Thanks for your reply radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}" } Ready to process requests. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=0, length=210 Message-Authenticator = 0x76f5e1499b3c78689adf8fb623dc7c4e Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001201504f4d4f5253555c75736f7773 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 0: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Flushing SSL sessions (of #0) [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.213.210 port 1067 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c0338140d1ab54c20eb7bf1588770 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=1, length=315 Message-Authenticator = 0x52b3370475dcad2571d8a4ef20d46246 Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c0338140d1ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201006919800000005f160301005a0100005603014ede257a500dcb4913694c60469b783a7bdaa0d482ac13baa056619eb2d75c37000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 1: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 1: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 105 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0051], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0aa2], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.213.210 port 1067 EAP-Message = 0x0102040019c000000b0616030100510200004d03014ede257d5214a614052a2f4ae8eaa694e5a613fb016bae2820961cc559eaf4ac2007f4d62a74fd69c2f9c148b84c4d48990f576d732ef00472799c3937e4940d62002f000005ff010001001603010aa20b000a9e000a9b0006203082061c30820504a003020102020a5a2edc82000000001329300d06092a864886f70d0101050500304131153013060a0992268993f22c64011916056c6f63616c31173015060a0992268993f22c6401191607706f6d6f727375310f300d060355040313066f63656c6f74301e170d3131313230353131303332345a170d3133313230343131303332345a308195 EAP-Message = 0x310b3009060355040613025255311330110603550408130a536f6d652d5374617465311430120603550407130b41726b68616e67656c736b310e300c060355040a13054e41524655310c300a060355040b13034f5341311e301c06035504031315726164697573322e706f6d6f7273752e6c6f63616c311d301b06092a864886f70d010901160e6f736140706f6d6f7273752e727530820122300d06092a864886f70d01010105000382010f003082010a0282010100d9dabf36461ecb485ff65384f7019ed1e937d59adafac95f0de0cdd780bfb12c5e9a7b1739ca8e4e986e94999693e205fd00928bb3fa30a9cd04100e032cd9aee6fb67923c9b8f EAP-Message = 0xe754943b37b13e8206b158d44f0261eb77f45a3b2b1984bf36d51141879dd82634a0f2fc55072885f20a3d78491cf8db1de52cca2d3952d5fadf4e6a45da1ed9eda6d21e0af13050584ecfe934f2a256fc9c6fb0ee3edab0331d17cd1356a12de2d40e45e9def0764b5b80ca7a32fbe0c404247f697ebe644bc3d716cb08d6779eca29053a972a8440ff4e677ae229dd82fdb96093f5c21ae5a264bc466a7c7543dc435c4b4dc0c3769b0c7e75ad3a4bbc1b5ec6a288993e0d0203010001a38202bf308202bb301d0603551d0e041604141c4267da2c09e9603568f0141bbf6cd57a1742ea301f0603551d23041830168014e20df80dccdf76296d4dbe EAP-Message = 0x8c0a1533e789410190308201040603551d1f0481fc3081f93081f6a081f3a081f08681b46c6461703a2f2f2f434e3d6f63656c6f742c434e3d68712d7073752d63612d30312c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d706f6d6f7273752c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748637687474703a2f2f68712d7073752d63612d30312e706f6d6f7273752e6c6f63616c2f43 EAP-Message = 0x657274456e726f6c6c2f6f63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c0338150e1ab54c20eb7bf1588770 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=2, length=216 Message-Authenticator = 0xec25df49dc4e71a8ab902d62111a2943 Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c0338150e1ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 2: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 2: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.213.210 port 1067 EAP-Message = 0x010303fc1940656c6f742e63726c3082011c06082b060105050701010482010e3082010a3081a706082b0601050507300286819a6c6461703a2f2f2f434e3d6f63656c6f742c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d706f6d6f7273752c44433d6c6f63616c3f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479305e06082b060105050730028652687474703a2f2f68712d7073752d63612d30312e706f6d6f7273752e6c6f63616c EAP-Message = 0x2f43657274456e726f6c6c2f68712d7073752d63612d30312e706f6d6f7273752e6c6f63616c5f6f63656c6f742e637274302106092b060104018237140204141e12005700650062005300650072007600650072300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010086d899336d4ae8012861dd16e2621ad32f419a774d1a528db018d9e7ada46eec0f2cd753028a867098d5b53e62954c15d76cd11c348e6fad7519a2cf8d721231f6f2dde973a392192576c483c682ff28afcef70f48a33ea446009179c03c02a3337919cc38 EAP-Message = 0x015a75b0addafa49551dab3f968349a15d9749fc6b5334f24415af3d49e7407936887f9c9fcdb5d2a30b28f60560f24ef583df16b0110abda12ea8d2474f8a18b84657f4eee5fe4841b6e7843893271e94d759e47ebce86f55d2fc42c058eb9d4205ed77ce3a4d180ec1222638711decab6ae50b973d487addb978c357395a5296efe40723db9e026155c1791f5b98fdefc31d1ceee2eee98c71b80004753082047130820359a00302010202107980e4b2631f4a92442eaf634e19ddbc300d06092a864886f70d0101050500304131153013060a0992268993f22c64011916056c6f63616c31173015060a0992268993f22c6401191607706f6d6f7273 EAP-Message = 0x75310f300d060355040313066f63656c6f74301e170d3039303131353138323733365a170d3134303131353138333432305a304131153013060a0992268993f22c64011916056c6f63616c31173015060a0992268993f22c6401191607706f6d6f727375310f300d060355040313066f63656c6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100c39c48714a962a776b9cc59bb38728441e5ec681f876dd3ae2fec05b821a96b6f629c43a1dcb95d22952047099b04fed8d2ac93c69ec20c3c91e6850965bd1ae205c21106c71cf664dbff15b6d7370a90cfe701326b9b933bb2b1d63721d89dab56a5d5bc2abf3 EAP-Message = 0xc8afaf4178ed1028 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c0338160f1ab54c20eb7bf1588770 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=3, length=216 Message-Authenticator = 0xfa2905a5466f4dfecef8a595cdce93fd Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c0338160f1ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 3: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 3: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.213.210 port 1067 EAP-Message = 0x010403201900c6c3d0687a50d3315b0ff6207fa5c68a64bf8de0be136d648a63e14067dfe168a805e4f15af641579af9e9eb647ba41ac1054f3d9f9adbc689cb2b1d01747c7da16d5cdbfd3c2fdee76ebb89b8266b114c99020b1c332932e88184707292a7c55113d839a057766086d329d8fe96cec9b4fe09e02b23587846a9bae05403f9450f88739a5b963f1d04166caafe2431933d0203010001a38201633082015f301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414e20df80dccdf76296d4dbe8c0a1533e7894101903081f80603551d EAP-Message = 0x1f0481f03081ed3081eaa081e7a081e48681ae6c6461703a2f2f2f434e3d6f63656c6f742c434e3d6f63656c6f742c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d706f6d6f7273752c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748631687474703a2f2f6f63656c6f742e706f6d6f7273752e6c6f63616c2f43657274456e726f6c6c2f6f63656c6f742e63726c301006092b06010401 EAP-Message = 0x823715010403020100300d06092a864886f70d0101050500038201010082f863c4e6a1326e0ad69d775dedc50df5d8fd92e9e7a8e2910869a737bc3803a2a17cc4181468aa73acb084b59d6c4ba8764b1e91e86d5200cff7f5263e7da82b7cbe376fc831708cf438bab348dd6168e8d4ffb40625f1a833b05ded0de22c3f9ef0047f16a84396d062a5af0dcedaf01de627a24a5f46f94c0fb471f448fa58d6bcdd2192aef902e0236d187df9b83105b89cc83af7bb2a56aa9521a9d79203b3f61eac7511c7154f2eead368fd49264d5bc7f2ebb4d770a28400eab64949a70aeabfa88564331cb4b36da2583f2900e21c8d5ebce3e545e83351acced626 EAP-Message = 0xe0d0d0c2a95ec527dd7638711f1a4459fdc66656931df9ad2ab46a1e9a7028d316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c033817081ab54c20eb7bf1588770 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=4, length=548 Message-Authenticator = 0x1f8babc53208d84dff4b518dad41482f Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c033817081ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02040150198000000146160301010610000102010072e7a1a4e07f9abe55b3da4cfc482c20c573164b92130286276d372f6c1f3a79694b169cb8393a6b0094730e0811a15f0d273073fa553d246fd1fccbe352952a8f33a742198a5867de686412f8a834aa1dcf1136dcca634b9e99e52220285fbc96fb01a0326c7630edf0288f0e6374fdb6ffaac319cd020d2bc5c3626aafde52dd22d0781d855606d35a4ae9c77fec576efa397591e24008905764aad24c0b60cc385dd6f8af2c74a773a9bc799a8edd695ae35f171366ed508299ab262978a2a49b615850649f30d654cfaca00df0fc8bd03e51054598a32e068e9bd98a1884eb1ab0dc2eaae168 EAP-Message = 0x13ca0ba9653d9e0b17d672bd60f7bccd749c662735103c071403010001011603010030f711f2e238918f27b44cd51d5175ae050c3f2f461b346ec944834b53b14a464fc5fba56d6354a5bf3b91bbb1eddff456 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 4: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 4: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data SSL: adding session 07f4d62a74fd69c2f9c148b84c4d48990f576d732ef00472799c3937e4940d62 to cache [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.213.210 port 1067 EAP-Message = 0x0105004119001403010001011603010030298180873d3f4e5440ba30c711070f1ffeb5992384662bcfeadbb8d3e89b5070a186fc070f3316599a9cf94b9e4ab05d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c033810091ab54c20eb7bf1588770 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=5, length=216 Message-Authenticator = 0x2cac919d164387ddc825c989d5c197e1 Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c033810091ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500061900 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 5: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 5: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.213.210 port 1067 EAP-Message = 0x0106002b1900170301002053a780d9c0f3ca9b195e38b9697b45e0eae817c1ec0f172ffec177e8714208da Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c0338110a1ab54c20eb7bf1588770 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=6, length=269 Message-Authenticator = 0x07372ed61087d095166610e927fb148a Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c0338110a1ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206003b19001703010030c34f2c5b9c08e2e0d50ead10130291b17dfbe159fa0a1d1bd634f5188f13d1859bc17dd94ef124e1e33588a5825dd88f NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 6: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 6: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - POMORSU\rahs [peap] Got inner identity 'POMORSU\rahs' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206001201504f4d4f5253555c75736f7773 server { PEAP: Setting User-Name to POMORSU\rahs Sending tunneled request EAP-Message = 0x0206001201504f4d4f5253555c75736f7773 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "POMORSU\\rahs" server { # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (Attribute Called-Station-Id was not found) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> FALSE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> FALSE +++- entering else else {...} ++++[noop] returns noop +++- else else returns noop ++- policy extract_ssid returns noop [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x010700271a0107002210d6925886b862a504eb6b55d312656f74504f4d4f5253555c75736f7773 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7e9ab6a97e9dacde2a97339e291c9d54 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700271a0107002210d6925886b862a504eb6b55d312656f74504f4d4f5253555c75736f7773 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7e9ab6a97e9dacde2a97339e291c9d54 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.213.210 port 1067 EAP-Message = 0x0107004b190017030100401918b2856d2a053eb747138f06f073e03afa717026737760282561356040e458f02c871626106dbd20a3b3dea0c08d5b193226e4ac5fbc9df1c860d32576b134 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x140c0338120b1ab54c20eb7bf1588770 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=7, length=317 Message-Authenticator = 0x42d12e68ead55a70709a762bdf1c067a Service-Type = Framed-User User-Name = "POMORSU\\rahs" Framed-MTU = 1488 State = 0x140c0338120b1ab54c20eb7bf1588770 Called-Station-Id = "04-11-9A-D1-44-39:localnet1" Calling-Station-Id = "00-1F-3C-3D-DF-8C" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207006b19001703010060c41186f2cf41d55750b4e6f2d6aec2644d88dc5e8cb5a933bcd3ffe919977510236b26c30a2546eb6b2564da426d1fcf8a7ec2433c480a7f3ee861b4ca86ab71c63246b5b541043ac881dc6e351fe40c1a81337b2b0b647a8bfab0bd8b1e17a5 NAS-IP-Address = 192.168.213.210 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{7} -> localnet1 ++++[request] returns ok ++++? if (Called-Station-SSID == localnet1) ? Evaluating (Called-Station-SSID == localnet1) -> TRUE ++++? if (Called-Station-SSID == localnet1) -> TRUE ++++- entering if (Called-Station-SSID == localnet1) {...} +++++[request] returns ok ++++- if (Called-Station-SSID == localnet1) returns ok ++++ ... skipping else for request 7: Preceding "if" was taken +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 7: Preceding "if" was taken ++- policy extract_ssid returns ok [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700481a0207004331a1167cc77188ebb67c99c3cbea43b32a000000000000000051a42d5e5822c1170d326960eae781a91b746bf0486a7ffc00504f4d4f5253555c75736f7773 server { PEAP: Setting User-Name to POMORSU\rahs Sending tunneled request EAP-Message = 0x020700481a0207004331a1167cc77188ebb67c99c3cbea43b32a000000000000000051a42d5e5822c1170d326960eae781a91b746bf0486a7ffc00504f4d4f5253555c75736f7773 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "POMORSU\\rahs" State = 0x7e9ab6a97e9dacde2a97339e291c9d54 server { # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++- entering policy extract_ssid {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) (Attribute Called-Station-Id was not found) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> FALSE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> FALSE +++- entering else else {...} ++++[noop] returns noop +++- else else returns noop ++- policy extract_ssid returns noop [suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 72 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/default [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: rahs [mschap] Told to do MS-CHAPv2 for rahs with NT-Password [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=POMORSU [mschap] expand: --username=%{mschap:User-Name} -> --username=rahs [mschap] mschap2: d6 [mschap] Creating challenge hash with username: rahs [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c834304f4e49dc11 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=51a42d5e5822c1170d326960eae781a91b746bf0486a7ffc [mschap] expand: --require-membership-of=POMORSU+%{AD-Group} -> --require-membership-of=POMORSU+ Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject 07.12.2011 13:32, Fajar A. Nugraha пишет:
On Wed, Dec 7, 2011 at 4:11 PM, Сергей Усов<usows@pomorsu.ru> wrote:
Hi
I try to configure authentication via ntlm_auth to check the user group. All authentication attempts are rejected
What does the debug log say when the authentications are rejected?