Matthew Thank you for the observations. Mea cupla - the password was wrong. Having corrected that I am getting a WICED 1064 error back on the device which I believe means EAPOL_KEY_FAILURE. I am really struggling the read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working in fact I see at the end SUCCESS - so is this a device issue? (36) Received Access-Request Id 208 from 192.168.1.38:55602 to 192.168.1.33:1812 length 174 (36) User-Name = "anonymous" (36) NAS-IP-Address = 192.168.1.38 (36) NAS-Identifier = "b4fbe4c348ab" (36) NAS-Port = 0 (36) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (36) Calling-Station-Id = "E0-4F-43-36-B1-F1" (36) Framed-MTU = 1400 (36) NAS-Port-Type = Wireless-802.11 (36) Connect-Info = "CONNECT 0Mbps 802.11b" (36) EAP-Message = 0x02b5000e01616e6f6e796d6f7573 (36) Message-Authenticator = 0x25509f16a2da40b886f964a9fb289b2a (36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (36) authorize { (36) policy filter_username { (36) if (&User-Name) { (36) if (&User-Name) -> TRUE (36) if (&User-Name) { (36) if (&User-Name =~ / /) { (36) if (&User-Name =~ / /) -> FALSE (36) if (&User-Name =~ /@[^@]*@/ ) { (36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (36) if (&User-Name =~ /\.\./ ) { (36) if (&User-Name =~ /\.\./ ) -> FALSE (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (36) if (&User-Name =~ /\.$/) { (36) if (&User-Name =~ /\.$/) -> FALSE (36) if (&User-Name =~ /@\./) { (36) if (&User-Name =~ /@\./) -> FALSE (36) } # if (&User-Name) = notfound (36) } # policy filter_username = notfound (36) [preprocess] = ok (36) [chap] = noop (36) [mschap] = noop (36) [digest] = noop (36) suffix: Checking for suffix after "@" (36) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (36) suffix: No such realm "NULL" (36) [suffix] = noop (36) eap: Peer sent EAP Response (code 2) ID 181 length 14 (36) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (36) [eap] = ok (36) } # authorize = ok (36) Found Auth-Type = eap (36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (36) authenticate { (36) eap: Peer sent packet with method EAP Identity (1) (36) eap: Calling submodule eap_md5 to process data (36) eap_md5: Issuing MD5 Challenge (36) eap: Sending EAP Request (code 1) ID 182 length 22 (36) eap: EAP session adding &reply:State = 0x2a8581bd2a3385df (36) [eap] = handled (36) } # authenticate = handled (36) Using Post-Auth-Type Challenge (36) Post-Auth-Type sub-section not found. Ignoring. (36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (36) Sent Access-Challenge Id 208 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (36) EAP-Message = 0x01b600160410ff129213cf36dc9899010133da42091f (36) Message-Authenticator = 0x00000000000000000000000000000000 (36) State = 0x2a8581bd2a3385df1e814808369ac970 (36) Finished request Waking up in 4.9 seconds. (37) Received Access-Request Id 209 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184 (37) User-Name = "anonymous" (37) NAS-IP-Address = 192.168.1.38 (37) NAS-Identifier = "b4fbe4c348ab" (37) NAS-Port = 0 (37) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (37) Calling-Station-Id = "E0-4F-43-36-B1-F1" (37) Framed-MTU = 1400 (37) NAS-Port-Type = Wireless-802.11 (37) Connect-Info = "CONNECT 0Mbps 802.11b" (37) EAP-Message = 0x02b600060319 (37) State = 0x2a8581bd2a3385df1e814808369ac970 (37) Message-Authenticator = 0x8119d40b649a68faa58453efa4c195eb (37) session-state: No cached attributes (37) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (37) authorize { (37) policy filter_username { (37) if (&User-Name) { (37) if (&User-Name) -> TRUE (37) if (&User-Name) { (37) if (&User-Name =~ / /) { (37) if (&User-Name =~ / /) -> FALSE (37) if (&User-Name =~ /@[^@]*@/ ) { (37) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (37) if (&User-Name =~ /\.\./ ) { (37) if (&User-Name =~ /\.\./ ) -> FALSE (37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (37) if (&User-Name =~ /\.$/) { (37) if (&User-Name =~ /\.$/) -> FALSE (37) if (&User-Name =~ /@\./) { (37) if (&User-Name =~ /@\./) -> FALSE (37) } # if (&User-Name) = notfound (37) } # policy filter_username = notfound (37) [preprocess] = ok (37) [chap] = noop (37) [mschap] = noop (37) [digest] = noop (37) suffix: Checking for suffix after "@" (37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (37) suffix: No such realm "NULL" (37) [suffix] = noop (37) eap: Peer sent EAP Response (code 2) ID 182 length 6 (37) eap: No EAP Start, assuming it's an on-going EAP conversation (37) [eap] = updated (37) [files] = noop (37) [expiration] = noop (37) [logintime] = noop (37) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (37) pap: WARNING: Authentication will fail unless a "known good" password is available (37) [pap] = noop (37) } # authorize = updated (37) Found Auth-Type = eap (37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (37) authenticate { (37) eap: Expiring EAP session with state 0x2a8581bd2a3385df (37) eap: Finished EAP session with state 0x2a8581bd2a3385df (37) eap: Previous EAP request found for state 0x2a8581bd2a3385df, released from the list (37) eap: Peer sent packet with method EAP NAK (3) (37) eap: Found mutually acceptable type PEAP (25) (37) eap: Calling submodule eap_peap to process data (37) eap_peap: Initiating new EAP-TLS session (37) eap_peap: [eaptls start] = request (37) eap: Sending EAP Request (code 1) ID 183 length 6 (37) eap: EAP session adding &reply:State = 0x2a8581bd2b3298df (37) [eap] = handled (37) } # authenticate = handled (37) Using Post-Auth-Type Challenge (37) Post-Auth-Type sub-section not found. Ignoring. (37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (37) Sent Access-Challenge Id 209 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (37) EAP-Message = 0x01b700061920 (37) Message-Authenticator = 0x00000000000000000000000000000000 (37) State = 0x2a8581bd2b3298df1e814808369ac970 (37) Finished request Waking up in 4.9 seconds. (38) Received Access-Request Id 210 from 192.168.1.38:55602 to 192.168.1.33:1812 length 274 (38) User-Name = "anonymous" (38) NAS-IP-Address = 192.168.1.38 (38) NAS-Identifier = "b4fbe4c348ab" (38) NAS-Port = 0 (38) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (38) Calling-Station-Id = "E0-4F-43-36-B1-F1" (38) Framed-MTU = 1400 (38) NAS-Port-Type = Wireless-802.11 (38) Connect-Info = "CONNECT 0Mbps 802.11b" (38) EAP-Message = 0x02b7006019800000005616030300510100004d0303000000281cdc9b2252c07aa2864276d5d684b9f771cff5a17b5c280169d1bf8a000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (38) State = 0x2a8581bd2b3298df1e814808369ac970 (38) Message-Authenticator = 0xb616b97bb086ec34a2c8ef9911d0ea09 (38) session-state: No cached attributes (38) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (38) authorize { (38) policy filter_username { (38) if (&User-Name) { (38) if (&User-Name) -> TRUE (38) if (&User-Name) { (38) if (&User-Name =~ / /) { (38) if (&User-Name =~ / /) -> FALSE (38) if (&User-Name =~ /@[^@]*@/ ) { (38) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (38) if (&User-Name =~ /\.\./ ) { (38) if (&User-Name =~ /\.\./ ) -> FALSE (38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (38) if (&User-Name =~ /\.$/) { (38) if (&User-Name =~ /\.$/) -> FALSE (38) if (&User-Name =~ /@\./) { (38) if (&User-Name =~ /@\./) -> FALSE (38) } # if (&User-Name) = notfound (38) } # policy filter_username = notfound (38) [preprocess] = ok (38) [chap] = noop (38) [mschap] = noop (38) [digest] = noop (38) suffix: Checking for suffix after "@" (38) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (38) suffix: No such realm "NULL" (38) [suffix] = noop (38) eap: Peer sent EAP Response (code 2) ID 183 length 96 (38) eap: Continuing tunnel setup (38) [eap] = ok (38) } # authorize = ok (38) Found Auth-Type = eap (38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (38) authenticate { (38) eap: Expiring EAP session with state 0x2a8581bd2b3298df (38) eap: Finished EAP session with state 0x2a8581bd2b3298df (38) eap: Previous EAP request found for state 0x2a8581bd2b3298df, released from the list (38) eap: Peer sent packet with method EAP PEAP (25) (38) eap: Calling submodule eap_peap to process data (38) eap_peap: Continuing EAP-TLS (38) eap_peap: Peer indicated complete TLS record size will be 86 bytes (38) eap_peap: Got complete TLS record (86 bytes) (38) eap_peap: [eaptls verify] = length included (38) eap_peap: (other): before SSL initialization (38) eap_peap: TLS_accept: before SSL initialization (38) eap_peap: TLS_accept: before SSL initialization (38) eap_peap: <<< recv TLS 1.2 [length 0051] (38) eap_peap: TLS_accept: SSLv3/TLS read client hello (38) eap_peap: >>> send TLS 1.2 [length 002a] (38) eap_peap: TLS_accept: SSLv3/TLS write server hello (38) eap_peap: >>> send TLS 1.2 [length 02f1] (38) eap_peap: TLS_accept: SSLv3/TLS write certificate (38) eap_peap: >>> send TLS 1.2 [length 0004] (38) eap_peap: TLS_accept: SSLv3/TLS write server done (38) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (38) eap_peap: In SSL Handshake Phase (38) eap_peap: In SSL Accept mode (38) eap_peap: [eaptls process] = handled (38) eap: Sending EAP Request (code 1) ID 184 length 820 (38) eap: EAP session adding &reply:State = 0x2a8581bd283d98df (38) [eap] = handled (38) } # authenticate = handled (38) Using Post-Auth-Type Challenge (38) Post-Auth-Type sub-section not found. Ignoring. (38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (38) Sent Access-Challenge Id 210 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (38) EAP-Message = 0x01b803341900160303002a020000260303cf3c4b0e5ed60e104aad4ed9b51fb76b9896b63ef4a31d3e772041f6e35b257200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (38) Message-Authenticator = 0x00000000000000000000000000000000 (38) State = 0x2a8581bd283d98df1e814808369ac970 (38) Finished request Waking up in 4.9 seconds. (39) Received Access-Request Id 211 from 192.168.1.38:55602 to 192.168.1.33:1812 length 548 (39) User-Name = "anonymous" (39) NAS-IP-Address = 192.168.1.38 (39) NAS-Identifier = "b4fbe4c348ab" (39) NAS-Port = 0 (39) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (39) Calling-Station-Id = "E0-4F-43-36-B1-F1" (39) Framed-MTU = 1400 (39) NAS-Port-Type = Wireless-802.11 (39) Connect-Info = "CONNECT 0Mbps 802.11b" (39) EAP-Message = 0x02b80170198000000166160303010610000102010071e19621b125c24ad8dad747ca68b5f71eedd73d928788b92dcffb97d102f453587e37ecc1fa3d8fd8b80b6db2ef5bb91b0452e39652df4324e7251c3ca8401dc5d7565b8b87187452af469f979e0f7e89441a02251a4da163c0cd6fcd7faa357fac (39) State = 0x2a8581bd283d98df1e814808369ac970 (39) Message-Authenticator = 0x04bed256ea91148ae84b66643a916080 (39) session-state: No cached attributes (39) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (39) authorize { (39) policy filter_username { (39) if (&User-Name) { (39) if (&User-Name) -> TRUE (39) if (&User-Name) { (39) if (&User-Name =~ / /) { (39) if (&User-Name =~ / /) -> FALSE (39) if (&User-Name =~ /@[^@]*@/ ) { (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (39) if (&User-Name =~ /\.\./ ) { (39) if (&User-Name =~ /\.\./ ) -> FALSE (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (39) if (&User-Name =~ /\.$/) { (39) if (&User-Name =~ /\.$/) -> FALSE (39) if (&User-Name =~ /@\./) { (39) if (&User-Name =~ /@\./) -> FALSE (39) } # if (&User-Name) = notfound (39) } # policy filter_username = notfound (39) [preprocess] = ok (39) [chap] = noop (39) [mschap] = noop (39) [digest] = noop (39) suffix: Checking for suffix after "@" (39) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (39) suffix: No such realm "NULL" (39) [suffix] = noop (39) eap: Peer sent EAP Response (code 2) ID 184 length 368 (39) eap: Continuing tunnel setup (39) [eap] = ok (39) } # authorize = ok (39) Found Auth-Type = eap (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (39) authenticate { (39) eap: Expiring EAP session with state 0x2a8581bd283d98df (39) eap: Finished EAP session with state 0x2a8581bd283d98df (39) eap: Previous EAP request found for state 0x2a8581bd283d98df, released from the list (39) eap: Peer sent packet with method EAP PEAP (25) (39) eap: Calling submodule eap_peap to process data (39) eap_peap: Continuing EAP-TLS (39) eap_peap: Peer indicated complete TLS record size will be 358 bytes (39) eap_peap: Got complete TLS record (358 bytes) (39) eap_peap: [eaptls verify] = length included (39) eap_peap: TLS_accept: SSLv3/TLS write server done (39) eap_peap: <<< recv TLS 1.2 [length 0106] (39) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (39) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (39) eap_peap: <<< recv TLS 1.2 [length 0010] (39) eap_peap: TLS_accept: SSLv3/TLS read finished (39) eap_peap: >>> send TLS 1.2 [length 0001] (39) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (39) eap_peap: >>> send TLS 1.2 [length 0010] (39) eap_peap: TLS_accept: SSLv3/TLS write finished (39) eap_peap: (other): SSL negotiation finished successfully (39) eap_peap: SSL Connection Established (39) eap_peap: [eaptls process] = handled (39) eap: Sending EAP Request (code 1) ID 185 length 97 (39) eap: EAP session adding &reply:State = 0x2a8581bd293c98df (39) [eap] = handled (39) } # authenticate = handled (39) Using Post-Auth-Type Challenge (39) Post-Auth-Type sub-section not found. Ignoring. (39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (39) Sent Access-Challenge Id 211 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (39) EAP-Message = 0x01b9006119001403030001011603030050b0b0d9af69f459f35b4b47f71ed961ad39a4d03368daf9ae1b1438e2c5f6586f3396151c1e6d9b8d815db52d93a0b1df8be145d56c2a3dd6b1133e231ee64be468f9dafc1529bac1bb8da84d57fe81d0 (39) Message-Authenticator = 0x00000000000000000000000000000000 (39) State = 0x2a8581bd293c98df1e814808369ac970 (39) Finished request Waking up in 4.8 seconds. (40) Received Access-Request Id 212 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184 (40) User-Name = "anonymous" (40) NAS-IP-Address = 192.168.1.38 (40) NAS-Identifier = "b4fbe4c348ab" (40) NAS-Port = 0 (40) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (40) Calling-Station-Id = "E0-4F-43-36-B1-F1" (40) Framed-MTU = 1400 (40) NAS-Port-Type = Wireless-802.11 (40) Connect-Info = "CONNECT 0Mbps 802.11b" (40) EAP-Message = 0x02b900061900 (40) State = 0x2a8581bd293c98df1e814808369ac970 (40) Message-Authenticator = 0xe886a2afdad2cabad78f25fbe33d4914 (40) session-state: No cached attributes (40) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (40) authorize { (40) policy filter_username { (40) if (&User-Name) { (40) if (&User-Name) -> TRUE (40) if (&User-Name) { (40) if (&User-Name =~ / /) { (40) if (&User-Name =~ / /) -> FALSE (40) if (&User-Name =~ /@[^@]*@/ ) { (40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (40) if (&User-Name =~ /\.\./ ) { (40) if (&User-Name =~ /\.\./ ) -> FALSE (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (40) if (&User-Name =~ /\.$/) { (40) if (&User-Name =~ /\.$/) -> FALSE (40) if (&User-Name =~ /@\./) { (40) if (&User-Name =~ /@\./) -> FALSE (40) } # if (&User-Name) = notfound (40) } # policy filter_username = notfound (40) [preprocess] = ok (40) [chap] = noop (40) [mschap] = noop (40) [digest] = noop (40) suffix: Checking for suffix after "@" (40) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (40) suffix: No such realm "NULL" (40) [suffix] = noop (40) eap: Peer sent EAP Response (code 2) ID 185 length 6 (40) eap: Continuing tunnel setup (40) [eap] = ok (40) } # authorize = ok (40) Found Auth-Type = eap (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (40) authenticate { (40) eap: Expiring EAP session with state 0x2a8581bd293c98df (40) eap: Finished EAP session with state 0x2a8581bd293c98df (40) eap: Previous EAP request found for state 0x2a8581bd293c98df, released from the list (40) eap: Peer sent packet with method EAP PEAP (25) (40) eap: Calling submodule eap_peap to process data (40) eap_peap: Continuing EAP-TLS (40) eap_peap: Peer ACKed our handshake fragment. handshake is finished (40) eap_peap: [eaptls verify] = success (40) eap_peap: [eaptls process] = success (40) eap_peap: Session established. Decoding tunneled attributes (40) eap_peap: PEAP state TUNNEL ESTABLISHED (40) eap: Sending EAP Request (code 1) ID 186 length 75 (40) eap: EAP session adding &reply:State = 0x2a8581bd2e3f98df (40) [eap] = handled (40) } # authenticate = handled (40) Using Post-Auth-Type Challenge (40) Post-Auth-Type sub-section not found. Ignoring. (40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (40) Sent Access-Challenge Id 212 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (40) EAP-Message = 0x01ba004b1900170303004050c7ff5a029d65ebb5f58ad75a43ea64eac1cd728a20be159fe3b332033e212a25fff20cf216db3542a33712cec541299cc1be4e818a681e6170a7ef0f0b36fd (40) Message-Authenticator = 0x00000000000000000000000000000000 (40) State = 0x2a8581bd2e3f98df1e814808369ac970 (40) Finished request Waking up in 4.7 seconds. (41) Received Access-Request Id 213 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253 (41) User-Name = "anonymous" (41) NAS-IP-Address = 192.168.1.38 (41) NAS-Identifier = "b4fbe4c348ab" (41) NAS-Port = 0 (41) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (41) Calling-Station-Id = "E0-4F-43-36-B1-F1" (41) Framed-MTU = 1400 (41) NAS-Port-Type = Wireless-802.11 (41) Connect-Info = "CONNECT 0Mbps 802.11b" (41) EAP-Message = 0x02ba004b190017030300400afc0335cdebda0b8aedef718917f7a9266c20e51e93d29843d1d72b4692f912508ecd700311673ed582be464091945f62ecef71c226614b11d7520ed1411b3e (41) State = 0x2a8581bd2e3f98df1e814808369ac970 (41) Message-Authenticator = 0x9fb73be30fe0f94516f4b1eb6ca07baf (41) session-state: No cached attributes (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [preprocess] = ok (41) [chap] = noop (41) [mschap] = noop (41) [digest] = noop (41) suffix: Checking for suffix after "@" (41) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (41) suffix: No such realm "NULL" (41) [suffix] = noop (41) eap: Peer sent EAP Response (code 2) ID 186 length 75 (41) eap: Continuing tunnel setup (41) [eap] = ok (41) } # authorize = ok (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) authenticate { (41) eap: Expiring EAP session with state 0x2a8581bd2e3f98df (41) eap: Finished EAP session with state 0x2a8581bd2e3f98df (41) eap: Previous EAP request found for state 0x2a8581bd2e3f98df, released from the list (41) eap: Peer sent packet with method EAP PEAP (25) (41) eap: Calling submodule eap_peap to process data (41) eap_peap: Continuing EAP-TLS (41) eap_peap: [eaptls verify] = ok (41) eap_peap: Done initial handshake (41) eap_peap: [eaptls process] = ok (41) eap_peap: Session established. Decoding tunneled attributes (41) eap_peap: PEAP state WAITING FOR INNER IDENTITY (41) eap_peap: Identity - particle (41) eap_peap: Got inner identity 'particle' (41) eap_peap: Setting default EAP type for tunneled EAP session (41) eap_peap: Got tunneled request (41) eap_peap: EAP-Message = 0x02ba000d017061727469636c65 (41) eap_peap: Setting User-Name to particle (41) eap_peap: Sending tunneled request to inner-tunnel (41) eap_peap: EAP-Message = 0x02ba000d017061727469636c65 (41) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (41) eap_peap: User-Name = "particle" (41) Virtual server inner-tunnel received request (41) EAP-Message = 0x02ba000d017061727469636c65 (41) FreeRADIUS-Proxied-To = 127.0.0.1 (41) User-Name = "particle" (41) server inner-tunnel { (41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (41) authorize { (41) policy filter_username { (41) if (&User-Name) { (41) if (&User-Name) -> TRUE (41) if (&User-Name) { (41) if (&User-Name =~ / /) { (41) if (&User-Name =~ / /) -> FALSE (41) if (&User-Name =~ /@[^@]*@/ ) { (41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (41) if (&User-Name =~ /\.\./ ) { (41) if (&User-Name =~ /\.\./ ) -> FALSE (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (41) if (&User-Name =~ /\.$/) { (41) if (&User-Name =~ /\.$/) -> FALSE (41) if (&User-Name =~ /@\./) { (41) if (&User-Name =~ /@\./) -> FALSE (41) } # if (&User-Name) = notfound (41) } # policy filter_username = notfound (41) [chap] = noop (41) [mschap] = noop (41) suffix: Checking for suffix after "@" (41) suffix: No '@' in User-Name = "particle", looking up realm NULL (41) suffix: No such realm "NULL" (41) [suffix] = noop (41) update control { (41) &Proxy-To-Realm := LOCAL (41) } # update control = noop (41) eap: Peer sent EAP Response (code 2) ID 186 length 13 (41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (41) [eap] = ok (41) } # authorize = ok (41) Found Auth-Type = eap (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (41) authenticate { (41) eap: Peer sent packet with method EAP Identity (1) (41) eap: Calling submodule eap_mschapv2 to process data (41) eap_mschapv2: Issuing Challenge (41) eap: Sending EAP Request (code 1) ID 187 length 43 (41) eap: EAP session adding &reply:State = 0xc826a0d6c89dba78 (41) [eap] = handled (41) } # authenticate = handled (41) } # server inner-tunnel (41) Virtual server sending reply (41) EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132 (41) Message-Authenticator = 0x00000000000000000000000000000000 (41) State = 0xc826a0d6c89dba78a72f2090812f4b12 (41) eap_peap: Got tunneled reply code 11 (41) eap_peap: EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132 (41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (41) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12 (41) eap_peap: Got tunneled reply RADIUS code 11 (41) eap_peap: EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132 (41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (41) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12 (41) eap_peap: Got tunneled Access-Challenge (41) eap: Sending EAP Request (code 1) ID 187 length 107 (41) eap: EAP session adding &reply:State = 0x2a8581bd2f3e98df (41) [eap] = handled (41) } # authenticate = handled (41) Using Post-Auth-Type Challenge (41) Post-Auth-Type sub-section not found. Ignoring. (41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (41) Sent Access-Challenge Id 213 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (41) EAP-Message = 0x01bb006b1900170303006079feffc6710fc43792c394a4889d930fe8c6c16d764af16d1d3976d6e621e36843745d0bffc55524283b9bd53ea806ced6df2dbbdde549e3e5cc38979d5cb49ad0da91db6f806722c0e8a4d302d8271e25e76be953888bdd43cae59c2735c288 (41) Message-Authenticator = 0x00000000000000000000000000000000 (41) State = 0x2a8581bd2f3e98df1e814808369ac970 (41) Finished request Waking up in 4.7 seconds. (42) Received Access-Request Id 214 from 192.168.1.38:55602 to 192.168.1.33:1812 length 301 (42) User-Name = "anonymous" (42) NAS-IP-Address = 192.168.1.38 (42) NAS-Identifier = "b4fbe4c348ab" (42) NAS-Port = 0 (42) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (42) Calling-Station-Id = "E0-4F-43-36-B1-F1" (42) Framed-MTU = 1400 (42) NAS-Port-Type = Wireless-802.11 (42) Connect-Info = "CONNECT 0Mbps 802.11b" (42) EAP-Message = 0x02bb007b190017030300700afc0335cdebda0b8aedef718917f7a9c3609e53fed2947c5461a170ad04e646ead20718e53d64b3e64bfa32cbc4920565fd84e50ee59a599ef81f5b234f495ceb2429aed13228f79886d1231139863a94e38688d4bf00844977159f1ab54839398774564992f36bdca50f16 (42) State = 0x2a8581bd2f3e98df1e814808369ac970 (42) Message-Authenticator = 0x03cd878b5c6e2070f2fe065228980db3 (42) session-state: No cached attributes (42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (42) authorize { (42) policy filter_username { (42) if (&User-Name) { (42) if (&User-Name) -> TRUE (42) if (&User-Name) { (42) if (&User-Name =~ / /) { (42) if (&User-Name =~ / /) -> FALSE (42) if (&User-Name =~ /@[^@]*@/ ) { (42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (42) if (&User-Name =~ /\.\./ ) { (42) if (&User-Name =~ /\.\./ ) -> FALSE (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (42) if (&User-Name =~ /\.$/) { (42) if (&User-Name =~ /\.$/) -> FALSE (42) if (&User-Name =~ /@\./) { (42) if (&User-Name =~ /@\./) -> FALSE (42) } # if (&User-Name) = notfound (42) } # policy filter_username = notfound (42) [preprocess] = ok (42) [chap] = noop (42) [mschap] = noop (42) [digest] = noop (42) suffix: Checking for suffix after "@" (42) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (42) suffix: No such realm "NULL" (42) [suffix] = noop (42) eap: Peer sent EAP Response (code 2) ID 187 length 123 (42) eap: Continuing tunnel setup (42) [eap] = ok (42) } # authorize = ok (42) Found Auth-Type = eap (42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (42) authenticate { (42) eap: Expiring EAP session with state 0xc826a0d6c89dba78 (42) eap: Finished EAP session with state 0x2a8581bd2f3e98df (42) eap: Previous EAP request found for state 0x2a8581bd2f3e98df, released from the list (42) eap: Peer sent packet with method EAP PEAP (25) (42) eap: Calling submodule eap_peap to process data (42) eap_peap: Continuing EAP-TLS (42) eap_peap: [eaptls verify] = ok (42) eap_peap: Done initial handshake (42) eap_peap: [eaptls process] = ok (42) eap_peap: Session established. Decoding tunneled attributes (42) eap_peap: PEAP state phase2 (42) eap_peap: EAP method MSCHAPv2 (26) (42) eap_peap: Got tunneled request (42) eap_peap: EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65 (42) eap_peap: Setting User-Name to particle (42) eap_peap: Sending tunneled request to inner-tunnel (42) eap_peap: EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65 (42) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (42) eap_peap: User-Name = "particle" (42) eap_peap: State = 0xc826a0d6c89dba78a72f2090812f4b12 (42) Virtual server inner-tunnel received request (42) EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65 (42) FreeRADIUS-Proxied-To = 127.0.0.1 (42) User-Name = "particle" (42) State = 0xc826a0d6c89dba78a72f2090812f4b12 (42) server inner-tunnel { (42) session-state: No cached attributes (42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (42) authorize { (42) policy filter_username { (42) if (&User-Name) { (42) if (&User-Name) -> TRUE (42) if (&User-Name) { (42) if (&User-Name =~ / /) { (42) if (&User-Name =~ / /) -> FALSE (42) if (&User-Name =~ /@[^@]*@/ ) { (42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (42) if (&User-Name =~ /\.\./ ) { (42) if (&User-Name =~ /\.\./ ) -> FALSE (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (42) if (&User-Name =~ /\.$/) { (42) if (&User-Name =~ /\.$/) -> FALSE (42) if (&User-Name =~ /@\./) { (42) if (&User-Name =~ /@\./) -> FALSE (42) } # if (&User-Name) = notfound (42) } # policy filter_username = notfound (42) [chap] = noop (42) [mschap] = noop (42) suffix: Checking for suffix after "@" (42) suffix: No '@' in User-Name = "particle", looking up realm NULL (42) suffix: No such realm "NULL" (42) [suffix] = noop (42) update control { (42) &Proxy-To-Realm := LOCAL (42) } # update control = noop (42) eap: Peer sent EAP Response (code 2) ID 187 length 67 (42) eap: No EAP Start, assuming it's an on-going EAP conversation (42) [eap] = updated (42) files: users: Matched entry particle at line 1 (42) [files] = ok (42) [expiration] = noop (42) [logintime] = noop (42) pap: WARNING: Auth-Type already set. Not setting to PAP (42) [pap] = noop (42) } # authorize = updated (42) Found Auth-Type = eap (42) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (42) authenticate { (42) eap: Expiring EAP session with state 0xc826a0d6c89dba78 (42) eap: Finished EAP session with state 0xc826a0d6c89dba78 (42) eap: Previous EAP request found for state 0xc826a0d6c89dba78, released from the list (42) eap: Peer sent packet with method EAP MSCHAPv2 (26) (42) eap: Calling submodule eap_mschapv2 to process data (42) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (42) eap_mschapv2: authenticate { (42) mschap: Found Cleartext-Password, hashing to create NT-Password (42) mschap: Found Cleartext-Password, hashing to create LM-Password (42) mschap: Creating challenge hash with username: particle (42) mschap: Client is using MS-CHAPv2 (42) mschap: Adding MS-CHAPv2 MPPE keys (42) [mschap] = ok (42) } # authenticate = ok (42) MSCHAP Success (42) eap: Sending EAP Request (code 1) ID 188 length 51 (42) eap: EAP session adding &reply:State = 0xc826a0d6c99aba78 (42) [eap] = handled (42) } # authenticate = handled (42) } # server inner-tunnel (42) Virtual server sending reply (42) EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836 (42) Message-Authenticator = 0x00000000000000000000000000000000 (42) State = 0xc826a0d6c99aba78a72f2090812f4b12 (42) eap_peap: Got tunneled reply code 11 (42) eap_peap: EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836 (42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (42) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12 (42) eap_peap: Got tunneled reply RADIUS code 11 (42) eap_peap: EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836 (42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (42) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12 (42) eap_peap: Got tunneled Access-Challenge (42) eap: Sending EAP Request (code 1) ID 188 length 107 (42) eap: EAP session adding &reply:State = 0x2a8581bd2c3998df (42) [eap] = handled (42) } # authenticate = handled (42) Using Post-Auth-Type Challenge (42) Post-Auth-Type sub-section not found. Ignoring. (42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (42) Sent Access-Challenge Id 214 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (42) EAP-Message = 0x01bc006b19001703030060b9f4e0a42efec0bee4d249cc360bda244ef5eb4368b4b4f327f7a7f7576312b11aae4a061cc97e76ec3e4c0e9082190d0bc9a581a909759c1c2baf22bb29c97fc63d71bd9b875c4bddb657eaa082997f34f48f5fce577bf5132ae26e47af86da (42) Message-Authenticator = 0x00000000000000000000000000000000 (42) State = 0x2a8581bd2c3998df1e814808369ac970 (42) Finished request Waking up in 4.7 seconds. (43) Received Access-Request Id 215 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253 (43) User-Name = "anonymous" (43) NAS-IP-Address = 192.168.1.38 (43) NAS-Identifier = "b4fbe4c348ab" (43) NAS-Port = 0 (43) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (43) Calling-Station-Id = "E0-4F-43-36-B1-F1" (43) Framed-MTU = 1400 (43) NAS-Port-Type = Wireless-802.11 (43) Connect-Info = "CONNECT 0Mbps 802.11b" (43) EAP-Message = 0x02bc004b190017030300400afc0335cdebda0b8aedef718917f7a9b9754affb9dde8383a0f060aa61ccd734c8dbe21fb029818558ea1f8df0577fb7e74b2b1209df846f6fc5555f5161caf (43) State = 0x2a8581bd2c3998df1e814808369ac970 (43) Message-Authenticator = 0xbf55ee3fc671fa161a966a884ed075db (43) session-state: No cached attributes (43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (43) authorize { (43) policy filter_username { (43) if (&User-Name) { (43) if (&User-Name) -> TRUE (43) if (&User-Name) { (43) if (&User-Name =~ / /) { (43) if (&User-Name =~ / /) -> FALSE (43) if (&User-Name =~ /@[^@]*@/ ) { (43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (43) if (&User-Name =~ /\.\./ ) { (43) if (&User-Name =~ /\.\./ ) -> FALSE (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (43) if (&User-Name =~ /\.$/) { (43) if (&User-Name =~ /\.$/) -> FALSE (43) if (&User-Name =~ /@\./) { (43) if (&User-Name =~ /@\./) -> FALSE (43) } # if (&User-Name) = notfound (43) } # policy filter_username = notfound (43) [preprocess] = ok (43) [chap] = noop (43) [mschap] = noop (43) [digest] = noop (43) suffix: Checking for suffix after "@" (43) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (43) suffix: No such realm "NULL" (43) [suffix] = noop (43) eap: Peer sent EAP Response (code 2) ID 188 length 75 (43) eap: Continuing tunnel setup (43) [eap] = ok (43) } # authorize = ok (43) Found Auth-Type = eap (43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (43) authenticate { (43) eap: Expiring EAP session with state 0xc826a0d6c99aba78 (43) eap: Finished EAP session with state 0x2a8581bd2c3998df (43) eap: Previous EAP request found for state 0x2a8581bd2c3998df, released from the list (43) eap: Peer sent packet with method EAP PEAP (25) (43) eap: Calling submodule eap_peap to process data (43) eap_peap: Continuing EAP-TLS (43) eap_peap: [eaptls verify] = ok (43) eap_peap: Done initial handshake (43) eap_peap: [eaptls process] = ok (43) eap_peap: Session established. Decoding tunneled attributes (43) eap_peap: PEAP state phase2 (43) eap_peap: EAP method MSCHAPv2 (26) (43) eap_peap: Got tunneled request (43) eap_peap: EAP-Message = 0x02bc00061a03 (43) eap_peap: Setting User-Name to particle (43) eap_peap: Sending tunneled request to inner-tunnel (43) eap_peap: EAP-Message = 0x02bc00061a03 (43) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (43) eap_peap: User-Name = "particle" (43) eap_peap: State = 0xc826a0d6c99aba78a72f2090812f4b12 (43) Virtual server inner-tunnel received request (43) EAP-Message = 0x02bc00061a03 (43) FreeRADIUS-Proxied-To = 127.0.0.1 (43) User-Name = "particle" (43) State = 0xc826a0d6c99aba78a72f2090812f4b12 (43) server inner-tunnel { (43) session-state: No cached attributes (43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (43) authorize { (43) policy filter_username { (43) if (&User-Name) { (43) if (&User-Name) -> TRUE (43) if (&User-Name) { (43) if (&User-Name =~ / /) { (43) if (&User-Name =~ / /) -> FALSE (43) if (&User-Name =~ /@[^@]*@/ ) { (43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (43) if (&User-Name =~ /\.\./ ) { (43) if (&User-Name =~ /\.\./ ) -> FALSE (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (43) if (&User-Name =~ /\.$/) { (43) if (&User-Name =~ /\.$/) -> FALSE (43) if (&User-Name =~ /@\./) { (43) if (&User-Name =~ /@\./) -> FALSE (43) } # if (&User-Name) = notfound (43) } # policy filter_username = notfound (43) [chap] = noop (43) [mschap] = noop (43) suffix: Checking for suffix after "@" (43) suffix: No '@' in User-Name = "particle", looking up realm NULL (43) suffix: No such realm "NULL" (43) [suffix] = noop (43) update control { (43) &Proxy-To-Realm := LOCAL (43) } # update control = noop (43) eap: Peer sent EAP Response (code 2) ID 188 length 6 (43) eap: No EAP Start, assuming it's an on-going EAP conversation (43) [eap] = updated (43) files: users: Matched entry particle at line 1 (43) [files] = ok (43) [expiration] = noop (43) [logintime] = noop (43) pap: WARNING: Auth-Type already set. Not setting to PAP (43) [pap] = noop (43) } # authorize = updated (43) Found Auth-Type = eap (43) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (43) authenticate { (43) eap: Expiring EAP session with state 0xc826a0d6c99aba78 (43) eap: Finished EAP session with state 0xc826a0d6c99aba78 (43) eap: Previous EAP request found for state 0xc826a0d6c99aba78, released from the list (43) eap: Peer sent packet with method EAP MSCHAPv2 (26) (43) eap: Calling submodule eap_mschapv2 to process data (43) eap: Sending EAP Success (code 3) ID 188 length 4 (43) eap: Freeing handler (43) [eap] = ok (43) } # authenticate = ok (43) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (43) post-auth { ... } # empty sub-section is ignored (43) } # server inner-tunnel (43) Virtual server sending reply (43) MS-MPPE-Encryption-Policy = Encryption-Allowed (43) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (43) MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d (43) MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98 (43) EAP-Message = 0x03bc0004 (43) Message-Authenticator = 0x00000000000000000000000000000000 (43) User-Name = "particle" (43) eap_peap: Got tunneled reply code 2 (43) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (43) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (43) eap_peap: MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d (43) eap_peap: MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98 (43) eap_peap: EAP-Message = 0x03bc0004 (43) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (43) eap_peap: User-Name = "particle" (43) eap_peap: Got tunneled reply RADIUS code 2 (43) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (43) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (43) eap_peap: MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d (43) eap_peap: MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98 (43) eap_peap: EAP-Message = 0x03bc0004 (43) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (43) eap_peap: User-Name = "particle" (43) eap_peap: Tunneled authentication was successful (43) eap_peap: SUCCESS (43) eap: Sending EAP Request (code 1) ID 189 length 75 (43) eap: EAP session adding &reply:State = 0x2a8581bd2d3898df (43) [eap] = handled (43) } # authenticate = handled (43) Using Post-Auth-Type Challenge (43) Post-Auth-Type sub-section not found. Ignoring. (43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (43) Sent Access-Challenge Id 215 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0 (43) EAP-Message = 0x01bd004b19001703030040b9bfa8da3c157aefbb79072add6550d5c358cb82d3e35524a00affd2bac853f94e6bab78f4d1ff4a9a67f2887ef428052762834010a626cdf516ba109ff8dd11 (43) Message-Authenticator = 0x00000000000000000000000000000000 (43) State = 0x2a8581bd2d3898df1e814808369ac970 (43) Finished request William Steen wjsteen@talktalk.net
On 20 May 2019, at 09:45, william steen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
First time using freeradius, attempting to setup freeradius server on a RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received.
Included below is the debug output on startup and when an attempt to connect using PEAP-MSCHAPv2 using just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error MS-CHAP2-Response is incorrect which comes after a WARNING: Auth-Type already set. Not setting to PAP?
FreeRADIUS Version 3.0.12
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Ready to process requests
Below is what debug output when trying to connect to the WAP.
(0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172 (0) User-Name = "particle" (0) NAS-IP-Address = 192.168.1.38 (0) NAS-Identifier = "b4fbe4c348ab" (0) NAS-Port = 0 (0) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (0) Calling-Station-Id = "E0-4F-43-36-B1-F1" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) EAP-Message = 0x0205000d017061727469636c65 (0) Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "particle", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 5 length 13 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 6 length 22 (0) eap: EAP session adding &reply:State = 0x792e584479285c88 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (0) EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x792e584479285c88d729d5f4b5ba04a4 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (1) User-Name = "particle" (1) NAS-IP-Address = 192.168.1.38 (1) NAS-Identifier = "b4fbe4c348ab" (1) NAS-Port = 0 (1) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (1) Calling-Station-Id = "E0-4F-43-36-B1-F1" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) EAP-Message = 0x020600060319 (1) State = 0x792e584479285c88d729d5f4b5ba04a4 (1) Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "particle", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 6 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry particle at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x792e584479285c88 (1) eap: Finished EAP session with state 0x792e584479285c88 (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 7 length 6 (1) eap: EAP session adding &reply:State = 0x792e584478294188 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (1) EAP-Message = 0x010700061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x792e584478294188d729d5f4b5ba04a4 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273 (2) User-Name = "particle" (2) NAS-IP-Address = 192.168.1.38 (2) NAS-Identifier = "b4fbe4c348ab" (2) NAS-Port = 0 (2) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (2) Calling-Station-Id = "E0-4F-43-36-B1-F1" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403 (2) State = 0x792e584478294188d729d5f4b5ba04a4 (2) Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "particle", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 7 length 96 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x792e584478294188 (2) eap: Finished EAP session with state 0x792e584478294188 (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes (2) eap_peap: Got complete TLS record (86 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.2 [length 0051] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 002a] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02f1] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 8 length 820 (2) eap: EAP session adding &reply:State = 0x792e58447b264188 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (2) EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x792e58447b264188d729d5f4b5ba04a4 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547 (3) User-Name = "particle" (3) NAS-IP-Address = 192.168.1.38 (3) NAS-Identifier = "b4fbe4c348ab" (3) NAS-Port = 0 (3) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (3) Calling-Station-Id = "E0-4F-43-36-B1-F1" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67 (3) State = 0x792e58447b264188d729d5f4b5ba04a4 (3) Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "particle", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 8 length 368 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x792e58447b264188 (3) eap: Finished EAP session with state 0x792e58447b264188 (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes (3) eap_peap: Got complete TLS record (358 bytes) (3) eap_peap: [eaptls verify] = length included (3) eap_peap: TLS_accept: SSLv3/TLS write server done (3) eap_peap: <<< recv TLS 1.2 [length 0106] (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_peap: <<< recv TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS read finished (3) eap_peap: >>> send TLS 1.2 [length 0001] (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_peap: >>> send TLS 1.2 [length 0010] (3) eap_peap: TLS_accept: SSLv3/TLS write finished (3) eap_peap: (other): SSL negotiation finished successfully (3) eap_peap: SSL Connection Established (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 9 length 97 (3) eap: EAP session adding &reply:State = 0x792e58447a274188 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (3) EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x792e58447a274188d729d5f4b5ba04a4 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183 (4) User-Name = "particle" (4) NAS-IP-Address = 192.168.1.38 (4) NAS-Identifier = "b4fbe4c348ab" (4) NAS-Port = 0 (4) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (4) Calling-Station-Id = "E0-4F-43-36-B1-F1" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) EAP-Message = 0x020900061900 (4) State = 0x792e58447a274188d729d5f4b5ba04a4 (4) Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "particle", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 9 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x792e58447a274188 (4) eap: Finished EAP session with state 0x792e58447a274188 (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment. handshake is finished (4) eap_peap: [eaptls verify] = success (4) eap_peap: [eaptls process] = success (4) eap_peap: Session established. Decoding tunneled attributes (4) eap_peap: PEAP state TUNNEL ESTABLISHED (4) eap: Sending EAP Request (code 1) ID 10 length 75 (4) eap: EAP session adding &reply:State = 0x792e58447d244188 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (4) EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x792e58447d244188d729d5f4b5ba04a4 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (5) User-Name = "particle" (5) NAS-IP-Address = 192.168.1.38 (5) NAS-Identifier = "b4fbe4c348ab" (5) NAS-Port = 0 (5) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (5) Calling-Station-Id = "E0-4F-43-36-B1-F1" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7 (5) State = 0x792e58447d244188d729d5f4b5ba04a4 (5) Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23 (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 75 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x792e58447d244188 (5) eap: Finished EAP session with state 0x792e58447d244188 (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: [eaptls verify] = ok (5) eap_peap: Done initial handshake (5) eap_peap: [eaptls process] = ok (5) eap_peap: Session established. Decoding tunneled attributes (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY (5) eap_peap: Identity - particle (5) eap_peap: Got inner identity 'particle' (5) eap_peap: Setting default EAP type for tunneled EAP session (5) eap_peap: Got tunneled request (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: Setting User-Name to particle (5) eap_peap: Sending tunneled request to inner-tunnel (5) eap_peap: EAP-Message = 0x020a000d017061727469636c65 (5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (5) eap_peap: User-Name = "particle" (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x020a000d017061727469636c65 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "particle" (5) WARNING: Outer and inner identities are the same. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "particle", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 10 length 13 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 43 (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled reply RADIUS code 11 (5) eap_peap: EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132 (5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (5) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (5) eap_peap: Got tunneled Access-Challenge (5) eap: Sending EAP Request (code 1) ID 11 length 107 (5) eap: EAP session adding &reply:State = 0x792e58447c254188 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (5) EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x792e58447c254188d729d5f4b5ba04a4 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300 (6) User-Name = "particle" (6) NAS-IP-Address = 192.168.1.38 (6) NAS-Identifier = "b4fbe4c348ab" (6) NAS-Port = 0 (6) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (6) Calling-Station-Id = "E0-4F-43-36-B1-F1" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818 (6) State = 0x792e58447c254188d729d5f4b5ba04a4 (6) Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 123 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x792e58447c254188 (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: [eaptls verify] = ok (6) eap_peap: Done initial handshake (6) eap_peap: [eaptls process] = ok (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state phase2 (6) eap_peap: EAP method MSCHAPv2 (26) (6) eap_peap: Got tunneled request (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: Setting User-Name to particle (6) eap_peap: Sending tunneled request to inner-tunnel (6) eap_peap: EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_peap: User-Name = "particle" (6) eap_peap: State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "particle" (6) State = 0x9ed5137a9ede099241d17dbdaa28bbf3 (6) WARNING: Outer and inner identities are the same. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "particle", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 11 length 67 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry particle at line 1 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992 (6) eap: Finished EAP session with state 0x9ed5137a9ede0992 (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Creating challenge hash with username: particle (6) mschap: Client is using MS-CHAPv2 (6) mschap: ERROR: MS-CHAP2-Response is incorrect (6) [mschap] = reject (6) } # authenticate = reject (6) eap: Sending EAP Failure (code 4) ID 11 length 4 (6) eap: Freeing handler (6) [eap] = reject (6) } # authenticate = reject (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> particle (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) EAP-Message = 0x040b0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Got tunneled reply RADIUS code 3 (6) eap_peap: MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed" (6) eap_peap: EAP-Message = 0x040b0004 (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (6) eap_peap: Tunneled authentication was rejected (6) eap_peap: FAILURE (6) eap: Sending EAP Request (code 1) ID 12 length 75 (6) eap: EAP session adding &reply:State = 0x792e58447f224188 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) session-state: Saving cached attributes (6) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0 (6) EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x792e58447f224188d729d5f4b5ba04a4 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252 (7) User-Name = "particle" (7) NAS-IP-Address = 192.168.1.38 (7) NAS-Identifier = "b4fbe4c348ab" (7) NAS-Port = 0 (7) Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2" (7) Calling-Station-Id = "E0-4F-43-36-B1-F1" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea (7) State = 0x792e58447f224188d729d5f4b5ba04a4 (7) Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7 (7) Restoring &session-state (7) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "particle", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 12 length 75 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x792e58447f224188 (7) eap: Finished EAP session with state 0x792e58447f224188 (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state send tlv failure (7) eap_peap: Received EAP-TLV response (7) eap_peap: The users session was previously rejected: returning reject (again.) (7) eap_peap: This means you need to read the PREVIOUS messages in the debug output (7) eap_peap: to find out the reason why the user was rejected (7) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (7) eap_peap: what went wrong, and how to fix the problem (7) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 12 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> particle (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44 (7) EAP-Message = 0x040c0004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. (0) Cleaning up request packet ID 37 with timestamp +37 (1) Cleaning up request packet ID 38 with timestamp +37 (2) Cleaning up request packet ID 39 with timestamp +37 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 40 with timestamp +37 (4) Cleaning up request packet ID 41 with timestamp +37 (5) Cleaning up request packet ID 42 with timestamp +37 (6) Cleaning up request packet ID 43 with timestamp +37 (7) Cleaning up request packet ID 44 with timestamp +37
Thanks in advance for any help.
Will
wjsteen@talktalk.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html