Hi,
And when I look at the logs, I see that you’ve gone out of your way to butcher them. Why? You’ve removed the exact information I need to help you.
So you want us to help diagnose EAP issue, but have removed all the EAP data?
Well, I was still hoping that I'd not need to rip apart my entire testbed config. Now I've removed any production configs so here's the full log with just dummy login data (so that I have permission to post full details to a public mailinglist). The AnyConnect NAM module client EAP profile is attached. The switchport on the 3750-X is configured as: interface GigabitEthernet1/0/1 description MACSEC client port test switchport mode access authentication event linksec fail action authorize vlan 465 authentication order dot1x authentication port-control auto authentication violation protect macsec mka policy downlink dot1x pae authenticator spanning-tree portfast end (both of which pretty much go along the default cisco config guides). FreeRADIUS log for TTLS resulting in EAP-Key-Name = "" looks like this: -(snip)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/nksvpn including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/control-socket including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client ar30a-y1t-s5 { ipaddr = 172.18.198.32 require_message_authenticator = no secret = "..." nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "1234" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/freeradius/freeradius.sock" } } ... adding new socket proxy address * port 60291 ... adding new socket proxy address * port 54640 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/freeradius/freeradius.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=179, length=189 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0201001e01616e6f6e796d6f757340756e697374757474676172742e6465 Message-Authenticator = 0x310082a7764857d8fc1b4627379528d3 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 179 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afb7c52e0195bd1096fdf3655 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=180, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020200060315 Message-Authenticator = 0x81bb5b45fb18e1d020e45c97b7f52b49 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afb7c52e0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 180 to 172.18.198.32 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afa7d5ee0195bd1096fdf3655 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=181, length=309 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02030084150016030100790100007503012852a20547b500b7f68ef9d12f94962911f02b9bef08352b7cf3c5b378604e44000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0x586d094023b3133cfbe8bb88d8db5a54 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afa7d5ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0079], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0724], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 181 to 172.18.198.32 port 1645 EAP-Message = 0x0104040015c0000009c0160301003902000035030154f0e94fe7a83b762d5667ec882bbfd0f06fd3b2d7ec8535f098b1bf25f8a43b00c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8af97a5ee0195bd1096fdf3655 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=182, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020400061500 Message-Authenticator = 0x5dc3a2d8909ccccd8d90f283d7ace0a9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8af97a5ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 182 to 172.18.198.32 port 1645 EAP-Message = 0x0105040015c0000009c01d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d06 EAP-Message = 0x03551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d EAP-Message = 0x7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584 EAP-Message = 0xda860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c0002470300174104717306adc73ae2116704979ca012a0f24e3f1c5a663f1337d0876fef21f49fda2d925793bdd86a53aee79fa992bb5867afc8933b06cde83f4b40c884cfcfc88602003512e658ad4b977080325920eef0c3097430c0a576b56392c375d2e6827846f17cb83d60ca1b7366e5 EAP-Message = 0x1f91362636c010688ed0fe86 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8af87b5ee0195bd1096fdf3655 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=183, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020500061500 Message-Authenticator = 0x5f80016ee1ea7aba8ec45ec2ed178c6d NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8af87b5ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 183 to 172.18.198.32 port 1645 EAP-Message = 0x010601de1580000009c07c9d859cae70d8328c134b9fda8e137f6ec1c905d5be1dd040a05d0f5d575cf34135b7a96ae8904e22eb542f477e2656efd2e01ccadf2e8d1771be619f030a616977456985b76163e5cc34321d39f4bf11861dcdf6ffc8cb7d3e83ce799e12ca3a428eb76447d7684a197f6070e57255a414c26b026e0e5c772fceaca1619b5a8c1c1f25ec3bd8648b1d0985ada3e90d499f12b80bf3023f61c5599e89874facb03f90cb0bde981def4a3c6c2e8bf2635948281d59a0665a4f8ebed8a4e875004e8553e1d146278442ed80fa8c80d5694bf207d75e74052bfd22ece2e925a80636bde2f7c127fdd13fe9bb155547b0ccdd5071 EAP-Message = 0xc0bced3abd58bd13e6cbb5e5a7aa65932163b4e0b7a01d27496bc2691b1bd6a7bf02908dcf94d026b2f2fb6713b44d233879b9a7302283d186138a5a5f35c9ddde1a5b70f3ca14d30625404a4b5935f9ce55ef281445070ff13f44353b125978c5ef6869e13e7b2539f8a6edc07bf906237383b0a2e99d97bb3ca5e1cb9e07ba45c5769ac484563b3cd023c873913b7337ea24768110f4874aece2b49aedfdfe429002be68aed02522c49215fe7f3100aa9d17fb4dd9f3a6251e90138716bb6195f6827a4dbf67484f21c1175a3417c909408120b06a766816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8aff785ee0195bd1096fdf3655 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=184, length=317 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0206008c15001603010046100000424104b9b344ce9c80fac0b0e96aa13dc790e0ad7f743a45781697b6af030caf3a8734993a94cf98f6a340fedd7edebe017649fb70c935ea49a0e16fc5be030434f4641403010001011603010030815eac8e8ad4190f3592bf0b2edb5460d9af5ab93eb394e8694eccad4b37b8d3937c04ab91fdc90b8c117a904aafd2fc Message-Authenticator = 0x1c1e7d855458a8d3098fdde3ddf86dc0 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8aff785ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 184 to 172.18.198.32 port 1645 EAP-Message = 0x0107004515800000003b14030100010116030100308f79d0300c835c8b34ed32b1c2b16b6a50cb533f73eac3e836846a31376fc8d0b49d9ec87daef85bf39ffc61139f6877 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afe795ee0195bd1096fdf3655 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=185, length=289 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0207007015001703010020ac062c50d9ede2061baa4d36b348d96df9a5bb540f59059247d70ca88ae9b4d817030100408956d3afb078a498124467d3a3275e14be21441c02a8e1a2140b94290b901d7d00c753c43f2054ac67eb21932538dd9751125125fe701e2135f3c53ac2b85d31 Message-Authenticator = 0x002a15f9b831746e7f863fe263159f15 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afe795ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of test@unistuttgart.de [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0101002e1a0101002910b92948814412ee82da1dd2059e68eda17465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfd4e25fbfd5f86d9adb2c85cd749c1d [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 185 to 172.18.198.32 port 1645 EAP-Message = 0x0108005f1580000000551703010050546db30172f4a30cb78c76bef5907dad160bec9738a88b265033840f78111003c1e87a6255c1051cd178cf5c67e74601a8cf2676d674546fa30010bf35770fe6f6416061b76cd594b6ab40235bb932ae Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afd765ee0195bd1096fdf3655 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=186, length=337 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020800a0150017030100202ebd61605ed88be0d5136ef1c728e9260c15de503954daad14e4ce66c34dbf4f1703010070f672c15cdff050d2f92ff3170d5b373b61589c468b06602e18adfdf305eebffa265838a5ec04485ebbbf005f9e7366c7c617b7a4c4906b8e95a13f2ac54db9b707b07099eec7138579f023ceb269b543b8d241b8d2791c2a87fc9daf3e4aa595f3fc5098e96c4ec1adc448c74b66feca Message-Authenticator = 0x9a0f2af59d90000cebe3c65ae9a7c7c3 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afd765ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201004f1a0201004a31231ab1b20e9e7266dbb6e9793d6d477d0000000000000000caceb4606f5dbb180f2e167ecd8b16831b100fc6904f5d2c007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201004f1a0201004a31231ab1b20e9e7266dbb6e9793d6d477d0000000000000000caceb4606f5dbb180f2e167ecd8b16831b100fc6904f5d2c007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0xbfd4e25fbfd5f86d9adb2c85cd749c1d Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test@unistuttgart.de [mschap] Client is using MS-CHAPv2 for test@unistuttgart.de, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010200331a0301002e533d30313132353741314341354637444534453235414645424435434333383645324639313941393433 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfd4e25fbed6f86d9adb2c85cd749c1d [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 186 to 172.18.198.32 port 1645 EAP-Message = 0x0109006f15800000006517030100606afa3de81ad95abe95318904055cf5b34717b07bfd90b68e932f300d5e6cf11daa31c36b6b7b1f3848076ecd1a0793d83cfb3ce74484ded2a4e7c44e4ec206b851368a3c83edf6fd3abd20f8b69e7d3a40a3070272901ed4d7db16f5d94d5a37 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afc775ee0195bd1096fdf3655 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=187, length=273 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02090060150017030100201780eedd3729128221269f3b3b3a7f58a2d89300ef0830e3d7d7145fe7ba5d4b1703010030327c8d83df420fdccb646b16bb250328f6c6350e17b0e64c0567d116e7f7ee75a1793cc01f8be15934d02d13e7cdf5c4 Message-Authenticator = 0x1edda8ae512f59ece1179f98c15d471d NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afc775ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0xbfd4e25fbed6f86d9adb2c85cd749c1d Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [ttls] Got tunneled Access-Accept [eap] Freeing handler rlm_eap_ttls: Freeing handler for user test@unistuttgart.de ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop ++? if (reply:EAP-Session-Id) ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (reply:EAP-Session-Id) -> TRUE ++if (reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> +++} # update reply = noop ++} # if (reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 187 to 172.18.198.32 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "125" Cisco-AVPair = "linksec-policy=must-secure" Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" MS-MPPE-Recv-Key = 0x1a3f17c2d4e9de667dd14ba7b49bc7d9fc0a955ce42e31cdfb0b4440abe6f1f5 MS-MPPE-Send-Key = 0x70ab81030ceb1e3ad83ba5ca90da25d521282d57a85e4d4259ce09beb4fe51bc EAP-Message = 0x03090004 EAP-Key-Name = "" Finished request 8. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 179 with timestamp +9 Cleaning up request 1 ID 180 with timestamp +9 Cleaning up request 2 ID 181 with timestamp +9 Cleaning up request 3 ID 182 with timestamp +9 Cleaning up request 4 ID 183 with timestamp +10 Cleaning up request 5 ID 184 with timestamp +10 Cleaning up request 6 ID 185 with timestamp +10 Cleaning up request 7 ID 186 with timestamp +10 Cleaning up request 8 ID 187 with timestamp +10 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=188, length=189 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020a001e01616e6f6e796d6f757340756e697374757474676172742e6465 Message-Authenticator = 0x76855ce7c1ef8e603926873fe80d2a87 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 188 to 172.18.198.32 port 1645 EAP-Message = 0x010b00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa2002dc0c95b38f2c20d4854 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=189, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020b00060315 Message-Authenticator = 0xc1e04db636efab7c499a294e4c93bfa9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa2002dc0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 189 to 172.18.198.32 port 1645 EAP-Message = 0x010c00061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa30721c0c95b38f2c20d4854 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=190, length=309 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020c008415001603010079010000750301c2f1b4369136f3777bc4e109387787232dd92fdc245c796ee61018c727854d22000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0x1742a2f140bf698a2c1992fce93c1dd1 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa30721c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 12 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0079], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0724], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 190 to 172.18.198.32 port 1645 EAP-Message = 0x010d040015c0000009c0160301003902000035030154f0e958a8444f528782eed87574fea205f03a0358a95b68ea2e07199502a63500c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa00621c0c95b38f2c20d4854 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=191, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020d00061500 Message-Authenticator = 0xc4c35c641864cd84c3093628cef924f9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa00621c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 13 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 191 to 172.18.198.32 port 1645 EAP-Message = 0x010e040015c0000009c01d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d06 EAP-Message = 0x03551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d EAP-Message = 0x7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584 EAP-Message = 0xda860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741045ed75da665b9017435b4038c934abbf5009b4c9f434e0dbeb30cddd33b09a8e60ebaf9f2fbb3db4c6448f4736521d22f6fd8d4799069b9e0a68802e61967d83c0200132563389e87e0d0939a61bc941504e42102ad26102ad7c9ec0262334fe8d5d75fbe837320092c5267 EAP-Message = 0x7ad30d7bf8eaaa6a59cdc965 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa10521c0c95b38f2c20d4854 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=192, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020e00061500 Message-Authenticator = 0x11548231eb4324d6709e5824343e8b14 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa10521c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 192 to 172.18.198.32 port 1645 EAP-Message = 0x010f01de1580000009c0ddac1d8778aca006f92db8c9b12cf0a3b1728aeeeb14458cd321de258a16854506d2b724202b04d72656c3841d73c78417d2d428525aa458fda37db5f13032ef3d09da5b4ef8cf55930f54c1886e1047c1410f562775ddb0b39bef1c56d2dce25e21c9595361c19c7bb347799cba5bc3640109e4646ba85ad3dae873db1729825d8526af5b6ce008de8cffd161acdb2c335baaf50096eb1c6001e48da87ee9731b8de39364a08a36f1dc69fb143dc91a8b54299f32b9d566f82556d4794e35a522002d8ae2a2eda273552d171c23b373ce1f3bc8fa979ff191ce1dc643ea51bb8232cf65a1b8de03312820c9170e1439f97abc EAP-Message = 0x055efcb625431e5b39e1fbb2e4fd5bda7e8fdc61dcfc2b14ef8650c0e9cd754520f494ba5ed6dcc795bac2c1f8945ea4d5170cb944bf6820d699c4a5c66dc5c6d3d892614ef48b2eeb0b4d39640e313dc453e104608a16b2a83fda6420e64f2f048ced7ea35c331797904c069273e7cff8fb0ebe7e6940a971788e5974f131289298a7a97d582f97c866a343e583592437b7fe850e8a2d00359f40c379b5ff161ee970182c3f10d913b79390a69776b559a85fd7a0cc463a88c565c76063ab51a4fa8ea718481f0441da73c9aecdf5c5eaf02357ee5527f816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa60421c0c95b38f2c20d4854 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=193, length=317 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020f008c150016030100461000004241047f307f7d8f9130a0e34c02298894e3bd6f51525c7c85d8a035965bcd0044bad7e91c12fdd3fdd263ce4890306f361941c4ee8ea2c5e2201bb78f0b1552400dbd1403010001011603010030a2a4f602103e2801aa9a5cf2f19781dc63b9088011136de288eaf1ec89a14ff7cf7a05186d7f0240f8aa7a6d27c64401 Message-Authenticator = 0x321ca3c9bab12081ad1152823138850c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa60421c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 15 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 193 to 172.18.198.32 port 1645 EAP-Message = 0x0110004515800000003b140301000101160301003066454fe53f7ccb6249b2c781509669a56698c3431239e22d750db4784a40f465ce4b7fc7ef593302478ea171eb51a7a4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa71b21c0c95b38f2c20d4854 Finished request 14. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=194, length=289 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0210007015001703010020d41a723e20f08fd833f559bfc02c8d95e82b6db9878674bea608b72dcd5f310017030100407b127a702f6bf9f8798715abdf3a06b99e8494ad2009cd3533868a3ca0f1a86d2d40f34460f0fc2390494ab7684bc86b1831f9da729d0f0632a282218b8fe6fc Message-Authenticator = 0xaf4226d5916ec0201e978f55ced154e8 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa71b21c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 16 length 112 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of test@unistuttgart.de [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0101002e1a0101002910d6ef0301cbc00cff6103ebb5c86581607465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x090ccac9090dd0e190c6fcc2517b50c6 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 194 to 172.18.198.32 port 1645 EAP-Message = 0x0111005f158000000055170301005084bc197827291a3343a677a84740837595f94d9652cd844e62e73fa180aaad7f105dc6e8b3192a3586993d481bc1e80ee96a559dcd7d9b299efd904fbf5f497276650b0cee0b01603615a96e7790092c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa41a21c0c95b38f2c20d4854 Finished request 15. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=195, length=337 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021100a015001703010020944874392600ca218d37dd4e8340f39557384fd2d060582e9f50c4a8831103ec170301007024105b6ba4d7f64a40685b11753d739090b183ab748615101a334e5f06a138bba9cf34f19ae39dd6ef043784c700fc59db759aa8c1f546cff06549be5033a32df868401c06d5c27a6ce31041d6fbcef03b479b6ac42b0458f793cc18e4a33e57f8a56c74ddf6f20c54bce8e665b74616 Message-Authenticator = 0x10cabb6de4f1bde23da154f301913900 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa41a21c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 17 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201004f1a0201004a311dfd5207dab8f60e950878b079426b08000000000000000048a5d83eaa13c552bf4eed4ed859f479bf795f9cf8ad98be007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201004f1a0201004a311dfd5207dab8f60e950878b079426b08000000000000000048a5d83eaa13c552bf4eed4ed859f479bf795f9cf8ad98be007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x090ccac9090dd0e190c6fcc2517b50c6 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test@unistuttgart.de [mschap] Client is using MS-CHAPv2 for test@unistuttgart.de, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010200331a0301002e533d39433037323344364432423141343843353843334544354334323838453239424437354234444141 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x090ccac9080ed0e190c6fcc2517b50c6 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 195 to 172.18.198.32 port 1645 EAP-Message = 0x0112006f15800000006517030100604804557fe41292cc5ddb41c7d68f1d3f0e7779cacfc23348eaf8900d91d57487bab0bbdfbe809cf5fba67328b954b56646118db9404c13c2d01f3f7fe1604f6301399b95e176f99f120d2ffe283b2cab70f27364bab3ed467d944a04c22d82c3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa51921c0c95b38f2c20d4854 Finished request 16. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=196, length=273 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021200601500170301002086c674dd2ffefa8889234702e7a8c8e06d5f9213c48b03ba4e2c0f4f6975f34617030100304ec807b42268cb18c83c767893d28b586714315a19969117ad3f9691358042bdf78b7c5d19e2fe62a757edbecb2bb42b Message-Authenticator = 0x45d412d1a225a1bbda13a465655b1b1c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa51921c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 18 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x090ccac9080ed0e190c6fcc2517b50c6 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [ttls] Got tunneled Access-Accept [eap] Freeing handler rlm_eap_ttls: Freeing handler for user test@unistuttgart.de ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop ++? if (reply:EAP-Session-Id) ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (reply:EAP-Session-Id) -> TRUE ++if (reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> +++} # update reply = noop ++} # if (reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 196 to 172.18.198.32 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "125" Cisco-AVPair = "linksec-policy=must-secure" Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" MS-MPPE-Recv-Key = 0x38cb476a152fb9548a6e8a3dd8c81434daa51847991fee6057e2e50df8e35be5 MS-MPPE-Send-Key = 0xf67728f2b63ebde0609ad4454aaeb497fbc28fe626b36f3c012c40f5dc86f7e1 EAP-Message = 0x03120004 EAP-Key-Name = "" Finished request 17. Going to the next request Waking up in 4.8 seconds. Cleaning up request 9 ID 188 with timestamp +18 Cleaning up request 10 ID 189 with timestamp +18 Cleaning up request 11 ID 190 with timestamp +18 Cleaning up request 12 ID 191 with timestamp +18 Cleaning up request 13 ID 192 with timestamp +18 Cleaning up request 14 ID 193 with timestamp +18 Cleaning up request 15 ID 194 with timestamp +18 Cleaning up request 16 ID 195 with timestamp +18 Cleaning up request 17 ID 196 with timestamp +18 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=197, length=189 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0201001e01616e6f6e796d6f757340756e697374757474676172742e6465 Message-Authenticator = 0x6348de93c52371a9fc759d6806f31df9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 197 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1ed8d3f6e25cc3ffac739f7417 Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=198, length=309 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02020084190016030100790100007503017622f9a142432084cd76856e66189134748597535fbcdb94ed3231bdd7c43069000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0x9351c781d5324661757a70de6384969d NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1ed8d3f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 198 to 172.18.198.32 port 1645 EAP-Message = 0x0103040019c0000009c0160301003902000035030154f0e969eb79a220dfb3ee8b751449ac1315d25bffcade44a1b7f7d50e844fc500c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1ed9d2f6e25cc3ffac739f7417 Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=199, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020300061900 Message-Authenticator = 0xce71e8303414b0a99057a2a4b575b414 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1ed9d2f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 199 to 172.18.198.32 port 1645 EAP-Message = 0x010403fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574 EAP-Message = 0x74676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584da860e15 EAP-Message = 0x39435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c0002470300174104d620da594729e91fb5dd14047bf01144bc82b2b6cce056d8ab88630b710a2a5359e42df193f81106bd76cfd2d46a0c30b4c7f2c85ca2306672fd6dc9abc42272020085bc64c68b9224bf7e1cf56db8542f6e94629af3897afceb313e4a9e5952219e1d657d7f83ef8bb392ab359ee9 EAP-Message = 0x8d39d9cc53c2045d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edad5f6e25cc3ffac739f7417 Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=200, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020400061900 Message-Authenticator = 0x5cb3757710a9e1aa840f98a82e0cd4ac NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edad5f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 200 to 172.18.198.32 port 1645 EAP-Message = 0x010501da19009bea571da19c1199373837e252180d6597e0a925ea6b6e65dbf6b44a1b55fb9f89cbd8b6905580c1b0d90404d29d1fb170e1b52a9a9d6f61667f99967745f2195115aaed93b622d1e8a4998789a8045935726cc9405d2da7757f940b5c7eecc445d4099a37978369e6ee69843e183ee779fc2099b002fa94b619b9f51f1e37db4f289aee4f990a2515b5b449df99ac7cdf2c52c9183cf05eaef42acec2109f34d3a7a1e2cd2a1ef9b0ac8f76e531bb2167611ae990f2902a768dd4747a4fe84c2cfbb79e689d64497b8065c87448635201943eeb04d39f8b1754209c78037e50cf5619806cce2f71f55e40e7af4e6c70306cea855a86da EAP-Message = 0x62b5a5f51d575c728e77200cc821911ca0a471cea55af9a7f1e82f6456e072c3372804fac2f37bdc819b3ba5d9577218f5f2d1261fb11473a47c3eb334bb06755b7089f353f55a331f52162546e53d43c472f7ef1e5c054053ab5808e9ab9a4ecc8b410219ee742af25c0ca87ef90a4e1bdbdfc8e2c009a0fd4a039cd1cc8fee81b24213c57d37e2496f55441fdcb40235ccc48af7ff6bbb3502c0a71e25762dd6d6aaf5e342a261abc0bb3451b7df7925f2bac8d52368d948046406b2ff6481607135ecb684ec3665e4c5bc3abb955dfc90090b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edbd4f6e25cc3ffac739f7417 Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=201, length=317 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0205008c19001603010046100000424104c920e896bbdfb7b30714655ff17a0b5f26fca20f71c89b3847654bc60f16226f1c377af37c9941cc4b6bd52e1bec5605d7ef9fcf2f22a58e9c70e26cac5d90d714030100010116030100302d906f12f1aaa192ce35c8698ef5c1e533a66aea1911314665e7e68856e7b993b98701624db7317f7891d7ddd8215065 Message-Authenticator = 0x245c49b0c78d717defad473ea4995519 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edbd4f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 201 to 172.18.198.32 port 1645 EAP-Message = 0x010600411900140301000101160301003009aa5d4cf397842d682fffb1858ce9ea3c66a41b1d97d004f6ccfae16f183cbfbcd52e43881fbe31c76f0b1713e1b148 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edcd7f6e25cc3ffac739f7417 Finished request 22. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=202, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020600061900 Message-Authenticator = 0xdcc682b2f47b466deb0a7bbf385835e5 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edcd7f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 202 to 172.18.198.32 port 1645 EAP-Message = 0x0107002b1900170301002021ad645902073d2033c2fa10a4b57dcd8a3c3920f23ccef4c5a28f494c7b3f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1eddd6f6e25cc3ffac739f7417 Finished request 23. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=203, length=273 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02070060190017030100201556be55b047693bdf7ac1b410e42b9646e9b88d479c4f5b2544f5ce7d9e3cc11703010030e74b08c5ea2ebdebe3cb70ec39de0b36691903de2eca9725792d43d318f04ce76777955b0986b9c286e4a59762990074 Message-Authenticator = 0x9b6f8a5c745b216a6a50bfdbba7dc115 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1eddd6f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test@unistuttgart.de [peap] Got inner identity 'test@unistuttgart.de' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02070019017465737440756e697374757474676172742e6465 server { [peap] Setting User-Name to test@unistuttgart.de Sending tunneled request EAP-Message = 0x02070019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0108002e1a01080029105e86fe5270171c649fe7f47a59cfea9f7465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356ab3c6f49b248f333ecdfdd5 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0108002e1a01080029105e86fe5270171c649fe7f47a59cfea9f7465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356ab3c6f49b248f333ecdfdd5 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 203 to 172.18.198.32 port 1645 EAP-Message = 0x0108004b19001703010040397ebeacf4e455642e30eabd8219feff7872e3b1a8bfd14648f54cefb93dfe0bd84cc1c4a1bb7b18a53a245e87535aec16f4ff5778a61d0424f581a45e824199 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1eded9f6e25cc3ffac739f7417 Finished request 24. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=204, length=321 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02080090190017030100202f4572bb50e17a435043848d867990437567c3f6492396aceeed491eb2a9b8e417030100603e7cae95cdd47e2c3f743414227bf71d16222ecb5916e7259e9afe6e63abdd5689a10ccba4070f4cf89eefcbce73d30a9b55f2cbe473828ba57f8d049525e300fcb4ef8049e7dfb9d627c2c2e2ced9ad4356f77789e3231132a7a6c9b0d2bc80 Message-Authenticator = 0x91e6a98a90553c5c25810947357b2a55 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1eded9f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208004f1a0208004a317f04d58271cddee5b3b9ca7da908a1e4000000000000000092b8ad0318ad8053c26c7d83615c8d71b6b9c82db3a308ba007465737440756e697374757474676172742e6465 server { [peap] Setting User-Name to test@unistuttgart.de Sending tunneled request EAP-Message = 0x0208004f1a0208004a317f04d58271cddee5b3b9ca7da908a1e4000000000000000092b8ad0318ad8053c26c7d83615c8d71b6b9c82db3a308ba007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x6abbdc356ab3c6f49b248f333ecdfdd5 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test@unistuttgart.de [mschap] Client is using MS-CHAPv2 for test@unistuttgart.de, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010900331a0308002e533d32443234454533424334363741333242393939363246373841433442363541444135434244463342 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356bb2c6f49b248f333ecdfdd5 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010900331a0308002e533d32443234454533424334363741333242393939363246373841433442363541444135434244463342 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356bb2c6f49b248f333ecdfdd5 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 204 to 172.18.198.32 port 1645 EAP-Message = 0x0109005b19001703010050ae7e8a81d91b5f11d34ba15bd0bab19aba25d742f03341ad33f4f49820c729255b0f8d928130a067432cdce260da9fa2e08aeeabfa72bbbc710ede11cb0c0080d11cdc60e3ed5469a049675d7c6c8e21 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edfd8f6e25cc3ffac739f7417 Finished request 25. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=205, length=257 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0209005019001703010020124448bbc9d32dc7684cfc084ad76fa4b0f28f4b8c90d5b1d4da59790bbc076a170301002037708ae0e37268260ebbc556d9a3808d960807a3cf7af6731a3ef88c13fa68bd Message-Authenticator = 0x8dc62f26b9cb8cf28f604e372ab31131 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edfd8f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test@unistuttgart.de Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x6abbdc356bb2c6f49b248f333ecdfdd5 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Got tunneled reply RADIUS code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 205 to 172.18.198.32 port 1645 EAP-Message = 0x010a002b190017030100206d5bcfbdd0061220771b5ff0707bd0b82144de71932c2bcabb08eda4cbb6b789 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1ed0dbf6e25cc3ffac739f7417 Finished request 26. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=206, length=257 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020a0050190017030100203b456f64e3ca70184d51b4fea6b118d82507cd740db868aaefd3bb3d855beaf41703010020657e7167a49b2260b3b59ea624d86b20e08bb64ccad18849adb7b82c359fe290 Message-Authenticator = 0xb85f02b163b10e348a035b1ee458cc72 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1ed0dbf6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" User-Name = "test" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop ++? if (reply:EAP-Session-Id) ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (reply:EAP-Session-Id) -> TRUE ++if (reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> +++} # update reply = noop ++} # if (reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 206 to 172.18.198.32 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "125" Cisco-AVPair = "linksec-policy=must-secure" User-Name = "test" MS-MPPE-Recv-Key = 0x3c0aab819095f1282469005cc7f2e24e5c37a32a95c8b9b2784f784a881e59a5 MS-MPPE-Send-Key = 0x79674abf7fb0ed91dbec1190e36e9b677236bbaaeef59c63820b22eb0f9b271c EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Key-Name = "" Finished request 27. Going to the next request Waking up in 4.7 seconds. Cleaning up request 18 ID 197 with timestamp +35 Cleaning up request 19 ID 198 with timestamp +35 Cleaning up request 20 ID 199 with timestamp +35 Cleaning up request 21 ID 200 with timestamp +35 Cleaning up request 22 ID 201 with timestamp +35 Cleaning up request 23 ID 202 with timestamp +35 Cleaning up request 24 ID 203 with timestamp +35 Cleaning up request 25 ID 204 with timestamp +35 Cleaning up request 26 ID 205 with timestamp +35 Cleaning up request 27 ID 206 with timestamp +35 Ready to process requests. -(snip)- Thus, both TTLS-MSCHAPv2 and PEAP-MSCHAPv2 result in empty EAP-Key-Name. Best regards, Kilian