Hi Enrique,
Can you show us what the inner-tunnel post-auth section looks like? By trimming down the debug output, we've lost that.
If your inner-tunnel post-auth just uses "update reply {", then you may with to update it with "update outer.reply {", which should feed the attribute back.
Stefan
Hi Stefan,
I only added to postauth in inner-tunnel server configuration what I had in authorize in default server:
foreach &control:LDAP-Group { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } }
Now I changed it into update outer.reply and, instead of the attribute being added to the tunneled reply to the default server, it was added to the Access-Challenge that the default server sent to the client. Then, the client >sends one last Access-Request and the server sends Access-Accept without the attribute. I am guessing that this last reply was done only by the default server, so the inner-tunnel didn't get to add anything. But if that's so, >how can I add the attribute in the default server without querying LDAP on every packet that the server sends to set up the TLS conversation?
Thanks again!
Hello again, I am thinking that rlm_cache might be a good solution to my problem here. However, I have been looking at config extracts from [1] (especially the rlm_cache config and the virtual server config) and I still don't get to understand how and where to call the module. I would like it to cache group information (LDAP-Group, I guess) in the authorize inner-tunnel server, because that's when that info is available, and then retrieve it before sending the last Access-Accept response. The problem here is that (see below debug output) authorize in inner-tunnel is only executed for request number (8). And I actually add the group info to the attribute I need it in, but it gets sent to the client in the Access-Challenge that comes from request (8). Then, in request (9) EAP handles the authorize section, so group info is never available in inner-tunnel, and in request (10) (which is the one that sends the Access-Accept) inner-tunnel isn't even run, so group info is again never available. Is rlm_cache the answer to my problems? If so, should I just call it in authorize in inner-tunnel after ldap and then to retrieve in default server post-auth? Or when/how? And if not, any other solutions to this? Thanks very much! Here comes the debug output: Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812 length 184 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x02000009016a75616e Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x551c607a199f01eb0d0e81738caf9fce (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f2d24f6d (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 44 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010100160410cb20de385d1d546bfc7008d3203aad16 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f2d24f6dba0219098c99f6b0 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 45 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020100060319 State = 0xf2d34be6f2d24f6dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x5c681550b7e9d39a666e12cc187e7e41 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "juan", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (4) (1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap : --> (uid=juan) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (1) ldap : No cacheable group memberships found in user object (1) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (1) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (1) ldap : EXPAND dc=ejemplo,dc=org (1) ldap : --> dc=ejemplo,dc=org (1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (1) ldap : Waiting for search result... (1) ldap : Added control:Ldap-Group with value "profesores" (1) ldap : Processing user attributes (1) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (1) [ldap] = ok (1) foreach &control:LDAP-Group (1) update reply { (1) EXPAND %{Foreach-Variable-0} (1) --> profesores (1) &Ruckus-User-Groups += '"profesores"' (1) } # update reply = noop (1) } # foreach &control:LDAP-Group = noop (1) [expiration] = noop (1) [logintime] = noop (1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xf2d34be6f2d24f6d (1) eap : Finished EAP session with state 0xf2d34be6f2d24f6d (1) eap : Previous EAP request found for state 0xf2d34be6f2d24f6d, released from the list (1) eap : Peer sent NAK (3) (1) eap : Found mutually acceptable type PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Flushing SSL sessions (of #0) (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f3d1526d (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 45 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f3d1526dba0219098c99f6b0 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 46 from 192.168.60.1:1024 to 192.168.50.62:1812 length 433 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020200f01980000000e616030100e1010000dd0301539023c86aa69faf2c7106399473d0b7 5b15d8dc6e8f9ca40f683448a44eb5962081c93bdccf265b22049421297ff8f45a11aab6cfa5 a4db2f469fbd9d378533190054c014c00ac022c02100390038c00fc0050035c012c008c01cc0 1b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200 0500040015001200090014001100080006000300ff01000040000b000403000102000a003400 32000e000d0019000b000c00180009000a001600170008000600070014001500040005001200 13000100020003000f00100011 State = 0xf2d34be6f3d1526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xa07d697dcd6a448d60b407c2f0c4c3c9 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "juan", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 240 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xf2d34be6f3d1526d (2) eap : Finished EAP session with state 0xf2d34be6f3d1526d (2) eap : Previous EAP request found for state 0xf2d34be6f3d1526d, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 230 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello SSL: Client requested cached session 81c93bdccf265b22049421297ff8f45a11aab6cfa5a4db2f469fbd9d37853319 (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f0d0526d (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 46 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010303ec19c000000a8c1603010059020000550301537ab444850db3bb3136ea68af9bbafc 51f7770ffd02bcb00e393b3e88ff57de202a6565d47da8be010096c76ce138e64f1b9093d86f f4ebbf83fd0676ff503bcdc01400000dff01000100000b00040300010216030108d00b0008cc 0008c90003de308203da308202c2a003020102020101300d06092a864886f70d010105050030 8193310b3009060355040613024652310f300d06035504081306526164697573311230100603 5504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31 20301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406 03550403131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3134303532363039303731395a170d3134303732353039303731395a307c310b3009060355 040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d 706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274 696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b4d9 2a9bd1b2b267aad680a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f0d0526dba0219098c99f6b0 (2) Finished request Waking up in 0.2 seconds. Received Access-Request Id 47 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020300061900 State = 0xf2d34be6f0d0526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xe309d5e5cdae1c0bbfa623be11903ab5 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "juan", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xf2d34be6f0d0526d (3) eap : Finished EAP session with state 0xf2d34be6f0d0526d (3) eap : Previous EAP request found for state 0xf2d34be6f0d0526d, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f1d7526d (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 47 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010403e81940f08a7c1b2dd8c2953a42092c40256f3c95aead6ca24e42eb6c1922b09e14b1 acbecd87e846237acd2d2b9421114a92a0fece98830605e1b5299bda2f3c687c04b964250562 c495fda180e34903539504d24ed41219657467513bbee3da43aeceea7dc740779031ef400004 e5308204e1308203c9a003020102020900ae1eee72cb957415300d06092a864886f70d010105 0500308193310b3009060355040613024652310f300d06035504081306526164697573311230 1006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e 632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126 30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 301e170d3134303532363039303731395a170d3134303732353039303731395a308193310b30 09060355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609 2a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313 1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d0609 2a864886f70d0101010 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f1d7526dba0219098c99f6b0 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 48 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020400061900 State = 0xf2d34be6f1d7526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x4cf4e096457ca42b66f081ffe62c56a3 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "juan", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 4 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xf2d34be6f1d7526d (4) eap : Finished EAP session with state 0xf2d34be6f1d7526d (4) eap : Previous EAP request found for state 0xf2d34be6f1d7526d, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f6d6526d (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 48 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010502ce190020417574686f72697479820900ae1eee72cb957415300c0603551d13040530 030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d 706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003 820101003e5b89120dcee4dd3ad38d4e613703d4c2957b440e989041bbc0b2104fab41bc1711 4e7375667726228cdebdd991df6adbbf6acedfbcce2a3db0fbfd52c6d8651795cafd46b86aee ee792b917a8310520e406173fb9071650f734758316fd06c6087eacf393b241191332b5ef05a c25e91f0c80a7f387385718f077a1ee574bed2485c2f29b926f9a5239f0545883a8b8f713c8b cb1665b992027f88fd6112f30a4170b5151b86b36e837f6024d70e51dddaefbd8be228797820 17a7064bbc0dae176d5c5a3fb2db24c1da3162f9c8bb483e4e9c3e5f76cec3a49e9b43fd102d 447ecd12c1d9ee6df5a5b868bbefeb39d69430ff28323a319fdb076127784acb160301014b0c 000147030017410419d934713434dd24230ffad43111e2bfef9dd5657948bffa872bb594ce8d 14018e1319bd86c7b3dac03a66bfb00427b33eb856a705404f5c9c3698e7d0d32f5d01009ab4 07bae9b7b3d713700259aface19f0abd52ee93d0576038e3ce91fc6b9128cbde2ca0126a5dfb be21dfc58e4e7a15e2a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f6d6526dba0219098c99f6b0 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 49 from 192.168.60.1:1024 to 192.168.50.62:1812 length 337 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020500901980000000861603010046100000424104160c81895c3d89fb344bb2e4235d88f5 a644a8dd981215a2895151d75ecc80abdf72f0c36bccddd3a313aba4a13f617bf209c8c3c3ab 6775877e878f6b94ab5c14030100010116030100304d156ceb95e04c21090a6054e72c32101a edf9bbd1615936f5c2a6633e9ba093d8c6ec6aead5b6f9139aede59a1085fe State = 0xf2d34be6f6d6526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x5962e73ff0cb81ca848b8d4b1643bbfc (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "juan", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 5 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xf2d34be6f6d6526d (5) eap : Finished EAP session with state 0xf2d34be6f6d6526d (5) eap : Previous EAP request found for state 0xf2d34be6f6d6526d, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f7d5526d (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 49 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x01060041190014030100010116030100305f1dd086b2fcda746ddd6675d050b616eb46f6c4 85ad33bcfb24708bea0b71f847df30874010c1109cf3718fccd5fb9c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f7d5526dba0219098c99f6b0 (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 50 from 192.168.60.1:1024 to 192.168.50.62:1812 length 199 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020600061900 State = 0xf2d34be6f7d5526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xe204536505984e24186fbdb38c7d72a7 (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "juan", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 6 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xf2d34be6f7d5526d (6) eap : Finished EAP session with state 0xf2d34be6f7d5526d (6) eap : Previous EAP request found for state 0xf2d34be6f7d5526d, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f4d4526d (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 50 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x0107002b19001703010020e7dc197b9d445951f885b9272c9920eb0ccf2022d8dc5b84adb3 7eda224b2039 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f4d4526dba0219098c99f6b0 (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 51 from 192.168.60.1:1024 to 192.168.50.62:1812 length 273 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020700501900170301002035445b3148809e34a209ba4306150164c5972e03971a54a84a67 0e2444b4d81317030100200963d2867e367f7d0e82be8adad08264b5e0a0a5cb6c3060ea1c27 cb44f9cef2 State = 0xf2d34be6f4d4526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0x338da1d3c7e5c75bba182f7efefd8c31 (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "juan", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 7 length 80 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xf2d34be6f4d4526d (7) eap : Finished EAP session with state 0xf2d34be6f4d4526d (7) eap : Previous EAP request found for state 0xf2d34be6f4d4526d, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - juan (7) eap_peap : Got inner identity 'juan' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x02070009016a75616e server default { (7) eap_peap : Setting User-Name to juan Sending tunneled request EAP-Message = 0x02070009016a75616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'juan' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "juan", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 7 length 9 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0x0cb2efe70cbaf5a7 (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x0108001e1a0108001910efc88c501c83e7d1122c97cc3931a3466a75616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70cbaf5a7fe78397182ecc493 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a0108001910efc88c501c83e7d1122c97cc3931a3466a75616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70cbaf5a7fe78397182ecc493 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6f5db526d (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 51 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x0108003b19001703010030c259dc6418a48f52880c52b4e53a9fd571e709543aea2228628e ed46695d0cb3edf2b15afcf810ff06db7fe5dafaa79b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6f5db526dba0219098c99f6b0 (7) Finished request Waking up in 0.2 seconds. Received Access-Request Id 52 from 192.168.60.1:1024 to 192.168.50.62:1812 length 321 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x0208008019001703010020ca2297ddcdb80ca5c658810c20a1048a3b1fd4fda09e2586f096 e0c3c0ec1b8017030100500c5e41e36b65952fcc24d98040ba5b13bc777f27d94d75587bccda c9eae340d3ff56e5a80e44401b1b84f06048231da6d4de6c190653500f3ad3351748758ea14b 43868b6934d83b77e01bde5d27bf81 State = 0xf2d34be6f5db526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xf005c1e2521b44d4635ea6f72e096598 (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "juan", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 8 length 128 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0x0cb2efe70cbaf5a7 (8) eap : Finished EAP session with state 0xf2d34be6f5db526d (8) eap : Previous EAP request found for state 0xf2d34be6f5db526d, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x0208003f1a0208003a311405263ba16d3386f4c29edb366bd1140000000000000000312202 cc3292cab89b43f145649092513174d1ee90e90224006a75616e server default { (8) eap_peap : Setting User-Name to juan Sending tunneled request EAP-Message = 0x0208003f1a0208003a311405263ba16d3386f4c29edb366bd1140000000000000000312202 cc3292cab89b43f145649092513174d1ee90e90224006a75616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'juan' State = 0x0cb2efe70cbaf5a7fe78397182ecc493 server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "juan", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 8 length 63 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (4) (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap : --> (uid=juan) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (8) ldap : No cacheable group memberships found in user object (8) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (8) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (8) ldap : EXPAND dc=ejemplo,dc=org (8) ldap : --> dc=ejemplo,dc=org (8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (8) ldap : Waiting for search result... (8) ldap : Added control:Ldap-Group with value "profesores" (8) ldap : Processing user attributes (8) ldap : control:Password-With-Header += ''1234'' rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok (8) foreach &control:LDAP-Group (8) update outer.reply { (8) EXPAND %{Foreach-Variable-0} (8) --> profesores (8) &Ruckus-User-Groups += '"profesores"' (8) } # update outer.reply = noop (8) } # foreach &control:LDAP-Group = noop (8) [expiration] = noop (8) [logintime] = noop (8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password (8) WARNING: pap : Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x0cb2efe70cbaf5a7 (8) eap : Finished EAP session with state 0x0cb2efe70cbaf5a7 (8) eap : Previous EAP request found for state 0x0cb2efe70cbaf5a7, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Found Cleartext-Password, hashing to create LM-Password (8) mschap : Found Cleartext-Password, hashing to create NT-Password (8) mschap : Creating challenge hash with username: juan (8) mschap : Client is using MS-CHAPv2 (8) mschap : Adding MS-CHAPv2 MPPE keys (8) [mschap] = ok (8) } # Auth-Type MS-CHAP = ok MSCHAP Success (8) eap : New EAP session, adding 'State' attribute to reply 0x0cb2efe70dbbf5a7 (8) [eap] = handled (8) } # authenticate = handled } # server inner-tunnel (8) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d4338424430343744353931323244333545373631353142433444 3743434346364534423341423236 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70dbbf5a7fe78397182ecc493 (8) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d4338424430343744353931323244333545373631353142433444 3743434346364534423341423236 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0cb2efe70dbbf5a7fe78397182ecc493 (8) eap_peap : Got tunneled Access-Challenge (8) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6fada526d (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 52 from 192.168.50.62:1812 to 192.168.60.1:1024 Ruckus-User-Groups += 'profesores' EAP-Message = 0x0109005b190017030100501c6001565f58ad0148f0cde072e0eae03b6306c874c55d5c9599 d8581a68807b0ce0e02d471ccd40e82e99a7e9c93f8ed779ec42c3e802db9089ddbb64be4e0a 3317fb3a595a98ef1aafb878b93314c3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6fada526dba0219098c99f6b0 (8) Finished request Waking up in 0.2 seconds. Received Access-Request Id 53 from 192.168.60.1:1024 to 192.168.50.62:1812 length 273 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x0209005019001703010020ff5990044103107d4c1c6c0dcfd1592042bb616688995c8dd577 80afdee5290717030100206a03608ba19931e3be1f213f3f662169139b78345f3ae82edd9517 c9ac069de1 State = 0xf2d34be6fada526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xa33a0c467259057dfa7938db9d7983eb (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "juan", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 9 length 80 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0x0cb2efe70dbbf5a7 (9) eap : Finished EAP session with state 0xf2d34be6fada526d (9) eap : Previous EAP request found for state 0xf2d34be6fada526d, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state phase2 (9) eap_peap : EAP type MSCHAPv2 (26) (9) eap_peap : Got tunneled request EAP-Message = 0x020900061a03 server default { (9) eap_peap : Setting User-Name to juan Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'juan' State = 0x0cb2efe70dbbf5a7fe78397182ecc493 server inner-tunnel { (9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "juan", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 9 length 6 (9) eap : EAP-MSCHAPV2 success, returning short-circuit ok (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0x0cb2efe70dbbf5a7 (9) eap : Finished EAP session with state 0x0cb2efe70dbbf5a7 (9) eap : Previous EAP request found for state 0x0cb2efe70dbbf5a7, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (9) (null) post-auth { ... } # empty sub-section is ignored } # server inner-tunnel (9) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0xafb88407094b01fc005b3597058d8598 MS-MPPE-Recv-Key = 0x642cb4e62dc038e3896c5d673858b38c EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' (9) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0xafb88407094b01fc005b3597058d8598 MS-MPPE-Recv-Key = 0x642cb4e62dc038e3896c5d673858b38c EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' (9) eap_peap : Tunneled authentication was successful. (9) eap_peap : SUCCESS (9) eap : New EAP session, adding 'State' attribute to reply 0xf2d34be6fbd9526d (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge Id 53 from 192.168.50.62:1812 to 192.168.60.1:1024 EAP-Message = 0x010a002b1900170301002059aab1d6a4c6ab0a57f24096d6d0aa80e9662d6a63ac66e96db8 a524d2085cc8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2d34be6fbd9526dba0219098c99f6b0 (9) Finished request Waking up in 0.1 seconds. Received Access-Request Id 54 from 192.168.60.1:1024 to 192.168.50.62:1812 length 273 User-Name = 'juan' Calling-Station-Id = '60-BE-B5-98-BA-0B' NAS-IP-Address = 192.168.60.1 NAS-Port = 1 Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '2C-E6-CC-5A-3E-58' Connect-Info = 'CONNECT 802.11g/n' EAP-Message = 0x020a005019001703010020bc5b6012ba4c6d4926636f89412299e03018b666ab58139c884e 1d8e301ad05617030100200b70dae1f629e3833f6be835eda0d221b722c8a2f4b347f3425229 f9cb872647 State = 0xf2d34be6fbd9526dba0219098c99f6b0 Attr-26.25053.3 = 0x414c554d4e4f53 Message-Authenticator = 0xdd12a7edfa22a09e90d59aba01b16498 (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "juan", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) eap : EAP packet type response id 10 length 80 (10) eap : Continuing tunnel setup. (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0xf2d34be6fbd9526d (10) eap : Finished EAP session with state 0xf2d34be6fbd9526d (10) eap : Previous EAP request found for state 0xf2d34be6fbd9526d, released from the list (10) eap : Peer sent PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes. (10) eap_peap : Peap state send tlv success (10) eap_peap : Received EAP-TLV response. (10) eap_peap : Success (10) WARNING: eap_peap : No information to cache: session caching will be disabled for session 2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd SSL: Removing session 2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd from the cache (10) eap : Freeing handler (10) [eap] = ok (10) } # authenticate = ok (10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (10) post-auth { (10) ldap : EXPAND . (10) ldap : --> . (10) ldap : EXPAND Authenticated at %S (10) ldap : --> Authenticated at 2014-05-20 03:47:48 rlm_ldap (ldap): Reserved connection (4) (10) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (10) ldap : --> (uid=juan) (10) ldap : EXPAND dc=ejemplo,dc=org (10) ldap : --> dc=ejemplo,dc=org (10) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (10) ldap : Waiting for search result... (10) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (10) ldap : Modifying object with DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (10) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (4) (10) [ldap] = ok (10) foreach &control:LDAP-Group { (10) } # foreach &control:LDAP-Group = noop (10) [exec] = noop (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # post-auth = ok Sending Access-Accept Id 54 from 192.168.50.62:1812 to 192.168.60.1:1024 MS-MPPE-Recv-Key = 0x82502acb1a755aa3a2eba98e23e3f5796ccab96d124ff6198b32c78859edc7da MS-MPPE-Send-Key = 0x759dee2ef53c1423c8bd1d6412ab31963a14690b756a64237315aa0e8e3aa94f EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'juan' (10) Finished request Waking up in 0.1 seconds. Waking up in 4.5 seconds. (0) Cleaning up request packet ID 44 with timestamp +5 (1) Cleaning up request packet ID 45 with timestamp +5 (2) Cleaning up request packet ID 46 with timestamp +5 (3) Cleaning up request packet ID 47 with timestamp +5 (4) Cleaning up request packet ID 48 with timestamp +5 (5) Cleaning up request packet ID 49 with timestamp +5 (6) Cleaning up request packet ID 50 with timestamp +5 (7) Cleaning up request packet ID 51 with timestamp +5 (8) Cleaning up request packet ID 52 with timestamp +5 (9) Cleaning up request packet ID 53 with timestamp +5 (10) Cleaning up request packet ID 54 with timestamp +5 Ready to process requests.