On Thu, Nov 12, 2015 at 4:47 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Nov 12, 2015 at 03:15:10PM +0800, Tim Chen wrote:
+group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ^^^
++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" ^^^
[suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated
You're calling passwdf1 before Stripped-User-Name is defined by suffix.
Move passwdf1 after the call to suffix in both inner & outer.
Cheers
Matthew
Dear Matthew, I've move passwdf1 after suffix in both inner & outer. (after the "files") But it seems the same situation: 1. PAP with/without domain(realm) PASSED 2. MSCHAP with/without domain(realm) PASSED 3. EAP(PEAP) I use eapol_test to test identity="john" PASS identity="john@eduroam.example.edu" FAIL!! Would you please give me some more hint? Thanks for your time. Eric Chang rad_recv: Access-Request packet from host XXX port 60597, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0xeeca830d9bace15bd26bba26b68a040d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to XXX port 60597 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e0b9dd7c53f14170d6c10b8a Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=1, length=349 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100db1980000000d116030100cc010000c80301342f621a43418e1f4a1f83fbd1d7f98e3eb86f95fc8f660bb6324aa0abc507bc00005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101 State = 0xe0b8c466e0b9dd7c53f14170d6c10b8a Message-Authenticator = 0x99ccdc81eedada43581f99d7d8eab825 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 219 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 209 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00cc], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 1411], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to XXX port 60597 EAP-Message = 0x0102040019c00000166716030100310200002d0301564472ede77c9b3d69871dd755169704e06c896cc1c230d9d673e975253012c4000039000005ff0100010016030114110b00140d00140a00056d3082056930820451a003020102021047df00000000068f47a297480cbfa807300d06092a864886f70d01010b0500306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f72697479301e170d3135303630383035333333 EAP-Message = 0x355a170d3136303630383135353935395a30818b310b3009060355040613025457310f300d06035504080c0654616977616e310f300d06035504070c0654616970656931233021060355040a0c1a4e6174696f6e616c2054616977616e20556e697665727369747931183016060355040b0c0f436f6d70757465722043656e746572311b301906035504030c12656475726f616d2e6e74752e6564752e747730820122300d06092a864886f70d01010105000382010f003082010a0282010100f1765133c1c57f8c043d22b71804729c7fc2631e0699374d43f8bc3b914c15722dc36020da16d028a4d1890c3a5271b7c1a72e7deea72d37946a1fc6e9 EAP-Message = 0x0b8bd477e6a71ab5353f8f81166fbf6cd4c2d531b677bf273d663603b5a60b265a968a261b0a1b8d5207daaf0bedccc670a7f4ad0e5a05fdd46bffed86abeed89857307cd50b55a4f0843523e57f9555427830d48eef368d037eb3dc685d511659a21ce557a53537c08dc552529ed64da0849833637f3507ebb58788272a526c7d19d8a51fa50f0558490737bb0e45b025c166783b3b1c279fa16c9de9576089c21869f103202b93c5a315b7c80d93b043fb946ab94576c6310f6cdedb721de25f8c6d0203010001a38201e2308201de301f0603551d23041830168014f807c26824ff8595cbdb1ee3339c2a4f9720567b30290603551d0e042204208d EAP-Message = 0x8ae0e0ca30409af8cef50a525ae9b18d6e669ad46cff8f48595468a084089f30560603551d1f044f304d304ba049a0478645687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f73736c7365727665722f53656375726573736c5f7265766f6b655f736861325f323031342e63726c301d0603551d11041630148212656475726f616d2e6e74752e6564752e747730818106082b0601050507010104753073304406082b060105050730028638687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f7365637572655f736861325f323031342e637274302b06082b06010505073001861f6874 EAP-Message = 0x74703a2f2f7477636173736c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e1badd7c53f14170d6c10b8a Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=2, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0xe0b8c466e1badd7c53f14170d6c10b8a Message-Authenticator = 0x36c0b2ca90211d3c2c9dca6de4022ca4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to XXX port 60597 EAP-Message = 0x010303fc19406f6373702e747763612e636f6d2e74772f305b0603551d20045430523050060b2b0601040182bf250101193041301b06082b06010505070201160f7777772e747763612e636f6d2e7477302206082b0601050507020230161a145265737472696374696f6e203d332e322e302e3130090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b050003820101001de810ca6c43b1feecba2817c78c853072af9e8ae8e0a5b6f4fb32b8e84423621eca6282a322434081ee26572c9d99b63246da8083f09b4ae4b3d5 EAP-Message = 0x02c02e30cff30300a17483a98ef819f4eea6cb7711ad9bcfb9dcd8428b99069f6075894fb22ea7a2d2f2bc2111acd6cdf1c803abcc6e642951e5447f9ce3779620e7f39fff05efa5e5697037b57349868aa15cfaab3d2e184907f947d1753709450e663cad3439cf8875102f7d27ad8d5115c79a85075bb988a2c450664414f4a55bd5a16e8b8b4411b3566315c5674d6476a9c8a688f02bdd4984a5c42b086275a537f8dcc62efc4cde6f3590cbd336249300e6e16153de8209d19d77743b566928b95b330005b5308205b130820399a003020102021040013353e40000000000000cc36e888d300d06092a864886f70d01010b05003051310b300906 EAP-Message = 0x035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f74204341301e170d3134313032383037323735365a170d3234313032383135353935395a306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101 EAP-Message = 0x00dbe0fe5153a201a6cf6a8e5da951096a167e4a1412b3114a26281b2f23528bc10dab1855e3a65cf2ed1af5632efab16a22866166ced21cd78f844568bc1333b80e270e466a578c363f8f2f84e8d4dd95290c55009dbd2efa52246be2a78569d1a45331bdffc65888b2c967e1fa55680e7d025c2e03237946b8a2e87678e64153d9d79f462acda6dd9c0450d49069237e03fb86dc9b4edc0116bf147d440bb31b6077b4260b4b9f01956a908683352e9b82d2d6c40531509a2868184d32bc930bf609813d7a680fa7d3f174f8d11e2e3664e11e2fd395ce9bc94678b28769564aadb0ab0bf6d10f92abe906e1550e0e1eb9b19359ae27fd6fe551a7e7 EAP-Message = 0xbc05244502030100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e2bbdd7c53f14170d6c10b8a Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=3, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xe0b8c466e2bbdd7c53f14170d6c10b8a Message-Authenticator = 0x5f5a7d1a7b0015e5627e9666c2f0efb8 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to XXX port 60597 EAP-Message = 0x010403fc194001a382016530820161301f0603551d2304183016801448dbcdde8ee949725a88e8b1d83d07b3b96b6650301d0603551d0e04160414f807c26824ff8595cbdb1ee3339c2a4f9720567b300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30490603551d1f04423040303ea03ca03a8638687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f676c6f62616c5f7265766f6b655f343039362e63726c30120603551d130101ff040830060101ff020100307606082b EAP-Message = 0x06010505070101046a3068303c06082b060105050730028630687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f726f6f74343039362e637274302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b050003820201009e80281ad40477c7e497cb3b7f10c26c9562edcbdfa42c11da641a141a7876e92bfc4b7ebf9a98ee19a31368960c219bfbd5587161da48caf935cdffcd584258f1f218cec7a532d8918491510a8ac5bf4129746dc461e0be03eb6b194a19ddf01a657cc8534701095d95b76d1e72bf2fc32eb36e1d11 EAP-Message = 0x8f7eb3dbd2fdfb2fb9f076ef9630e52fbf5e4ac15fb656523e727ad11185960188b10e6d8d8cadb2302a148c4bf009cca59e7c2c838091f08978d5e03b1b51d9802dea638fd4760ceed62819731447e3a1e0e07aea73c3513ee0ac611328a368e1eac1b3f7704568a63e0d06c4be5fdc1f9ab22adcd9bf3eed2c4b0590a44d92670e7c240fefb7cc9bcfda4e9cf3ca33afc4d274d17303a3163b23eb5277fe97c72effbc9dd56505f89854a0f0d4e5229db2b684ef5757eeb3df55d8da4bb7ddc05fccb00dc38299afeb2ea953f10bbb9dbe5afb9afab0a31df35c1f556258c27725e467b5dcbda0a1acbedb511a15381dd31a7a07804c459dd3b401ff EAP-Message = 0x654d77dfeefc3e6b7d2266ac68994f021f144c117092d6c20a62a6886beb6642dcbc75cbd11d7caaec8763eea865b29ad5e659b147230e812b8fcb2d21df96f102bbc6909b3189e2c3be8d1ff832fb96899b1710c4c73213706480c9cc6b8f93b08af62d2927bc398e6d6fe684c30028705f010bccb6d2c18aeaa04ea46419fe18ee4487e2117f05bb0efbdc6700055d3082055930820441a003020102021040013353e40000000000000cca5d1b69300d06092a864886f70d01010b0500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c EAP-Message = 0x215457434120526f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e3bcdd7c53f14170d6c10b8a Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=4, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xe0b8c466e3bcdd7c53f14170d6c10b8a Message-Authenticator = 0xf9b17f3e26b5b05b17d438eb094b12d9 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to XXX port 60597 EAP-Message = 0x010503fc19406f742043657274696669636174696f6e20417574686f72697479301e170d3134313032383037333833315a170d3330313032383135353935395a3051310b300906035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b005dbc8eb8cc46e8a21ef8e4d9c710a1f5270ed6d829c97c5d74c4e4549cb4042b512346c19c274a4315f850297ec43330a53d29c8c8eb7b879db2bd56af28e66c4ee2b010792d4b3 EAP-Message = 0xd002df50f655af660ecbe047602f2b323935523a2883f87b16c618b862d6472591cef019124dad63f5d33f755f29f0a1301c2aa098a615bdeefd1936f0e291438ffacad61027494cefddc1f185709bcaeaa85a43fc6d866f73e93745a9f036c7cc88751ebb6c06ff9b6b3e17ec61aa717cc61da2f749e915b53cd6a161f511f7056f1dfd11bed03007c229b0094e26dce3a2a8916a1fc29145885ce598b871a51519c97c7511cc70744f2d9b1d9144fd5628a0febb866ac8fa5c0b58dcc64b76c8ab22d9730fa5f45a02893f4f9e2282eea274532a3d5327691d6c8e322c6400266361364ea346b73f7db32dac6d90a295a2cecfda82e707341996e9b8 EAP-Message = 0x21aa297ea638be8e294a2166791fb3c3b50967ded6d40746f32adae6223760cb81b60fa00fe9c8957fbf5591057acf3d15c06fde09940183d7341bcc40a5f0b89b67d598913ba784789526a45a08f82b74b400043cdfb8148ee8dfa98d6c6792331dc0b7d2ec92c8be09bf2c29056f026b9eefbcbf2abc5bc0508f41707187b24db704a984a332afaeee6b178bb2b1fe6ce1908c88a89748cec84dcbf306cf5f6a0a42b11e1e772f8ea0e6920e06fc0522d226e131517d32dc0f0203010001a382011d30820119301f0603551d230418301680146a385b268dde8b5af24f7a54831918e30835a6ba301d0603551d0e0416041448dbcdde8ee949725a88 EAP-Message = 0xe8b1d83d07b3b96b6650300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30420603551d1f043b30393037a035a0338631687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f7265766f6b655f323034382e63726c300f0603551d130101ff040530030101ff303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b05000382010100290b6ec494dc EAP-Message = 0x6259937a5a4c5ddc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e4bddd7c53f14170d6c10b8a Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=5, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0xe0b8c466e4bddd7c53f14170d6c10b8a Message-Authenticator = 0x65f499ed0355542a4c7e35a66f8f0e5f # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to XXX port 60597 EAP-Message = 0x010603fc1940993e8ea8fbf9a08f1bd927706df82e5e48696117401089aa03b81ccbdfbc6c28541fc521f54b96bffc4c47ca0b77c3cc667b6fb9360869f9c191ed8fd69ea222e882b789c8aad020e74aac232b2f4ff64f146bf17a45a187c871e7a7a4b9806bc9cecd8a259ccdd309a532fa24d1517f3c319947ea1fa76f6e84cdaed8ae356ad6cbe0be13c1a231cbee1fe926dfb706c60d450ae7ab45571eb7019b31f5f205404586d8021bd04b21db2082e322e94fe35d2bc439121728c6b967b17de1b27c76e53684da745eac38b66bf8eea103c4b0c45c124c6f06da3a4465b636970c1879d04697331fab52a8cede57b4281338b7ac00037f3082 EAP-Message = 0x037b30820263a003020102020101300d06092a864886f70d0101050500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f72697479301e170d3038303832383037323433335a170d3330313233313135353935395a305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f7269 EAP-Message = 0x747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b07e72b8a40394e6a7de0938914a114087a77c5964147bb51110ddfebfd5c0bb56e28525f435720ff853d041e14401c2b41cc33142164785332276b20a6f0fe525504f8586bebf982e10671ebe1105860590c459d07c7810b0805cb7e1c72b75cb7c9faeb5d19d233763a7dc42a22d92041b50c17bb83e1bc956048b2f529bada956e9c1ffada9588730b681f79745fc19573b2b6fe447f49945fe1df1f897a3881d371c5c8fe076259a50f8a054ff44907623d232c6c3ab06bffcfbbff3ad7d9262025b29d335a3939a4364605db2fa32ff3b04af4d406af9c7 EAP-Message = 0xe3ef23fd6bcbe50f8b380dee0afcfe0f989f3031dd6c5265f98b81be22e11c5803ba911b89070203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a385b268dde8b5af24f7a54831918e30835a6ba300d06092a864886f70d010105050003820101003cd5773ddadf89ba870c08546a205092beb0413db92664830a2fe840c097282782304ac993ff6ae7a6007f89429ad611e553ce2fccf2da05c4fee250c43a867dccda7e10093b92352a53b2feeb2b05d96c5de6d0efd36a669e1528857ae88200ac1ea709695642d3685118be549abf4441ba49be20ba695ceeb8 EAP-Message = 0x77cdce6c1fad8396 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e5bedd7c53f14170d6c10b8a Finished request 23. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=6, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0xe0b8c466e5bedd7c53f14170d6c10b8a Message-Authenticator = 0x972dd2cbfac6b409f039e2c7cc7b3f54 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to XXX port 60597 EAP-Message = 0x0107029f1900187d0eb5143984f128e92da39e7b1e7a725a83b3796fefb4fcd00aa5584f46dffb6d7959f2842252ae0fccfb7c3be76aca4761c37af8d392041fb82084e1365416c740de3b8a73dcdfc6094cdfecdaffd45342a1c9f2621d22833c97c5f9196227ac6522d7d33cc6e58eb253cc49cebc30fe7b0e3390fbedd214911f07af160301020d0c0002090080f330e182461ac1124f5b50a47f973caee6024b9aca5a451cc1b5e663f16bb9063f4a7b1393c2393e28a59080f9aa96bc7abb8119a7e4eb4692accd80ece3018dabf5f0b5e8124b3e2cb69bdf96f52b26ca06ae45cadc31676bb17115261819095027a73b5151fc761d574fe44ec3 EAP-Message = 0x14452195733585d8170a671a713ee4875e2b0001020080aa33eb607ca6e2cd3431adcc0d49160ecbc0909755d7e59b757a31ffd85bc43c053c05461253a9c4fb3ab5819eb133be48e8b44a2f0dd9bb32ab1a5705840a39a83d6ff4a8d34d1ab5da87d6582b1784807dfa311a4a9ed8678a37797833f1c42c98574b6a674b48383b6bc15d513846262f7704e38678740c4673d9bcda83900100267489ded2f9e59849d4de7af7ecfe6ff178226722d490524e6b76dbcbe0a7630313475f957b2b94a69062a261693fa004ebf67b580f8e8dd36d3319b7c34c98a1b0b5377756188c3cd449d29ca91966d577a5b8c764c8abe4e5dcb737c2c1a4ac58c93b EAP-Message = 0x6dc0c8bd7ff20def0f8ed9cce4d29f3ed99f708d73ca7249e4b981dad6258c65e335d46918f81f52cc785aa3813037a674a42f6c30322c3b58b3efa3109fea962e9586b11404ae9cb2c025277a49a8102591047636949157619b3998a9fcf0e01ec62733396646ca2206b48296d08d2b29c1f2c5110a61b767b6220f862e4b344b9a709a2dcce25000f861eb039bf417587478effd60c9dc39d2ac9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e6bfdd7c53f14170d6c10b8a Finished request 24. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=7, length=338 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700d01980000000c6160301008610000082008037397ea3303c05783518b52aa03a549dbf5637e7fc3906c1ac0707900db32c27bbaf83b72577d47aaf906d58e96190767bab1d837158ee2a161ea38aff71af01162661d5b39a6728e9fb7669549ae95ee1fd32d374b3bab766c15e5f1f2a5589e440a64449eb328135f72645800d04c3fa7282c8786acb3a721ed8d727084d4f1403010001011603010030ccf5680511f68785678ac1c7280c613ad90ce602c19e3f36904f96f184b9a95c909f49e6fa2dc7ed0b326d4779e74c8b State = 0xe0b8c466e6bfdd7c53f14170d6c10b8a Message-Authenticator = 0x04e75b2199d6ae19b4d3f930ea273643 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 208 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to XXX port 60597 EAP-Message = 0x0108004119001403010001011603010030b5f3deeb1e46572a001ab0cb62e8dc83560ab61f641703b38f764aa1f1234cff61201fb1c1ad1af68d4f05000eee1f74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e7b0dd7c53f14170d6c10b8a Finished request 25. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=8, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800061900 State = 0xe0b8c466e7b0dd7c53f14170d6c10b8a Message-Authenticator = 0x97a7b696c186dfae46ddd95b9d548ee9 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to XXX port 60597 EAP-Message = 0x0109002b19001703010020ff86faf97d4639be9426719ee0aba567e35a0230dc5cb6ef05bb66d87323a248 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e8b1dd7c53f14170d6c10b8a Finished request 26. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=9, length=226 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209006019001703010020747c93ea7fa927528d70d44e59bc1b5716ebd3d8a7c08e22b87d86f366cde4f717030100309611d052aa27d02f06fbea6f19b6dcb81b30014c3df2d631a442a4a1fe31ce5d94316956f284761e2fe0adee9daeb47f State = 0xe0b8c466e8b1dd7c53f14170d6c10b8a Message-Authenticator = 0x079f64a6b49baec478c02318e85be3dc # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - john@eduroam.example.edu [peap] Got inner identity 'john@eduroam.example.edu' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0209001b016a736340656475726f616d2e6e74752e6564752e7477 server { [peap] Setting User-Name to john@eduroam.example.edu Sending tunneled request EAP-Message = 0x0209001b016a736340656475726f616d2e6e74752e6564752e7477 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "john@eduroam.example.edu" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00301a010a002b10e5300e4995aa18fb84d46e244cfe1b076a736340656475726f616d2e6e74752e6564752e7477 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03fe26c403f43cfffff39b292568cd04 [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x010a00301a010a002b10e5300e4995aa18fb84d46e244cfe1b076a736340656475726f616d2e6e74752e6564752e7477 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03fe26c403f43cfffff39b292568cd04 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to XXX port 60597 EAP-Message = 0x010a005b190017030100504829958debd5ce8970ef192d93cfa56ea96b69f702aaec9b78d64ea5729ff05ff8f7a5655a119c700a34d725767b26f3d8814521afa27c93ea849de8c1c9dafbc7f785ddee4fb16af059b6d9fdace362 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e9b2dd7c53f14170d6c10b8a Finished request 27. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=10, length=290 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020a00a01900170301002062eb92c1a90dfdc1af592cc2e3f60d949193e5f5609e1f0270d3060aee06093f1703010070254b748e5c03ba5e3d602cbf39fb26a46ed697798a19afb33b812e7df239e1a7794ba430f03bfe66e4f546f8257649b0963081b115287955fc880599477bcf3a00323b8e1d877b0a39b3021295b05ccf55c59b8f9d21315407871433e5db1fcc42f9a1a0230d497bb08a0d0925ca7f99 State = 0xe0b8c466e9b2dd7c53f14170d6c10b8a Message-Authenticator = 0x313531a5259dd06d861209a42032e394 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00511a020a004c31e1b79f474a6404288c4f3039eec9e25b0000000000000000127c91d50c70cba486931070b47e7713c173843e796cd384006a736340656475726f616d2e6e74752e6564752e7477 server { [peap] Setting User-Name to john@eduroam.example.edu Sending tunneled request EAP-Message = 0x020a00511a020a004c31e1b79f474a6404288c4f3039eec9e25b0000000000000000127c91d50c70cba486931070b47e7713c173843e796cd384006a736340656475726f616d2e6e74752e6564752e7477 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "john@eduroam.example.edu" State = 0x03fe26c403f43cfffff39b292568cd04 server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 81 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: john@eduroam.example.edu [mschap] Client is using MS-CHAPv2 for john@eduroam.example.edu, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [john@eduroam.example.edu/<via Auth-Type = EAP>] (from client network8 port 0 via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> john@eduroam.example.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 10 to XXX port 60597 EAP-Message = 0x010b002b1900170301002074a804afb0f47eeca2c61b96396601cad3bf914e77f9e7dfb4315d446ac8ba75 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466eab3dd7c53f14170d6c10b8a Finished request 28. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=11, length=210 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020b0050190017030100209042a6b24b30cd3562204ee125fa1ccb3c71936efd32a2bc1e6be929ce92ae471703010020e1fd5cd4e4c25e517f2eb8465409559b4288fbbf05f5c6805306a23fab161c3f State = 0xe0b8c466eab3dd7c53f14170d6c10b8a Message-Authenticator = 0xff197e1157b28e7cef9eacdcbc22d695 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client network8 port 0 cli 02-00-00-00-00-01) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 29 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 29 Sending Access-Reject of id 11 to XXX port 60597 EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 18 ID 0 with timestamp +116 Cleaning up request 19 ID 1 with timestamp +116 Cleaning up request 20 ID 2 with timestamp +116 Cleaning up request 21 ID 3 with timestamp +116 Cleaning up request 22 ID 4 with timestamp +116 Cleaning up request 23 ID 5 with timestamp +116 Cleaning up request 24 ID 6 with timestamp +116 Cleaning up request 25 ID 7 with timestamp +116 Cleaning up request 26 ID 8 with timestamp +116 Cleaning up request 27 ID 9 with timestamp +116 Cleaning up request 28 ID 10 with timestamp +116 Waking up in 0.9 seconds. Cleaning up request 29 ID 11 with timestamp +116 Ready to process requests.