223bb1dab20d1956 c65d6dfdd68e272a551fae0e5b9066339a0f279041f434256e4aa905eb8dbabc508c2a0771d 29cb0 810ff8a278d32154413350d24a65e9c3cfb9e15e9057d0dce5f2cbd3d523586b6b7f60bf3a6 d92c8 772b862711d539a2412abe6a6c4f79816985453331bc5f8661a99c795b6d6a92fd75d732733 73be4 17324e2b8696ff3d6cb180e1619343b8bf9d39a193cf49a3f008a74e16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488501d25d198fb22dc79c936aef Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=216, length= 468 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488501d25d198fb22dc79c936aef EAP-Message = 0x02050150158000000146160301010610000102010072c5fede7f2e7b 230c06cbaa9d64a82ab40b8f1c00f4eb185fd65ac9b5a5aa77f01f72a924b1c0d64299b8b4c 6f1e6 00315be72327a9309c2c09facb390a9a5152a5a54bb9d70da4bb4a8fff41ee237aebcc66fc1 35060 b52f2ae59e0c7f24145b8a5f9bb835e34cca66ec73caf9d6c846606bee9982f48f3152ba97b d60b8 892409fb4c8705c77cb12e0a49e833a64dfc75dd46720b8d01c58c412f7757fecc911837a30 97e2f edfefd010b380fd1ea933172ffb9b622f31291bcb0ffb3bdc07e7cfd89062c3561ac7a426dc c6c6c 321e728572e43e8c6583a7ed9bdb3f0b77768bc3fab2b362b0 EAP-Message = 0x60c40751cbfa2ce5489cb51da39f2bcde8809cc090d288a814030100 01011603010030a88137a19eb3de41455b95e6cf888d69cfefcdc25a9107413546a9d655282 16b90 1dbf1ffbca796cea189c3be7a33fcb Message-Authenticator = 0x79b14a1f2282941539c8ad3f77eedf74 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 216 to 192.168.1.8 port 1645 EAP-Message = 0x0106004515800000003b1403010001011603010030d036b958b86f93 12a5340cdc63b90eef649553da5f9186dac246185953519a52464d9f3ec98641caa8a9b66c6 baae4 e4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05d7488500d15d198fb22dc79c936aef Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=217, length= 209 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "60-33-4B-9E-BD-AE" Service-Type = Framed-User Framed-MTU = 1500 State = 0x05d7488500d15d198fb22dc79c936aef EAP-Message = 0x0206004f1580000000451703010040b8ec8ac0db69d05575e41855e4 21b91d518d37f9e86e6d54eec8adac3b5ffb88509ff9ede906d8207dff83440fb7937501f9b 3c9bb 4bf91e4947a7fd59ba4a59 Message-Authenticator = 0xa6f6070865d2788011b84396377516fa # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 79 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 69 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "pk" User-Password = "pascal" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "pk" User-Password = "pascal" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the u ser Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> pk attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 217 to 192.168.1.8 port 1645 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 211 with timestamp +41 Cleaning up request 1 ID 212 with timestamp +41 Cleaning up request 2 ID 213 with timestamp +41 Cleaning up request 3 ID 214 with timestamp +41 Cleaning up request 4 ID 215 with timestamp +41 Cleaning up request 5 ID 216 with timestamp +41 Waking up in 1.0 seconds. Cleaning up request 6 ID 217 with timestamp +41 Ready to process requests.