client configured with GTC for EAP TTLS ? it looks like its not happy responding to the GTC challenge.. alan On 14 September 2017 at 10:32, Mark <mclarke4@gmail.com> wrote:
Hi all,
I have a openldap server with hashed password and am attempting to set up WPA-Enterprise authentication. I have enabled the ldpap module and straight authentication usng ldap and pap works. i.e the proxy server authenticates without any problems.
I have the client configured to use ttls and gtc. I have done the same with the eap configuration file. I don't get any error messages in the log file when trying to connect. (I regengerated the ssl certs as hinted at by a previous message but this took away the ssl cert warning but did not solve the problem.)
Below is the debug log output. Trying to understand radius and the whole EAP protocol requires a large amount of effort. I have already understood a lot more than I did 3 days ago but am not at the end of my concpetual models ability to trouble shoot this problem. I have tried setting the Auth-Type: to LDAP in the gtc configuration in the eap conf file as well but the results are the same.
Any help or hints appreciated. From the log file below it looks like the client is not responding to the final Access-Challenge. The only other idea I have is that the User-Password: field is not being passed to the eap process? Not sure how to fix that or if it is the problem.
Thanks
Ready to process requests (0) Received Access-Request Id 224 from 192.168.45.05:37339 to 192.168.45.74:1812 length 166 (0) User-Name = "bob" (0) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Port = 0 (0) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "59B902E8-000000EA" (0) Framed-MTU = 1400 (0) EAP-Message = 0x02270009016d61726b (0) Message-Authenticator = 0x4e878ddb529b319d77ea2abfb3131112 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914 (0) auth_log: EXPAND %t (0) auth_log: --> Thu Sep 14 11:19:11 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bob", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 39 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: Initiating new EAP-TLS session (0) eap_ttls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 40 length 6 (0) eap: EAP session adding &reply:State = 0xbdc37936bdeb6cdd (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 224 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (0) EAP-Message = 0x012800061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xbdc37936bdeb6cdd84932144ea25780b (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 225 from 192.168.45.05:37339 to 192.168.45.74:1812 length 339 (1) User-Name = "bob" (1) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Port = 0 (1) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "59B902E8-000000EA" (1) Framed-MTU = 1400 (1) EAP-Message = 0x022800a4150016030100990100009503030a1c1c168f1fe7ca21b8e5ee873c19ba1e777641a3b13e1cca092bfa7fe66fc100003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff01000030001700 (1) State = 0xbdc37936bdeb6cdd84932144ea25780b (1) Message-Authenticator = 0xc6c693312fb56f022f47198c94f4c3c7 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (1) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (1) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914 (1) auth_log: EXPAND %t (1) auth_log: --> Thu Sep 14 11:19:11 2017 (1) [auth_log] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "bob", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 40 length 164 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xbdc37936bdeb6cdd (1) eap: Finished EAP session with state 0xbdc37936bdeb6cdd (1) eap: Previous EAP request found for state 0xbdc37936bdeb6cdd, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: Continuing EAP-TLS (1) eap_ttls: Got final TLS record fragment (158 bytes) (1) eap_ttls: WARNING: Total received TLS record fragments (158 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_ttls: [eaptls verify] = ok (1) eap_ttls: Done initial handshake (1) eap_ttls: (other): before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: TLS_accept: before SSL initialization (1) eap_ttls: <<< recv TLS 1.2 [length 0099] (1) eap_ttls: TLS_accept: SSLv3/TLS read client hello (1) eap_ttls: >>> send TLS 1.2 [length 003d] (1) eap_ttls: TLS_accept: SSLv3/TLS write server hello (1) eap_ttls: >>> send TLS 1.2 [length 08d3] (1) eap_ttls: TLS_accept: SSLv3/TLS write certificate (1) eap_ttls: >>> send TLS 1.2 [length 014d] (1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange (1) eap_ttls: >>> send TLS 1.2 [length 0004] (1) eap_ttls: TLS_accept: SSLv3/TLS write server done (1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done (1) eap_ttls: In SSL Handshake Phase (1) eap_ttls: In SSL Accept mode (1) eap_ttls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 41 length 1004 (1) eap: EAP session adding &reply:State = 0xbdc37936bcea6cdd (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 225 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (1) EAP-Message = 0x012903ec15c000000a75160303003d020000390303bfef2af615bb30a1795e1502febfbbcfaf0829baff49038576161b0bbe9082d500c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d0101 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xbdc37936bcea6cdd84932144ea25780b (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 226 from 192.168.45.05:37339 to 192.168.45.74:1812 length 181 (2) User-Name = "bob" (2) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Port = 0 (2) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) Acct-Session-Id = "59B902E8-000000EA" (2) Framed-MTU = 1400 (2) EAP-Message = 0x022900061500 (2) State = 0xbdc37936bcea6cdd84932144ea25780b (2) Message-Authenticator = 0x5e81d512883c3437d5d7c4b1576509da (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (2) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (2) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914 (2) auth_log: EXPAND %t (2) auth_log: --> Thu Sep 14 11:19:11 2017 (2) [auth_log] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "bob", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 41 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xbdc37936bcea6cdd (2) eap: Finished EAP session with state 0xbdc37936bcea6cdd (2) eap: Previous EAP request found for state 0xbdc37936bcea6cdd, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: Continuing EAP-TLS (2) eap_ttls: Peer ACKed our handshake fragment (2) eap_ttls: [eaptls verify] = request (2) eap_ttls: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 42 length 1004 (2) eap: EAP session adding &reply:State = 0xbdc37936bfe96cdd (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 226 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (2) EAP-Message = 0x012a03ec15c000000a75318c53693caf5cec07a26c179201b35044f8b0a36585e88ac8887724d038dace205f76b50f376be76dd9ebe975518e8d82a931d370995cd79469cd39278883b89faf674e3bc275747a253d0cab0004e8308204e4308203cca003020102020900acfa1c7c27c4f226300d06092a (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xbdc37936bfe96cdd84932144ea25780b (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 227 from 192.168.45.05:37339 to 192.168.45.74:1812 length 181 (3) User-Name = "bob" (3) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Port = 0 (3) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "59B902E8-000000EA" (3) Framed-MTU = 1400 (3) EAP-Message = 0x022a00061500 (3) State = 0xbdc37936bfe96cdd84932144ea25780b (3) Message-Authenticator = 0x9fd121549085c6c53071b12b8b96285a (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (3) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (3) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914 (3) auth_log: EXPAND %t (3) auth_log: --> Thu Sep 14 11:19:11 2017 (3) [auth_log] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "bob", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 42 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xbdc37936bfe96cdd (3) eap: Finished EAP session with state 0xbdc37936bfe96cdd (3) eap: Previous EAP request found for state 0xbdc37936bfe96cdd, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: Continuing EAP-TLS (3) eap_ttls: Peer ACKed our handshake fragment (3) eap_ttls: [eaptls verify] = request (3) eap_ttls: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 43 length 699 (3) eap: EAP session adding &reply:State = 0xbdc37936bee86cdd (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 227 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (3) EAP-Message = 0x012b02bb158000000a750101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100e3995c54d00cee2fbbc14478b89b75b38a11643e5c1a51 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xbdc37936bee86cdd84932144ea25780b (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 228 from 192.168.45.05:37339 to 192.168.45.74:1812 length 307 (4) User-Name = "bob" (4) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Port = 0 (4) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) Acct-Session-Id = "59B902E8-000000EA" (4) Framed-MTU = 1400 (4) EAP-Message = 0x022b0084150016030300461000004241047d7abad05d5661d82c204f0d953f0ce6f5b508de608abf44b528fc3897c2f548baacdb60f5cd867ea90d976f1ad767249c4fc28ba8a810d62bb1102d57fd00e514030300010116030300280000000000000000c227b6f946893e02d0eac613069cdc09d93578 (4) State = 0xbdc37936bee86cdd84932144ea25780b (4) Message-Authenticator = 0xb50eb2de770b6149c3752e62afebe833 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (4) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (4) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914 (4) auth_log: EXPAND %t (4) auth_log: --> Thu Sep 14 11:19:11 2017 (4) [auth_log] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "bob", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 43 length 132 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xbdc37936bee86cdd (4) eap: Finished EAP session with state 0xbdc37936bee86cdd (4) eap: Previous EAP request found for state 0xbdc37936bee86cdd, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: Continuing EAP-TLS (4) eap_ttls: [eaptls verify] = ok (4) eap_ttls: Done initial handshake (4) eap_ttls: TLS_accept: SSLv3/TLS write server done (4) eap_ttls: <<< recv TLS 1.2 [length 0046] (4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange (4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec (4) eap_ttls: <<< recv TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS read finished (4) eap_ttls: >>> send TLS 1.2 [length 0001] (4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec (4) eap_ttls: >>> send TLS 1.2 [length 0010] (4) eap_ttls: TLS_accept: SSLv3/TLS write finished (4) eap_ttls: (other): SSL negotiation finished successfully (4) eap_ttls: SSL Connection Established (4) eap_ttls: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 44 length 61 (4) eap: EAP session adding &reply:State = 0xbdc37936b9ef6cdd (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 228 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (4) EAP-Message = 0x012c003d1580000000331403030001011603030028471e30dc08a6d794f227f69ef0ae81d75a7082e5643ef6c65d9ee2604fcd4f7c55114fc65525a838 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xbdc37936b9ef6cdd84932144ea25780b (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 229 from 192.168.45.05:37339 to 192.168.45.74:1812 length 230 (5) User-Name = "bob" (5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Port = 0 (5) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "59B902E8-000000EA" (5) Framed-MTU = 1400 (5) EAP-Message = 0x022c00371500170303002c0000000000000001595cecb3de730e899e84a9f3e32a5b344f7831ba3a3b08486ae4ed71c158e57359dded07 (5) State = 0xbdc37936b9ef6cdd84932144ea25780b (5) Message-Authenticator = 0x04079a652bd0207cdffa3715b865b41a (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (5) auth_log: --> /var/log/freeradius/radacct/ 192.168.45.05/auth-detail-20170914 (5) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.45.05/auth-detail-20170914 (5) auth_log: EXPAND %t (5) auth_log: --> Thu Sep 14 11:19:11 2017 (5) [auth_log] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "bob", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 44 length 55 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xbdc37936b9ef6cdd (5) eap: Finished EAP session with state 0xbdc37936b9ef6cdd (5) eap: Previous EAP request found for state 0xbdc37936b9ef6cdd, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: Continuing EAP-TLS (5) eap_ttls: [eaptls verify] = ok (5) eap_ttls: Done initial handshake (5) eap_ttls: [eaptls process] = ok (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Got tunneled request (5) eap_ttls: EAP-Message = 0x02000009016d61726b (5) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_ttls: Got tunneled identity of bob (5) eap_ttls: Setting default EAP type for tunneled EAP session (5) eap_ttls: Sending tunneled request (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x02000009016d61726b (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "bob" (5) Called-Station-Id = "54-27-1E-4C-F9-E4:Jumping Bean" (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Port = 0 (5) Calling-Station-Id = "60-FE-1E-A0-4F-C4" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "59B902E8-000000EA" (5) Framed-MTU = 1400 (5) Event-Timestamp = "Sep 14 2017 11:19:11 SAST" (5) NAS-IP-Address = 192.168.45.05 (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "bob", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 0 length 9 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_gtc to process data (5) eap_gtc: EXPAND Password: (5) eap_gtc: --> Password: (5) eap: Sending EAP Request (code 1) ID 1 length 15 (5) eap: EAP session adding &reply:State = 0x939300d7939206e6 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x0101000f0650617373776f72643a20 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x939300d7939206e632565a4a2d1be287 (5) eap_ttls: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 45 length 63 (5) eap: EAP session adding &reply:State = 0xbdc37936b8ee6cdd (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 229 from 192.168.45.74:1812 to 192.168.45.05:37339 length 0 (5) EAP-Message = 0x012d003f1580000000351703030030471e30dc08a6d79553ed6a4977806816b7ccd9f91d3c7e620176ceb206f3a0d52f0918d696626cf670769ccb64d27449 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xbdc37936b8ee6cdd84932144ea25780b (5) Finished request Waking up in 4.8 seconds. (0) Cleaning up request packet ID 224 with timestamp +10 (1) Cleaning up request packet ID 225 with timestamp +10 (2) Cleaning up request packet ID 226 with timestamp +10 (3) Cleaning up request packet ID 227 with timestamp +10 (4) Cleaning up request packet ID 228 with timestamp +10 (5) Cleaning up request packet ID 229 with timestamp +10 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html