Hi Alan, Thank you so much!!! thank you :D It took about 5 min after I followed everything you said and now works like a charm. Also I'll read the documentation you suggest about how to read debug output, again. Because it was not the first time I saw that documentation. The last time I read once it was about one year ago when I was looking around https://freeradius.org/documentation/ Just to let you know about the EAP authentication, I did a compare with the file installed in the server with another file from the GitHub from here: https://github.com/redBorder/freeradius/blob/master/raddb/sites-available/de... and I found out the section: ... # Allow EAP authentication. eap <- (Here was a comment out. Pls, don't ask me why it was commented but it was. Most likely 99,9% could be my fault, sorry about that) .... After I just removed only the "#" before "eap" and FreeRadius started to work as expected and I also managed to install the client.p12 on Windows and Android too while I was adding a new wifi network or setting the SSID on the phone. Here is the logs from the Server and also the eapol test: FreeRADIUS Version 3.0.26 Copyright (C) 1999-2021 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/soh including configuration file /etc/freeradius/3.0/mods-enabled/files including configuration file /etc/freeradius/3.0/mods-enabled/digest including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/utf8 including configuration file /etc/freeradius/3.0/mods-enabled/linelog including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/detail.log including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/replicate including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/mschap including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/echo including configuration file /etc/freeradius/3.0/mods-enabled/unix including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp including configuration file /etc/freeradius/3.0/mods-enabled/unpack including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth including configuration file /etc/freeradius/3.0/mods-enabled/chap including configuration file /etc/freeradius/3.0/mods-enabled/passwd including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap including configuration file /etc/freeradius/3.0/mods-enabled/pap including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/control including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/rfc7542 including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/eap including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipaddr = 192.168.0.0/24 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP # Creating Autz-Type = New-TLS-Connection radiusd: #### Instantiating modules #### modules { # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files files { filename = "/etc/freeradius/3.0/mods-config/files/authorize" acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy" } # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8 # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/3.0/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap pap { normalise = yes } instantiate { } # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/coa # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/server.key" certificate_file = "/etc/freeradius/3.0/certs/server.crt" ca_file = "/etc/freeradius/3.0/certs/ca.pem" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) Compiling Autz-Type New-TLS-Connection for attr Autz-Type # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type } # server default server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 55848 Listening on proxy address :: port 41827 Ready to process requests (0) Received Access-Request Id 0 from 127.0.0.1:44657 to 127.0.0.1:1812 length 146 (0) User-Name = "user@example.org" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x020200150175736572406578616d706c652e6f7267 (0) Message-Authenticator = 0xfcc1f63f6c4f4b9e44611b14119b76e9 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (0) suffix: No such realm "example.org" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 21 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x915bb6629158bb63 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:44657 length 64 (0) EAP-Message = 0x010300060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x915bb6629158bb63d9e85057a0f8f68a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 127.0.0.1:44657 to 127.0.0.1:1812 length 333 (1) User-Name = "user@example.org" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x020300be0d0016030100b3010000af030355bbaaba22085affa27bf313eaa51f6b0f191d0c63552a96489ae93881e50d63000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 (1) State = 0x915bb6629158bb63d9e85057a0f8f68a (1) Message-Authenticator = 0x9a4a50e19134ea4b731492d61a96ce89 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (1) suffix: No such realm "example.org" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 190 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x915bb6629158bb63 (1) eap: Finished EAP session with state 0x915bb6629158bb63 (1) eap: Previous EAP request found for state 0x915bb6629158bb63, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: (TLS) EAP Got final fragment (184 bytes) (1) eap_tls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes) (1) eap_tls: (TLS) EAP Done initial handshake (1) eap_tls: (TLS) Handshake state - before SSL initialization (1) eap_tls: (TLS) Handshake state - Server before SSL initialization (1) eap_tls: (TLS) Handshake state - Server before SSL initialization (1) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (1) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_tls: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 4 length 1004 (1) eap: EAP session adding &reply:State = 0x915bb662905fbb63 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (1) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:44657 length 1068 (1) EAP-Message = 0x010403ec0dc000000b97160303003d020000390303c057c95286e8abc5a19ed6e71a2f470f4ab2dd8898e5286933d29cabf629273900c030000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x915bb662905fbb63d9e85057a0f8f68a (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 2 from 127.0.0.1:44657 to 127.0.0.1:1812 length 149 (2) User-Name = "user@example.org" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x020400060d00 (2) State = 0x915bb662905fbb63d9e85057a0f8f68a (2) Message-Authenticator = 0xca7a9d5362cebf2ec100e51e4cb1639d (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (2) suffix: No such realm "example.org" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 6 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x915bb662905fbb63 (2) eap: Finished EAP session with state 0x915bb662905fbb63 (2) eap: Previous EAP request found for state 0x915bb662905fbb63, released from the list (2) eap: Peer sent packet with method EAP TLS (13) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 5 length 1004 (2) eap: EAP session adding &reply:State = 0x915bb662935ebb63 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:44657 length 1068 (2) EAP-Message = 0x010503ec0dc000000b9705ecb4b01e01e674cd17114248e5953c68d50808bfda8aedcbef7857bfaf2b3cd70f07eee53029230aa473f0afbf9e955f5178f7cf70f115fabdcbe7c4fa45f95e8e9176145705fd1797d7f024b3b33fc9171eb0263c7423df92605a8c34330475ec57f4e7db3053004b588ee2264d51a48100835f69f92f1bebdbeb03d94d7eed49ddbe8eba3444d1daf370d6a9a4869ea7236e8851466bf4bb28fcd5a1c439674838242589003aba0004fe308204fa308203e2a00302010202142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x915bb662935ebb63d9e85057a0f8f68a (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 3 from 127.0.0.1:44657 to 127.0.0.1:1812 length 149 (3) User-Name = "user@example.org" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x020500060d00 (3) State = 0x915bb662935ebb63d9e85057a0f8f68a (3) Message-Authenticator = 0x157e8ecd40493b8b25d5dc23f0d83404 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (3) suffix: No such realm "example.org" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 5 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x915bb662935ebb63 (3) eap: Finished EAP session with state 0x915bb662935ebb63 (3) eap: Previous EAP request found for state 0x915bb662935ebb63, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 6 length 989 (3) eap: EAP session adding &reply:State = 0x915bb662925dbb63 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:44657 length 1053 (3) EAP-Message = 0x010603dd0d8000000b9778616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100555b2e66c6da9a6ffd14172dbedf3d1e5338f55da258fafeb78d26408f25e04b82c56c5773e15ad3b035946ecc123e61001c5718bb698e44c8741fc483cb47e4928fe23a31df3bfaa251a3fde3c9214339af971304506bc9d405d0c5d55a1b105eeb8442aee49682191f524ef1c90329fcfb65076f6d7159d78e076ba54d7a3e70e1e92cdb86762d742d098e03a3a75e8c270718aee58d740c5cced0b9b6c3a20b02354f8b (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x915bb662925dbb63d9e85057a0f8f68a (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 4 from 127.0.0.1:44657 to 127.0.0.1:1812 length 1561 (4) User-Name = "user@example.org" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x020605800dc000000a8f16030309200b00091c00091900041530820411308202f9a003020102020102300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232355a170d3234303432383031333232355a3071310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3119301706035504030c1075736572406578616d706c652e6f7267311f301d06092a864886f70d010901161075736572406578616d706c652e6f726730820122300d06092a864886f70d0101010500038201 (4) State = 0x915bb662925dbb63d9e85057a0f8f68a (4) Message-Authenticator = 0x50ce128c4e9a716c72b3380993132908 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (4) suffix: No such realm "example.org" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 6 length 1408 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x915bb662925dbb63 (4) eap: Finished EAP session with state 0x915bb662925dbb63 (4) eap: Previous EAP request found for state 0x915bb662925dbb63, released from the list (4) eap: Peer sent packet with method EAP TLS (13) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) EAP Peer says that the final record size will be 2703 bytes (4) eap_tls: (TLS) EAP Expecting 2 fragments (4) eap_tls: (TLS) EAP Got first TLS fragment (1398 bytes). Peer says more fragments will follow (4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (4) eap: Sending EAP Request (code 1) ID 7 length 6 (4) eap: EAP session adding &reply:State = 0x915bb662955cbb63 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:44657 length 64 (4) EAP-Message = 0x010700060d00 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x915bb662955cbb63d9e85057a0f8f68a (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 5 from 127.0.0.1:44657 to 127.0.0.1:1812 length 1464 (5) User-Name = "user@example.org" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x0207051f0d00706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101008fd8ebe0ef83c9187f256e38e9ef2d6ef1e365f03987f64178ad8c099f79c9e10f79d3d296a75ff7fe44d7da66b8ba79f74ec0c2f6dab09a0c9d5e8bd725476b08a5dfd353d7d7e469a9cf5316bd19da820a61f3803c6aa2e95c37445c43ab0944dc3606c4218104b27c305d280aeede42e736bac91bcba157fc93d0e1c09774cf067dbb512b716b667a4eba19884aca067a10bb7ec4cb2819492d2cd2abd023eb49b2a8e014cdb8a11919160933ee62710fb3d7e0e886b083f7220e3be12283970f5b343c9ca3f348b728ec195e4cfc279d54f3a1fb1d2ae18d0344622ea8f4a582ed3679d381e3fbd40fca2c9e8cf651f2ddba621312b81203fc918f4d20310203010001a38201423082013e301d0603551d0e0416041468e8d758bafd2cf855 (5) State = 0x915bb662955cbb63d9e85057a0f8f68a (5) Message-Authenticator = 0x4b372884eaee0e458add2352d318a081 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (5) suffix: No such realm "example.org" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 7 length 1311 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x915bb662955cbb63 (5) eap: Finished EAP session with state 0x915bb662955cbb63 (5) eap: Previous EAP request found for state 0x915bb662955cbb63, released from the list (5) eap: Peer sent packet with method EAP TLS (13) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: (TLS) EAP Got final fragment (1305 bytes) (5) eap_tls: (TLS) EAP Done initial handshake (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (5) eap_tls: (TLS) Creating attributes from server certificate (5) eap_tls: TLS-Cert-Serial := "2557e1728d04afe1d4dc8f3ba7ed9f02a1142468" (5) eap_tls: TLS-Cert-Expiration := "240428013224Z" (5) eap_tls: TLS-Cert-Valid-Since := "240228013224Z" (5) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (5) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (5) eap_tls: TLS-Cert-Common-Name := "Example Certificate Authority" (5) eap_tls: (TLS) Creating attributes from client certificate (5) eap_tls: TLS-Client-Cert-Serial := "02" (5) eap_tls: TLS-Client-Cert-Expiration := "240428013225Z" (5) eap_tls: TLS-Client-Cert-Valid-Since := "240228013225Z" (5) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org" (5) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=Example Certificate Authority" (5) eap_tls: TLS-Client-Cert-Common-Name := "user@example.org" (5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (5) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "BF:8B:EE:28:D4:A2:2A:EE:30:BA:18:5B:11:76:50:45:1C:BC:A9:27" (5) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43" (5) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=Example Certificate Authority (TLS) untrusted certificate with depth [0] subject name /C=FR/ST=Radius/O=Example Inc./CN= user@example.org/emailAddress=user@example.org (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate (5) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (5) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (5) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished (5) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (5) eap_tls: (TLS) send TLS 1.2 Handshake, Finished (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished (5) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully (5) eap_tls: (TLS) Connection Established (5) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) eap_tls: TLS-Session-Version = "TLS 1.2" (5) eap: Sending EAP Request (code 1) ID 8 length 61 (5) eap: EAP session adding &reply:State = 0x915bb6629453bb63 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (5) TLS-Session-Version = "TLS 1.2" (5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:44657 length 119 (5) EAP-Message = 0x0108003d0d80000000331403030001011603030028e8ed43d5f14d7ea2d6d952a993702475cd35a16cc73f1546cffda13f01adc2ff0958fd830c2539cb (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x915bb6629453bb63d9e85057a0f8f68a (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 6 from 127.0.0.1:44657 to 127.0.0.1:1812 length 149 (6) User-Name = "user@example.org" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x020800060d00 (6) State = 0x915bb6629453bb63d9e85057a0f8f68a (6) Message-Authenticator = 0xeeed5fc00c06ed5bb63f1ef809fb0ff2 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) &session-state:TLS-Session-Version = "TLS 1.2" (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: Looking up realm "example.org" for User-Name = "user@example.org " (6) suffix: No such realm "example.org" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 8 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x915bb6629453bb63 (6) eap: Finished EAP session with state 0x915bb6629453bb63 (6) eap: Previous EAP request found for state 0x915bb6629453bb63, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (6) eap: Sending EAP Success (code 3) ID 8 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (6) post-auth { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (6) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (6) update { (6) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' (6) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' (6) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (6) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (6) } # update = noop (6) [exec] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) if (EAP-Key-Name && &reply:EAP-Session-Id) { (6) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (6) } # post-auth = noop (6) Sent Access-Accept Id 6 from 127.0.0.1:1812 to 127.0.0.1:44657 length 184 (6) MS-MPPE-Recv-Key = 0x2ce77c48a85743806af23a14abdbf24dc8ea52969462cc9cd7a5035b15aef473 (6) MS-MPPE-Send-Key = 0xc697aee46a8d611863036bd4cb69f412ff6f4a005165780b1ec25dcf40a28128 (6) EAP-Message = 0x03080004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) User-Name = "user@example.org" (6) Framed-MTU += 994 (6) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +25 due to cleanup_delay was reached (1) Cleaning up request packet ID 1 with timestamp +25 due to cleanup_delay was reached (2) Cleaning up request packet ID 2 with timestamp +25 due to cleanup_delay was reached (3) Cleaning up request packet ID 3 with timestamp +25 due to cleanup_delay was reached (4) Cleaning up request packet ID 4 with timestamp +25 due to cleanup_delay was reached (5) Cleaning up request packet ID 5 with timestamp +25 due to cleanup_delay was reached (6) Cleaning up request packet ID 6 with timestamp +25 due to cleanup_delay was reached Ready to process requests EAPOL_TEST.config Reading configuration file 'eapol_test.conf' Line: 1 - start of a new network block key_mgmt: 0x8 eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org client_cert - hexdump_ascii(len=36): 2f 65 74 63 2f 66 72 65 65 72 61 64 69 75 73 2f /etc/freeradius/ 33 2e 30 2f 63 65 72 74 73 2f 63 6c 69 65 6e 74 3.0/certs/client 2e 63 72 74 .crt private_key - hexdump_ascii(len=36): 2f 65 74 63 2f 66 72 65 65 72 61 64 69 75 73 2f /etc/freeradius/ 33 2e 30 2f 63 65 72 74 73 2f 63 6c 69 65 6e 74 3.0/certs/client 2e 6b 65 79 .key private_key_passwd - hexdump_ascii(len=8): 77 68 61 74 65 76 65 72 whatever ca_cert - hexdump_ascii(len=32): 2f 65 74 63 2f 66 72 65 65 72 61 64 69 75 73 2f /etc/freeradius/ 33 2e 30 2f 63 65 72 74 73 2f 63 61 2e 70 65 6d 3.0/certs/ca.pem Priority group 0 id=0 ssid='' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:40286 ENGINE: Loading builtin engines ENGINE: Loading builtin engines EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=77 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: Status notification: started (param=) EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=21) TX EAP -> RADIUS - hexdump(len=21): 02 4d 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=146 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=23 Value: 024d00150175736572406578616d706c652e6f7267 Attribute 80 (Message-Authenticator) length=18 Value: 5765424494243530746e574e5aec17e6 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 64 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=64 Attribute 79 (EAP-Message) length=8 Value: 014e00060d20 Attribute 80 (Message-Authenticator) length=18 Value: d936830309023cb23a0345057e2c5d2b Attribute 24 (State) length=18 Value: edd2cd8eed9cc0b549867676db0ddfbf STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=78 len=6) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=78 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 EAP: Status notification: accept proposed method (param=TLS) EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: using phase1 config options TLS: Trusted root certificate(s) loaded OpenSSL: SSL_use_certificate_chain_file --> OK OpenSSL: tls_use_private_key_file (PEM) --> loaded SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-TLS: Start SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before SSL initialization OpenSSL: TX ver=0x301 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 01 00 b3 OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello) OpenSSL: Message - hexdump(len=179): 01 00 00 af 03 03 fe d5 af 5e 92 5e df 28 8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a 00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 4e 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write client hello SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3/TLS write client hello SSL: SSL_connect - want more data SSL: 184 bytes pending from ssl_out SSL: Using TLS version TLSv1.2 SSL: 184 bytes left to be sent out (of total 184 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x55ff45bc6ad0 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=190) TX EAP -> RADIUS - hexdump(len=190): 02 4e 00 be 0d 00 16 03 01 00 b3 01 00 00 af 03 03 fe d5 af 5e 92 5e df 28 8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a 00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 4e 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=333 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=192 Value: 024e00be0d0016030100b3010000af0303fed5af5e925edf288b3a056a3b3ea98e4147b3cfffee8827e63c15561756730a000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602 Attribute 24 (State) length=18 Value: edd2cd8eed9cc0b549867676db0ddfbf Attribute 80 (Message-Authenticator) length=18 Value: 9fd5aa074756c60ac77358debc329fc4 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1068 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=1 length=1068 Attribute 79 (EAP-Message) length=255 Value: 014f03ec0dc000000b97160303003d020000390303f61d14e65035acccf7f101ae2de543a9bd8ef9d61c9cd4e1362ea674a439c09f00c030000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365 Attribute 79 (EAP-Message) length=255 Value: 72746966696361746520417574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a028201010090f40284a31ef1c54d2c4089d96d751eee590fe2a0f81288945416a8b00fb47a680dc5c3113908c26c4a11 Attribute 79 (EAP-Message) length=255 Value: 14b5ab75ea295fda69c5e15de6906813dac9fea2889f9f79d0c051fcc97e07e03d896a230dec1d4f604c710b647bdad81fc53655ea7387ae8553f7da01f272631f39c568eac2fe6878e15572a2f01d37f8f44a09e6e5c2a864606c271ecd1187c51040e852021bd2d50431f377668f442f96cec8117c73ef5fc3ee3e0911a0fcb57131ace51b49d05fc11bdecdeda1ad35f1a9db86cf06607f8ceade1cdd2acfb52ccd15116f1cb816ec154a22448df328dd45f51843a8669f1b0c31ab31da1ebf5b860ab7a45d1fcdbd40dcbf6d1e4e849547e67d0203010001a381aa3081a730130603551d25040c300a06082b0601050507030130360603551d1f04 Attribute 79 (EAP-Message) length=247 Value: 2f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c30180603551d200411300f300d060b2b0601040182be68010302301d0603551d0e041604143a44f16099a6e3432b1695cf5483ac52abe60fdf301f0603551d2304183016801468e8d758bafd2cf855e599f01d1be1b0497c4543300d06092a864886f70d01010b050003820101003fa79358983442290ecbe3fd48e904e37da1b69f8b560857f83c25cfad385713a2a07806c5276f47f2f0693d4247026b137eaeda12b44356ccbdad27bc443ca2ae17928c9344ab6995d4009a3a7eda75ab4ec523577b08 Attribute 80 (Message-Authenticator) length=18 Value: b8b7e03e1c7730eb5738e5229836fac4 Attribute 24 (State) length=18 Value: edd2cd8eec9dc0b549867676db0ddfbf STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=79 len=1004) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=79 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1004) - Flags 0xc0 SSL: TLS Message Length: 2967 SSL: Need 1973 bytes more input data SSL: Building ACK (type=13 id=79 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x55ff45bb9440 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 4f 00 06 0d 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=2 length=149 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 024f00060d00 Attribute 24 (State) length=18 Value: edd2cd8eec9dc0b549867676db0ddfbf Attribute 80 (Message-Authenticator) length=18 Value: 6adf378f78bcffea0a989b134718c3ce Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1068 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=2 length=1068 Attribute 79 (EAP-Message) length=255 Value: 015003ec0dc000000b9705ecb4b01e01e674cd17114248e5953c68d50808bfda8aedcbef7857bfaf2b3cd70f07eee53029230aa473f0afbf9e955f5178f7cf70f115fabdcbe7c4fa45f95e8e9176145705fd1797d7f024b3b33fc9171eb0263c7423df92605a8c34330475ec57f4e7db3053004b588ee2264d51a48100835f69f92f1bebdbeb03d94d7eed49ddbe8eba3444d1daf370d6a9a4869ea7236e8851466bf4bb28fcd5a1c439674838242589003aba0004fe308204fa308203e2a00302010202142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06 Attribute 79 (EAP-Message) length=255 Value: 035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d01090116 Attribute 79 (EAP-Message) length=255 Value: 1161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101008fd8ebe0ef83c9187f256e38e9ef2d6ef1e365f03987f64178ad8c099f79c9e10f79d3d296a75ff7fe44d7da66b8ba79f74ec0c2f6dab09a0c9d5e8bd725476b08a5dfd353d7d7e469a9cf5316bd19da820a61f3803c6aa2e95c37445c43ab0944dc3606c4218104b27c305d280aeede42e736bac91bcba157fc93d0e1c09774cf067dbb512b716b667a4eba19884aca067a10bb7ec4cb2819492d2cd2abd023eb49 Attribute 79 (EAP-Message) length=247 Value: b2a8e014cdb8a11919160933ee62710fb3d7e0e886b083f7220e3be12283970f5b343c9ca3f348b728ec195e4cfc279d54f3a1fb1d2ae18d0344622ea8f4a582ed3679d381e3fbd40fca2c9e8cf651f2ddba621312b81203fc918f4d20310203010001a38201423082013e301d0603551d0e0416041468e8d758bafd2cf855e599f01d1be1b0497c45433081d30603551d230481cb3081c8801468e8d758bafd2cf855e599f01d1be1b0497c4543a18199a48196308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c45 Attribute 80 (Message-Authenticator) length=18 Value: d7b344b5c88528d5c384639186ed3f9b Attribute 24 (State) length=18 Value: edd2cd8eef82c0b549867676db0ddfbf STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=80 len=1004) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=80 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1004) - Flags 0xc0 SSL: TLS Message Length: 2967 SSL: Need 979 bytes more input data SSL: Building ACK (type=13 id=80 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x55ff45bb9440 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 50 00 06 0d 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=3 length=149 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 025000060d00 Attribute 24 (State) length=18 Value: edd2cd8eef82c0b549867676db0ddfbf Attribute 80 (Message-Authenticator) length=18 Value: e32b0f568fbec391ea359d5727310723 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1053 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=3 length=1053 Attribute 79 (EAP-Message) length=255 Value: 015103dd0d8000000b9778616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100555b2e66c6da9a6ffd14172dbedf3d1e5338f55da258fafeb78d26408f25e04b82c56c5773e15ad3b03594 Attribute 79 (EAP-Message) length=255 Value: 6ecc123e61001c5718bb698e44c8741fc483cb47e4928fe23a31df3bfaa251a3fde3c9214339af971304506bc9d405d0c5d55a1b105eeb8442aee49682191f524ef1c90329fcfb65076f6d7159d78e076ba54d7a3e70e1e92cdb86762d742d098e03a3a75e8c270718aee58d740c5cced0b9b6c3a20b02354f8bb632af96b1706c91d7ac96407cfc680f49e343daaa744c3f36fc287d24339ca136b228df51b0926c6e9d2c320805fbc420e9be9e07409a208ebc4745ab0c387395c286d77147e17a31168e561d8e07439e91fc7597bf4c3b2d0580160303012c0c00012803001d20ec42a2c97b33ba7b758710660f249db1988f182ac4f3a1bec6aa63 Attribute 79 (EAP-Message) length=255 Value: b913ee06640804010071938d1b655469023aba67bba8063176e9fe7eb476650270df1f10569a2e8e8ae832af529c07a234ea2b32e8910fc8b2d136b0374b4331273847c1583930a6417be5ffe5f9300a8d3ad03f08e01dd027ad6db66ec547b75767d995c35f1bf99c802cad871fa2cd75e7a77cdcdba8145690d8e39b1c9b895041cf8d2c46de6747b1a099e91d7d81357d542b8f323e1e46647917248b878ee0982dacae6cdd2d0e21eb5a516bbd1eeda979b30d2126ce0050ed33357b07afac697c1fbf67007dacc3328d7409bc95160dc7f3e2c607fe9aae3fb6f003c001ae617d34769d8fb52ba5da8ffb8f4a3434b971fafecb547c090addd690 Attribute 79 (EAP-Message) length=232 Value: 3ba1a8d942046e945a826dbd16030300cc0d0000c8030102400028040305030603080708080809080a080b08040805080604010501060103030301030204020502060200980096308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747916030300040e000000 Attribute 80 (Message-Authenticator) length=18 Value: d4c6474e5e1b5a24f47f58d519f69e43 Attribute 24 (State) length=18 Value: edd2cd8eee83c0b549867676db0ddfbf STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=81 len=989) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=81 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=989) - Flags 0x80 SSL: TLS Message Length: 2967 OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 3d SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write client hello OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello) OpenSSL: Message - hexdump(len=61): 02 00 00 39 03 03 f6 1d 14 e6 50 35 ac cc f7 f1 01 ae 2d e5 43 a9 bd 8e f9 d6 1c 9c d4 e1 36 2e a6 74 a4 39 c0 9f 00 c0 30 00 00 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 00 00 OpenSSL: Server selected cipher suite 0xc030 OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 09 45 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read server hello OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate) OpenSSL: Message - hexdump(len=2373): 0b 00 09 41 00 09 3e 00 04 3a 30 82 04 36 30 82 03 1e a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 34 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 34 5a 30 7c 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 23 30 21 06 03 55 04 03 0c 1a 45 78 61 6d 70 6c 65 20 53 65 72 76 65 72 20 43 65 72 74 69 66 69 63 61 74 65 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 90 f4 02 84 a3 1e f1 c5 4d 2c 40 89 d9 6d 75 1e ee 59 0f e2 a0 f8 12 88 94 54 16 a8 b0 0f b4 7a 68 0d c5 c3 11 39 08 c2 6c 4a 11 14 b5 ab 75 ea 29 5f da 69 c5 e1 5d e6 90 68 13 da c9 fe a2 88 9f 9f 79 d0 c0 51 fc c9 7e 07 e0 3d 89 6a 23 0d ec 1d 4f 60 4c 71 0b 64 7b da d8 1f c5 36 55 ea 73 87 ae 85 53 f7 da 01 f2 72 63 1f 39 c5 68 ea c2 fe 68 78 e1 55 72 a2 f0 1d 37 f8 f4 4a 09 e6 e5 c2 a8 64 60 6c 27 1e cd 11 87 c5 10 40 e8 52 02 1b d2 d5 04 31 f3 77 66 8f 44 2f 96 ce c8 11 7c 73 ef 5f c3 ee 3e 09 11 a0 fc b5 71 31 ac e5 1b 49 d0 5f c1 1b de cd ed a1 ad 35 f1 a9 db 86 cf 06 60 7f 8c ea de 1c dd 2a cf b5 2c cd 15 11 6f 1c b8 16 ec 15 4a 22 44 8d f3 28 dd 45 f5 18 43 a8 66 9f 1b 0c 31 ab 31 da 1e bf 5b 86 0a b7 a4 5d 1f cd bd 40 dc bf 6d 1e 4e 84 95 47 e6 7d 02 03 01 00 01 a3 81 aa 30 81 a7 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 18 06 03 55 1d 20 04 11 30 0f 30 0d 06 0b 2b 06 01 04 01 82 be 68 01 03 02 30 1d 06 03 55 1d 0e 04 16 04 14 3a 44 f1 60 99 a6 e3 43 2b 16 95 cf 54 83 ac 52 ab e6 0f df 30 1f 06 03 55 1d 23 04 18 30 16 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 3f a7 93 58 98 34 42 29 0e cb e3 fd 48 e9 04 e3 7d a1 b6 9f 8b 56 08 57 f8 3c 25 cf ad 38 57 13 a2 a0 78 06 c5 27 6f 47 f2 f0 69 3d 42 47 02 6b 13 7e ae da 12 b4 43 56 cc bd ad 27 bc 44 3c a2 ae 17 92 8c 93 44 ab 69 95 d4 00 9a 3a 7e da 75 ab 4e c5 23 57 7b 08 05 ec b4 b0 1e 01 e6 74 cd 17 11 42 48 e5 95 3c 68 d5 08 08 bf da 8a ed cb ef 78 57 bf af 2b 3c d7 0f 07 ee e5 30 29 23 0a a4 73 f0 af bf 9e 95 5f 51 78 f7 cf 70 f1 15 fa bd cb e7 c4 fa 45 f9 5e 8e 91 76 14 57 05 fd 17 97 d7 f0 24 b3 b3 3f c9 17 1e b0 26 3c 74 23 df 92 60 5a 8c 34 33 04 75 ec 57 f4 e7 db 30 53 00 4b 58 8e e2 26 4d 51 a4 81 00 83 5f 69 f9 2f 1b eb db eb 03 d9 4d 7e ed 49 dd be 8e ba 34 44 d1 da f3 70 d6 a9 a4 86 9e a7 23 6e 88 51 46 6b f4 bb 28 fc d5 a1 c4 39 67 48 38 24 25 89 00 3a ba 00 04 fe 30 82 04 fa 30 82 03 e2 a0 03 02 01 02 02 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 34 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 34 5a 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f d8 eb e0 ef 83 c9 18 7f 25 6e 38 e9 ef 2d 6e f1 e3 65 f0 39 87 f6 41 78 ad 8c 09 9f 79 c9 e1 0f 79 d3 d2 96 a7 5f f7 fe 44 d7 da 66 b8 ba 79 f7 4e c0 c2 f6 da b0 9a 0c 9d 5e 8b d7 25 47 6b 08 a5 df d3 53 d7 d7 e4 69 a9 cf 53 16 bd 19 da 82 0a 61 f3 80 3c 6a a2 e9 5c 37 44 5c 43 ab 09 44 dc 36 06 c4 21 81 04 b2 7c 30 5d 28 0a ee de 42 e7 36 ba c9 1b cb a1 57 fc 93 d0 e1 c0 97 74 cf 06 7d bb 51 2b 71 6b 66 7a 4e ba 19 88 4a ca 06 7a 10 bb 7e c4 cb 28 19 49 2d 2c d2 ab d0 23 eb 49 b2 a8 e0 14 cd b8 a1 19 19 16 09 33 ee 62 71 0f b3 d7 e0 e8 86 b0 83 f7 22 0e 3b e1 22 83 97 0f 5b 34 3c 9c a3 f3 48 b7 28 ec 19 5e 4c fc 27 9d 54 f3 a1 fb 1d 2a e1 8d 03 44 62 2e a8 f4 a5 82 ed 36 79 d3 81 e3 fb d4 0f ca 2c 9e 8c f6 51 f2 dd ba 62 13 12 b8 12 03 fc 91 8f 4d 20 31 02 03 01 00 01 a3 82 01 42 30 82 01 3e 30 1d 06 03 55 1d 0e 04 16 04 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 81 d3 06 03 55 1d 23 04 81 cb 30 81 c8 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 55 5b 2e 66 c6 da 9a 6f fd 14 17 2d be df 3d 1e 53 38 f5 5d a2 58 fa fe b7 8d 26 40 8f 25 e0 4b 82 c5 6c 57 73 e1 5a d3 b0 35 94 6e cc 12 3e 61 00 1c 57 18 bb 69 8e 44 c8 74 1f c4 83 cb 47 e4 92 8f e2 3a 31 df 3b fa a2 51 a3 fd e3 c9 21 43 39 af 97 13 04 50 6b c9 d4 05 d0 c5 d5 5a 1b 10 5e eb 84 42 ae e4 96 82 19 1f 52 4e f1 c9 03 29 fc fb 65 07 6f 6d 71 59 d7 8e 07 6b a5 4d 7a 3e 70 e1 e9 2c db 86 76 2d 74 2d 09 8e 03 a3 a7 5e 8c 27 07 18 ae e5 8d 74 0c 5c ce d0 b9 b6 c3 a2 0b 02 35 4f 8b b6 32 af 96 b1 70 6c 91 d7 ac 96 40 7c fc 68 0f 49 e3 43 da aa 74 4c 3f 36 fc 28 7d 24 33 9c a1 36 b2 28 df 51 b0 92 6c 6e 9d 2c 32 08 05 fb c4 20 e9 be 9e 07 40 9a 20 8e bc 47 45 ab 0c 38 73 95 c2 86 d7 71 47 e1 7a 31 16 8e 56 1d 8e 07 43 9e 91 fc 75 97 bf 4c 3b 2d 05 80 OpenSSL: Peer certificate - depth 1 Certificate: Data: Version: 3 (0x2) Serial Number: 25:57:e1:72:8d:04:af:e1:d4:dc:8f:3b:a7:ed:9f:02:a1:14:24:68 Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress= admin@example.org, CN=Example Certificate Authority Validity Not Before: Feb 28 01:32:24 2024 GMT Not After : Apr 28 01:32:24 2024 GMT Subject: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress= admin@example.org, CN=Example Certificate Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:8f:d8:eb:e0:ef:83:c9:18:7f:25:6e:38:e9:ef: 2d:6e:f1:e3:65:f0:39:87:f6:41:78:ad:8c:09:9f: 79:c9:e1:0f:79:d3:d2:96:a7:5f:f7:fe:44:d7:da: 66:b8:ba:79:f7:4e:c0:c2:f6:da:b0:9a:0c:9d:5e: 8b:d7:25:47:6b:08:a5:df:d3:53:d7:d7:e4:69:a9: cf:53:16:bd:19:da:82:0a:61:f3:80:3c:6a:a2:e9: 5c:37:44:5c:43:ab:09:44:dc:36:06:c4:21:81:04: b2:7c:30:5d:28:0a:ee:de:42:e7:36:ba:c9:1b:cb: a1:57:fc:93:d0:e1:c0:97:74:cf:06:7d:bb:51:2b: 71:6b:66:7a:4e:ba:19:88:4a:ca:06:7a:10:bb:7e: c4:cb:28:19:49:2d:2c:d2:ab:d0:23:eb:49:b2:a8: e0:14:cd:b8:a1:19:19:16:09:33:ee:62:71:0f:b3: d7:e0:e8:86:b0:83:f7:22:0e:3b:e1:22:83:97:0f: 5b:34:3c:9c:a3:f3:48:b7:28:ec:19:5e:4c:fc:27: 9d:54:f3:a1:fb:1d:2a:e1:8d:03:44:62:2e:a8:f4: a5:82:ed:36:79:d3:81:e3:fb:d4:0f:ca:2c:9e:8c: f6:51:f2:dd:ba:62:13:12:b8:12:03:fc:91:8f:4d: 20:31 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43 X509v3 Authority Key Identifier: keyid:68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43 DirName:/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority serial:25:57:E1:72:8D:04:AF:E1:D4:DC:8F:3B:A7:ED:9F:02:A1:14:24:68 X509v3 Basic Constraints: critical CA:TRUE X509v3 CRL Distribution Points: Full Name: URI:http://www.example.org/example_ca.crl Signature Algorithm: sha256WithRSAEncryption Signature Value: 55:5b:2e:66:c6:da:9a:6f:fd:14:17:2d:be:df:3d:1e:53:38: f5:5d:a2:58:fa:fe:b7:8d:26:40:8f:25:e0:4b:82:c5:6c:57: 73:e1:5a:d3:b0:35:94:6e:cc:12:3e:61:00:1c:57:18:bb:69: 8e:44:c8:74:1f:c4:83:cb:47:e4:92:8f:e2:3a:31:df:3b:fa: a2:51:a3:fd:e3:c9:21:43:39:af:97:13:04:50:6b:c9:d4:05: d0:c5:d5:5a:1b:10:5e:eb:84:42:ae:e4:96:82:19:1f:52:4e: f1:c9:03:29:fc:fb:65:07:6f:6d:71:59:d7:8e:07:6b:a5:4d: 7a:3e:70:e1:e9:2c:db:86:76:2d:74:2d:09:8e:03:a3:a7:5e: 8c:27:07:18:ae:e5:8d:74:0c:5c:ce:d0:b9:b6:c3:a2:0b:02: 35:4f:8b:b6:32:af:96:b1:70:6c:91:d7:ac:96:40:7c:fc:68: 0f:49:e3:43:da:aa:74:4c:3f:36:fc:28:7d:24:33:9c:a1:36: b2:28:df:51:b0:92:6c:6e:9d:2c:32:08:05:fb:c4:20:e9:be: 9e:07:40:9a:20:8e:bc:47:45:ab:0c:38:73:95:c2:86:d7:71: 47:e1:7a:31:16:8e:56:1d:8e:07:43:9e:91:fc:75:97:bf:4c: 3b:2d:05:80 CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=Example Certificate Authority' hash=d9eac2b02db2002517073d70ad51fa46a6059ab4c460b5d258c55c26e0f3e389 TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=Example Certificate Authority' OpenSSL: Peer certificate - depth 0 Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=Radius, L=Somewhere, O=Example Inc./emailAddress= admin@example.org, CN=Example Certificate Authority Validity Not Before: Feb 28 01:32:24 2024 GMT Not After : Apr 28 01:32:24 2024 GMT Subject: C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate/emailAddress=admin@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:90:f4:02:84:a3:1e:f1:c5:4d:2c:40:89:d9:6d: 75:1e:ee:59:0f:e2:a0:f8:12:88:94:54:16:a8:b0: 0f:b4:7a:68:0d:c5:c3:11:39:08:c2:6c:4a:11:14: b5:ab:75:ea:29:5f:da:69:c5:e1:5d:e6:90:68:13: da:c9:fe:a2:88:9f:9f:79:d0:c0:51:fc:c9:7e:07: e0:3d:89:6a:23:0d:ec:1d:4f:60:4c:71:0b:64:7b: da:d8:1f:c5:36:55:ea:73:87:ae:85:53:f7:da:01: f2:72:63:1f:39:c5:68:ea:c2:fe:68:78:e1:55:72: a2:f0:1d:37:f8:f4:4a:09:e6:e5:c2:a8:64:60:6c: 27:1e:cd:11:87:c5:10:40:e8:52:02:1b:d2:d5:04: 31:f3:77:66:8f:44:2f:96:ce:c8:11:7c:73:ef:5f: c3:ee:3e:09:11:a0:fc:b5:71:31:ac:e5:1b:49:d0: 5f:c1:1b:de:cd:ed:a1:ad:35:f1:a9:db:86:cf:06: 60:7f:8c:ea:de:1c:dd:2a:cf:b5:2c:cd:15:11:6f: 1c:b8:16:ec:15:4a:22:44:8d:f3:28:dd:45:f5:18: 43:a8:66:9f:1b:0c:31:ab:31:da:1e:bf:5b:86:0a: b7:a4:5d:1f:cd:bd:40:dc:bf:6d:1e:4e:84:95:47: e6:7d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: Full Name: URI:http://www.example.com/example_ca.crl X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.40808.1.3.2 X509v3 Subject Key Identifier: 3A:44:F1:60:99:A6:E3:43:2B:16:95:CF:54:83:AC:52:AB:E6:0F:DF X509v3 Authority Key Identifier: 68:E8:D7:58:BA:FD:2C:F8:55:E5:99:F0:1D:1B:E1:B0:49:7C:45:43 Signature Algorithm: sha256WithRSAEncryption Signature Value: 3f:a7:93:58:98:34:42:29:0e:cb:e3:fd:48:e9:04:e3:7d:a1: b6:9f:8b:56:08:57:f8:3c:25:cf:ad:38:57:13:a2:a0:78:06: c5:27:6f:47:f2:f0:69:3d:42:47:02:6b:13:7e:ae:da:12:b4: 43:56:cc:bd:ad:27:bc:44:3c:a2:ae:17:92:8c:93:44:ab:69: 95:d4:00:9a:3a:7e:da:75:ab:4e:c5:23:57:7b:08:05:ec:b4: b0:1e:01:e6:74:cd:17:11:42:48:e5:95:3c:68:d5:08:08:bf: da:8a:ed:cb:ef:78:57:bf:af:2b:3c:d7:0f:07:ee:e5:30:29: 23:0a:a4:73:f0:af:bf:9e:95:5f:51:78:f7:cf:70:f1:15:fa: bd:cb:e7:c4:fa:45:f9:5e:8e:91:76:14:57:05:fd:17:97:d7: f0:24:b3:b3:3f:c9:17:1e:b0:26:3c:74:23:df:92:60:5a:8c: 34:33:04:75:ec:57:f4:e7:db:30:53:00:4b:58:8e:e2:26:4d: 51:a4:81:00:83:5f:69:f9:2f:1b:eb:db:eb:03:d9:4d:7e:ed: 49:dd:be:8e:ba:34:44:d1:da:f3:70:d6:a9:a4:86:9e:a7:23: 6e:88:51:46:6b:f4:bb:28:fc:d5:a1:c4:39:67:48:38:24:25: 89:00:3a:ba OpenSSL: Certificate Policy 1.3.6.1.4.1.40808.1.3.2 CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org' hash=073547d6385e05633e2e810ad0e344cdd22c846f929bc63041a12f0c068cdb08 TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.org' EAP: Status notification: remote certificate verification (param=success) OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 01 2c SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read server certificate OpenSSL: RX ver=0x303 content_type=22 (handshake/server key exchange) OpenSSL: Message - hexdump(len=300): 0c 00 01 28 03 00 1d 20 ec 42 a2 c9 7b 33 ba 7b 75 87 10 66 0f 24 9d b1 98 8f 18 2a c4 f3 a1 be c6 aa 63 b9 13 ee 06 64 08 04 01 00 71 93 8d 1b 65 54 69 02 3a ba 67 bb a8 06 31 76 e9 fe 7e b4 76 65 02 70 df 1f 10 56 9a 2e 8e 8a e8 32 af 52 9c 07 a2 34 ea 2b 32 e8 91 0f c8 b2 d1 36 b0 37 4b 43 31 27 38 47 c1 58 39 30 a6 41 7b e5 ff e5 f9 30 0a 8d 3a d0 3f 08 e0 1d d0 27 ad 6d b6 6e c5 47 b7 57 67 d9 95 c3 5f 1b f9 9c 80 2c ad 87 1f a2 cd 75 e7 a7 7c dc db a8 14 56 90 d8 e3 9b 1c 9b 89 50 41 cf 8d 2c 46 de 67 47 b1 a0 99 e9 1d 7d 81 35 7d 54 2b 8f 32 3e 1e 46 64 79 17 24 8b 87 8e e0 98 2d ac ae 6c dd 2d 0e 21 eb 5a 51 6b bd 1e ed a9 79 b3 0d 21 26 ce 00 50 ed 33 35 7b 07 af ac 69 7c 1f bf 67 00 7d ac c3 32 8d 74 09 bc 95 16 0d c7 f3 e2 c6 07 fe 9a ae 3f b6 f0 03 c0 01 ae 61 7d 34 76 9d 8f b5 2b a5 da 8f fb 8f 4a 34 34 b9 71 fa fe cb 54 7c 09 0a dd d6 90 3b a1 a8 d9 42 04 6e 94 5a 82 6d bd OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 cc SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read server key exchange OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate request) OpenSSL: Message - hexdump(len=204): 0d 00 00 c8 03 01 02 40 00 28 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02 00 98 00 96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 04 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read server certificate request OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello done) OpenSSL: Message - hexdump(len=4): 0e 00 00 00 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read server done OpenSSL: TX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 09 20 OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate) OpenSSL: Message - hexdump(len=2336): 0b 00 09 1c 00 09 19 00 04 15 30 82 04 11 30 82 02 f9 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 35 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 35 5a 30 71 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 19 30 17 06 03 55 04 03 0c 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 1f 30 1d 06 09 2a 86 48 86 f7 0d 01 09 01 16 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d1 c6 40 45 7c 20 4f 03 e3 c2 98 b4 de b9 79 0c 67 db 36 e0 99 ff 1f c5 fe 86 42 58 0d 3a 09 50 d3 e6 86 88 e0 1d 84 31 46 e6 75 b2 d6 f9 47 3d ba 8c d1 0f 40 b3 fb 58 55 36 75 e8 6d 5f f9 74 68 8d e4 e5 bb 94 64 41 b6 8f 4a 81 31 dc fc 8d f7 6d 25 84 be a3 68 b9 1b 6b 05 4d d1 07 3e 66 ca ce 43 8b 74 35 3b 35 1e 22 40 8d fb a5 96 79 ce 1f 23 04 a6 c0 a7 58 b1 f9 ce 5d f4 4f af 05 c7 b0 23 cc ce 0e 2d 7a ad 2e 60 be 0e 65 2e 5b 3b ad e9 8d d6 b8 df f6 1d 85 0d e9 56 ca b4 fd c5 97 16 52 c6 28 99 aa 32 62 00 11 1b c9 a0 99 57 71 45 75 32 2d 7c 20 3f d4 d7 d0 03 73 5b f2 6e 45 ec 37 35 f7 18 99 bc 3c 16 4d aa 01 89 ea 33 96 9d e7 85 74 e0 3b d1 c6 4d 3e 23 71 7a 7a 35 b7 60 08 94 72 3e 61 98 25 49 d9 03 83 fa 96 a9 a2 42 9a 13 03 e0 2a 07 ee e3 f8 2d 4d 8f 39 02 03 01 00 01 a3 81 90 30 81 8d 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 02 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 1d 06 03 55 1d 0e 04 16 04 14 bf 8b ee 28 d4 a2 2a ee 30 ba 18 5b 11 76 50 45 1c bc a9 27 30 1f 06 03 55 1d 23 04 18 30 16 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 5d ee d5 bf fc 30 3a 44 32 e4 68 16 9d fb 14 6b f5 bd 26 9e 19 6d 22 21 5c 0f 51 42 d7 b5 da ed 63 94 b7 8d 8b f9 41 b4 c9 e9 0b c3 99 71 89 d5 67 25 e9 4e 46 42 01 15 eb 96 08 01 37 18 41 75 53 c0 00 6b 75 fe 76 30 74 bf 66 74 c5 11 2d 6f 6c 4f 75 fc d7 14 20 fb 86 29 80 13 7b 45 1a 95 57 77 14 5d 5d b9 fd f3 6f 6b da 4a bb ff ec 75 f8 f7 de f4 7a af fb db fa aa 41 ef ba 6c 35 b9 1d 46 55 4d 70 a3 da b7 77 e0 8d 19 28 6f 3a 83 5e f1 12 34 1c e0 9a 2b f5 98 73 17 9b d4 0e 45 f5 04 cd e2 08 d3 13 2c a4 30 91 4b 69 4c 5d ab df 94 30 89 61 fd 14 ff d3 59 75 1f cc 29 28 93 a5 c8 96 76 ad ac 6c 48 4a 16 c9 d3 0c df 42 be 93 53 08 69 5e 68 b7 d9 64 d5 09 58 cf f5 45 43 65 f6 02 9a 6a f7 fe 25 c3 9f a6 99 06 b3 f7 94 0e b2 6b 45 41 d5 c9 e3 28 94 80 51 a3 08 44 4c 00 04 fe 30 82 04 fa 30 82 03 e2 a0 03 02 01 02 02 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 34 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 34 5a 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f d8 eb e0 ef 83 c9 18 7f 25 6e 38 e9 ef 2d 6e f1 e3 65 f0 39 87 f6 41 78 ad 8c 09 9f 79 c9 e1 0f 79 d3 d2 96 a7 5f f7 fe 44 d7 da 66 b8 ba 79 f7 4e c0 c2 f6 da b0 9a 0c 9d 5e 8b d7 25 47 6b 08 a5 df d3 53 d7 d7 e4 69 a9 cf 53 16 bd 19 da 82 0a 61 f3 80 3c 6a a2 e9 5c 37 44 5c 43 ab 09 44 dc 36 06 c4 21 81 04 b2 7c 30 5d 28 0a ee de 42 e7 36 ba c9 1b cb a1 57 fc 93 d0 e1 c0 97 74 cf 06 7d bb 51 2b 71 6b 66 7a 4e ba 19 88 4a ca 06 7a 10 bb 7e c4 cb 28 19 49 2d 2c d2 ab d0 23 eb 49 b2 a8 e0 14 cd b8 a1 19 19 16 09 33 ee 62 71 0f b3 d7 e0 e8 86 b0 83 f7 22 0e 3b e1 22 83 97 0f 5b 34 3c 9c a3 f3 48 b7 28 ec 19 5e 4c fc 27 9d 54 f3 a1 fb 1d 2a e1 8d 03 44 62 2e a8 f4 a5 82 ed 36 79 d3 81 e3 fb d4 0f ca 2c 9e 8c f6 51 f2 dd ba 62 13 12 b8 12 03 fc 91 8f 4d 20 31 02 03 01 00 01 a3 82 01 42 30 82 01 3e 30 1d 06 03 55 1d 0e 04 16 04 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 81 d3 06 03 55 1d 23 04 81 cb 30 81 c8 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 55 5b 2e 66 c6 da 9a 6f fd 14 17 2d be df 3d 1e 53 38 f5 5d a2 58 fa fe b7 8d 26 40 8f 25 e0 4b 82 c5 6c 57 73 e1 5a d3 b0 35 94 6e cc 12 3e 61 00 1c 57 18 bb 69 8e 44 c8 74 1f c4 83 cb 47 e4 92 8f e2 3a 31 df 3b fa a2 51 a3 fd e3 c9 21 43 39 af 97 13 04 50 6b c9 d4 05 d0 c5 d5 5a 1b 10 5e eb 84 42 ae e4 96 82 19 1f 52 4e f1 c9 03 29 fc fb 65 07 6f 6d 71 59 d7 8e 07 6b a5 4d 7a 3e 70 e1 e9 2c db 86 76 2d 74 2d 09 8e 03 a3 a7 5e 8c 27 07 18 ae e5 8d 74 0c 5c ce d0 b9 b6 c3 a2 0b 02 35 4f 8b b6 32 af 96 b1 70 6c 91 d7 ac 96 40 7c fc 68 0f 49 e3 43 da aa 74 4c 3f 36 fc 28 7d 24 33 9c a1 36 b2 28 df 51 b0 92 6c 6e 9d 2c 32 08 05 fb c4 20 e9 be 9e 07 40 9a 20 8e bc 47 45 ab 0c 38 73 95 c2 86 d7 71 47 e1 7a 31 16 8e 56 1d 8e 07 43 9e 91 fc 75 97 bf 4c 3b 2d 05 80 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write client certificate OpenSSL: TX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 25 OpenSSL: TX ver=0x303 content_type=22 (handshake/client key exchange) OpenSSL: Message - hexdump(len=37): 10 00 00 21 20 8d d6 f6 a6 33 0a f7 f9 a6 0e 4e 88 a4 4d 42 bc e3 f9 03 4b 93 b6 eb 6e 75 0f f8 fc 1a 79 cc 7f SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write client key exchange OpenSSL: TX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 01 08 OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate verify) OpenSSL: Message - hexdump(len=264): 0f 00 01 04 08 04 01 00 19 50 dc 25 20 c7 d1 09 52 26 0f d9 66 db 0e d4 fc 5c 3d 27 f8 39 f9 ca 21 2b 12 35 97 2a 2b 70 e6 70 56 f9 e0 f4 2d 12 3b 49 d6 f3 70 f7 d0 c2 52 2a d4 21 74 d5 f0 36 2d 5f 0a a3 35 ff e7 79 20 a9 09 10 20 86 b6 a6 a8 42 b4 9e 99 1e 7b aa 5a 0c 47 30 c5 bf 8d d1 a9 ec 58 6a 3e 0f 2c 3c 50 32 ab 75 3d 51 a1 2c 74 4c 12 9c f2 5b bb 9d 32 58 0e 77 bf 76 fe c2 f1 d1 4f 48 95 98 ab 5a 0e 35 6c ca 41 4f f4 2f 0f ba 76 c6 7c 86 4e 01 84 c4 f2 bd 64 8b 88 71 59 fe 32 e8 b9 c2 02 b2 7d 00 cf 19 88 2f d7 5c af 8c 2b 9b a3 c0 92 94 33 39 88 4a a4 f0 12 55 c3 94 6d 09 de 15 f8 2f 57 4d 79 da fd d3 8e 7c 5f 6c db 6e 6b c5 3f b8 97 87 c9 da 63 f2 21 6b 28 c5 bb 8a 5f 5d d7 28 7a f3 bf 39 c7 c9 d0 8b 6f 2a e9 0f 03 f1 be d8 1f da e9 d3 0f e3 57 e9 3f c7 4a 14 d6 8b 81 b2 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write certificate verify OpenSSL: TX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 14 03 03 00 01 OpenSSL: TX ver=0x303 content_type=20 (change cipher spec/) OpenSSL: Message - hexdump(len=1): 01 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write change cipher spec OpenSSL: TX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 28 OpenSSL: TX ver=0x303 content_type=22 (handshake/finished) OpenSSL: Message - hexdump(len=16): 14 00 00 0c a8 6f b1 7e d2 14 c7 c2 de bf 56 20 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write finished SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3/TLS write finished SSL: SSL_connect - want more data SSL: 2703 bytes pending from ssl_out SSL: Using TLS version TLSv1.2 SSL: 2703 bytes left to be sent out (of total 2703 bytes) SSL: sending 1398 bytes, more fragments will follow EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x55ff45bf6220 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=1408) TX EAP -> RADIUS - hexdump(len=1408): 02 51 05 80 0d c0 00 00 0a 8f 16 03 03 09 20 0b 00 09 1c 00 09 19 00 04 15 30 82 04 11 30 82 02 f9 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 35 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 35 5a 30 71 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 19 30 17 06 03 55 04 03 0c 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 1f 30 1d 06 09 2a 86 48 86 f7 0d 01 09 01 16 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d1 c6 40 45 7c 20 4f 03 e3 c2 98 b4 de b9 79 0c 67 db 36 e0 99 ff 1f c5 fe 86 42 58 0d 3a 09 50 d3 e6 86 88 e0 1d 84 31 46 e6 75 b2 d6 f9 47 3d ba 8c d1 0f 40 b3 fb 58 55 36 75 e8 6d 5f f9 74 68 8d e4 e5 bb 94 64 41 b6 8f 4a 81 31 dc fc 8d f7 6d 25 84 be a3 68 b9 1b 6b 05 4d d1 07 3e 66 ca ce 43 8b 74 35 3b 35 1e 22 40 8d fb a5 96 79 ce 1f 23 04 a6 c0 a7 58 b1 f9 ce 5d f4 4f af 05 c7 b0 23 cc ce 0e 2d 7a ad 2e 60 be 0e 65 2e 5b 3b ad e9 8d d6 b8 df f6 1d 85 0d e9 56 ca b4 fd c5 97 16 52 c6 28 99 aa 32 62 00 11 1b c9 a0 99 57 71 45 75 32 2d 7c 20 3f d4 d7 d0 03 73 5b f2 6e 45 ec 37 35 f7 18 99 bc 3c 16 4d aa 01 89 ea 33 96 9d e7 85 74 e0 3b d1 c6 4d 3e 23 71 7a 7a 35 b7 60 08 94 72 3e 61 98 25 49 d9 03 83 fa 96 a9 a2 42 9a 13 03 e0 2a 07 ee e3 f8 2d 4d 8f 39 02 03 01 00 01 a3 81 90 30 81 8d 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 02 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 1d 06 03 55 1d 0e 04 16 04 14 bf 8b ee 28 d4 a2 2a ee 30 ba 18 5b 11 76 50 45 1c bc a9 27 30 1f 06 03 55 1d 23 04 18 30 16 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 5d ee d5 bf fc 30 3a 44 32 e4 68 16 9d fb 14 6b f5 bd 26 9e 19 6d 22 21 5c 0f 51 42 d7 b5 da ed 63 94 b7 8d 8b f9 41 b4 c9 e9 0b c3 99 71 89 d5 67 25 e9 4e 46 42 01 15 eb 96 08 01 37 18 41 75 53 c0 00 6b 75 fe 76 30 74 bf 66 74 c5 11 2d 6f 6c 4f 75 fc d7 14 20 fb 86 29 80 13 7b 45 1a 95 57 77 14 5d 5d b9 fd f3 6f 6b da 4a bb ff ec 75 f8 f7 de f4 7a af fb db fa aa 41 ef ba 6c 35 b9 1d 46 55 4d 70 a3 da b7 77 e0 8d 19 28 6f 3a 83 5e f1 12 34 1c e0 9a 2b f5 98 73 17 9b d4 0e 45 f5 04 cd e2 08 d3 13 2c a4 30 91 4b 69 4c 5d ab df 94 30 89 61 fd 14 ff d3 59 75 1f cc 29 28 93 a5 c8 96 76 ad ac 6c 48 4a 16 c9 d3 0c df 42 be 93 53 08 69 5e 68 b7 d9 64 d5 09 58 cf f5 45 43 65 f6 02 9a 6a f7 fe 25 c3 9f a6 99 06 b3 f7 94 0e b2 6b 45 41 d5 c9 e3 28 94 80 51 a3 08 44 4c 00 04 fe 30 82 04 fa 30 82 03 e2 a0 03 02 01 02 02 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 34 30 32 32 38 30 31 33 32 32 34 5a 17 0d 32 34 30 34 32 38 30 31 33 32 32 34 5a 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=4 length=1561 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=255 Value: 025105800dc000000a8f16030309200b00091c00091900041530820411308202f9a003020102020102300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3234303232383031333232355a170d3234303432383031333232355a3071310b3009060355040613024652 Attribute 79 (EAP-Message) length=255 Value: 310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3119301706035504030c1075736572406578616d706c652e6f7267311f301d06092a864886f70d010901161075736572406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d1c640457c204f03e3c298b4deb9790c67db36e099ff1fc5fe8642580d3a0950d3e68688e01d843146e675b2d6f9473dba8cd10f40b3fb58553675e86d5ff974688de4e5bb946441b68f4a8131dcfc8df76d2584bea368b91b6b054dd1073e66cace438b74353b351e22408dfba59679ce1f2304a6c0a758 Attribute 79 (EAP-Message) length=255 Value: b1f9ce5df44faf05c7b023ccce0e2d7aad2e60be0e652e5b3bade98dd6b8dff61d850de956cab4fdc5971652c62899aa326200111bc9a09957714575322d7c203fd4d7d003735bf26e45ec3735f71899bc3c164daa0189ea33969de78574e03bd1c64d3e23717a7a35b7600894723e61982549d90383fa96a9a2429a1303e02a07eee3f82d4d8f390203010001a3819030818d30130603551d25040c300a06082b0601050507030230360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c301d0603551d0e04160414bf8bee28d4a22aee30ba185b117650451cbc Attribute 79 (EAP-Message) length=255 Value: a927301f0603551d2304183016801468e8d758bafd2cf855e599f01d1be1b0497c4543300d06092a864886f70d01010b050003820101005deed5bffc303a4432e468169dfb146bf5bd269e196d22215c0f5142d7b5daed6394b78d8bf941b4c9e90bc3997189d56725e94e46420115eb9608013718417553c0006b75fe763074bf6674c5112d6f6c4f75fcd71420fb862980137b451a955777145d5db9fdf36f6bda4abbffec75f8f7def47aaffbdbfaaa41efba6c35b91d46554d70a3dab777e08d19286f3a835ef112341ce09a2bf59873179bd40e45f504cde208d3132ca430914b694c5dabdf94308961fd14ffd359751fcc292893a5c89676adac Attribute 79 (EAP-Message) length=255 Value: 6c484a16c9d30cdf42be935308695e68b7d964d50958cff5454365f6029a6af7fe25c39fa69906b3f7940eb26b4541d5c9e328948051a308444c0004fe308204fa308203e2a00302010202142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c652043657274696669636174652041 Attribute 79 (EAP-Message) length=145 Value: 7574686f72697479301e170d3234303232383031333232345a170d3234303432383031333232345a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d Attribute 24 (State) length=18 Value: edd2cd8eee83c0b549867676db0ddfbf Attribute 80 (Message-Authenticator) length=18 Value: 1213b7b549a42a80cf22c97939bd0db2 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 64 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=4 length=64 Attribute 79 (EAP-Message) length=8 Value: 015200060d00 Attribute 80 (Message-Authenticator) length=18 Value: cd281f4551bdcfb766e10e04929a11e1 Attribute 24 (State) length=18 Value: edd2cd8ee980c0b549867676db0ddfbf STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=82 len=6) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=82 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x00 SSL: 1305 bytes left to be sent out (of total 2703 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x55ff45bd66e0 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=1311) TX EAP -> RADIUS - hexdump(len=1311): 02 52 05 1f 0d 00 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 8f d8 eb e0 ef 83 c9 18 7f 25 6e 38 e9 ef 2d 6e f1 e3 65 f0 39 87 f6 41 78 ad 8c 09 9f 79 c9 e1 0f 79 d3 d2 96 a7 5f f7 fe 44 d7 da 66 b8 ba 79 f7 4e c0 c2 f6 da b0 9a 0c 9d 5e 8b d7 25 47 6b 08 a5 df d3 53 d7 d7 e4 69 a9 cf 53 16 bd 19 da 82 0a 61 f3 80 3c 6a a2 e9 5c 37 44 5c 43 ab 09 44 dc 36 06 c4 21 81 04 b2 7c 30 5d 28 0a ee de 42 e7 36 ba c9 1b cb a1 57 fc 93 d0 e1 c0 97 74 cf 06 7d bb 51 2b 71 6b 66 7a 4e ba 19 88 4a ca 06 7a 10 bb 7e c4 cb 28 19 49 2d 2c d2 ab d0 23 eb 49 b2 a8 e0 14 cd b8 a1 19 19 16 09 33 ee 62 71 0f b3 d7 e0 e8 86 b0 83 f7 22 0e 3b e1 22 83 97 0f 5b 34 3c 9c a3 f3 48 b7 28 ec 19 5e 4c fc 27 9d 54 f3 a1 fb 1d 2a e1 8d 03 44 62 2e a8 f4 a5 82 ed 36 79 d3 81 e3 fb d4 0f ca 2c 9e 8c f6 51 f2 dd ba 62 13 12 b8 12 03 fc 91 8f 4d 20 31 02 03 01 00 01 a3 82 01 42 30 82 01 3e 30 1d 06 03 55 1d 0e 04 16 04 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 30 81 d3 06 03 55 1d 23 04 81 cb 30 81 c8 80 14 68 e8 d7 58 ba fd 2c f8 55 e5 99 f0 1d 1b e1 b0 49 7c 45 43 a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82 14 25 57 e1 72 8d 04 af e1 d4 dc 8f 3b a7 ed 9f 02 a1 14 24 68 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 55 5b 2e 66 c6 da 9a 6f fd 14 17 2d be df 3d 1e 53 38 f5 5d a2 58 fa fe b7 8d 26 40 8f 25 e0 4b 82 c5 6c 57 73 e1 5a d3 b0 35 94 6e cc 12 3e 61 00 1c 57 18 bb 69 8e 44 c8 74 1f c4 83 cb 47 e4 92 8f e2 3a 31 df 3b fa a2 51 a3 fd e3 c9 21 43 39 af 97 13 04 50 6b c9 d4 05 d0 c5 d5 5a 1b 10 5e eb 84 42 ae e4 96 82 19 1f 52 4e f1 c9 03 29 fc fb 65 07 6f 6d 71 59 d7 8e 07 6b a5 4d 7a 3e 70 e1 e9 2c db 86 76 2d 74 2d 09 8e 03 a3 a7 5e 8c 27 07 18 ae e5 8d 74 0c 5c ce d0 b9 b6 c3 a2 0b 02 35 4f 8b b6 32 af 96 b1 70 6c 91 d7 ac 96 40 7c fc 68 0f 49 e3 43 da aa 74 4c 3f 36 fc 28 7d 24 33 9c a1 36 b2 28 df 51 b0 92 6c 6e 9d 2c 32 08 05 fb c4 20 e9 be 9e 07 40 9a 20 8e bc 47 45 ab 0c 38 73 95 c2 86 d7 71 47 e1 7a 31 16 8e 56 1d 8e 07 43 9e 91 fc 75 97 bf 4c 3b 2d 05 80 16 03 03 00 25 10 00 00 21 20 8d d6 f6 a6 33 0a f7 f9 a6 0e 4e 88 a4 4d 42 bc e3 f9 03 4b 93 b6 eb 6e 75 0f f8 fc 1a 79 cc 7f 16 03 03 01 08 0f 00 01 04 08 04 01 00 19 50 dc 25 20 c7 d1 09 52 26 0f d9 66 db 0e d4 fc 5c 3d 27 f8 39 f9 ca 21 2b 12 35 97 2a 2b 70 e6 70 56 f9 e0 f4 2d 12 3b 49 d6 f3 70 f7 d0 c2 52 2a d4 21 74 d5 f0 36 2d 5f 0a a3 35 ff e7 79 20 a9 09 10 20 86 b6 a6 a8 42 b4 9e 99 1e 7b aa 5a 0c 47 30 c5 bf 8d d1 a9 ec 58 6a 3e 0f 2c 3c 50 32 ab 75 3d 51 a1 2c 74 4c 12 9c f2 5b bb 9d 32 58 0e 77 bf 76 fe c2 f1 d1 4f 48 95 98 ab 5a 0e 35 6c ca 41 4f f4 2f 0f ba 76 c6 7c 86 4e 01 84 c4 f2 bd 64 8b 88 71 59 fe 32 e8 b9 c2 02 b2 7d 00 cf 19 88 2f d7 5c af 8c 2b 9b a3 c0 92 94 33 39 88 4a a4 f0 12 55 c3 94 6d 09 de 15 f8 2f 57 4d 79 da fd d3 8e 7c 5f 6c db 6e 6b c5 3f b8 97 87 c9 da 63 f2 21 6b 28 c5 bb 8a 5f 5d d7 28 7a f3 bf 39 c7 c9 d0 8b 6f 2a e9 0f 03 f1 be d8 1f da e9 d3 0f e3 57 e9 3f c7 4a 14 d6 8b 81 b2 14 03 03 00 01 01 16 03 03 00 28 1b 31 eb fa 83 cb d9 c6 cc ed cb 99 07 68 8b 82 af 46 f8 2e 76 e0 76 60 84 2d e8 36 2f 37 9e 14 65 8b 64 e7 8e 6c 8b c6 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=5 length=1464 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=255 Value: 0252051f0d00706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101008fd8ebe0ef83c9187f256e38e9ef2d6ef1e365f03987f64178ad8c099f79c9e10f79d3d296a75ff7fe44d7da66b8ba79f74ec0c2f6dab09a0c9d5e8bd725476b08a5dfd353d7d7e469a9cf5316bd19da820a61f3803c6aa2e95c37445c43ab0944dc3606c4218104b27c305d280aeede42e736bac91bcba157fc93d0e1c09774cf067dbb512b716b667a4eba19884aca067a10bb7ec4cb2819492d2cd2abd023eb49b2a8e014cd Attribute 79 (EAP-Message) length=255 Value: b8a11919160933ee62710fb3d7e0e886b083f7220e3be12283970f5b343c9ca3f348b728ec195e4cfc279d54f3a1fb1d2ae18d0344622ea8f4a582ed3679d381e3fbd40fca2c9e8cf651f2ddba621312b81203fc918f4d20310203010001a38201423082013e301d0603551d0e0416041468e8d758bafd2cf855e599f01d1be1b0497c45433081d30603551d230481cb3081c8801468e8d758bafd2cf855e599f01d1be1b0497c4543a18199a48196308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120 Attribute 79 (EAP-Message) length=255 Value: 301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747982142557e1728d04afe1d4dc8f3ba7ed9f02a1142468300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100555b2e66c6da9a6ffd14172dbedf3d1e5338f55da258fafeb78d26408f25e04b82c56c5773e15ad3b035946ecc123e61001c5718bb698e44c8741fc483cb47e4928f Attribute 79 (EAP-Message) length=255 Value: e23a31df3bfaa251a3fde3c9214339af971304506bc9d405d0c5d55a1b105eeb8442aee49682191f524ef1c90329fcfb65076f6d7159d78e076ba54d7a3e70e1e92cdb86762d742d098e03a3a75e8c270718aee58d740c5cced0b9b6c3a20b02354f8bb632af96b1706c91d7ac96407cfc680f49e343daaa744c3f36fc287d24339ca136b228df51b0926c6e9d2c320805fbc420e9be9e07409a208ebc4745ab0c387395c286d77147e17a31168e561d8e07439e91fc7597bf4c3b2d0580160303002510000021208dd6f6a6330af7f9a60e4e88a44d42bce3f9034b93b6eb6e750ff8fc1a79cc7f16030301080f000104080401001950dc2520c7d109 Attribute 79 (EAP-Message) length=255 Value: 52260fd966db0ed4fc5c3d27f839f9ca212b1235972a2b70e67056f9e0f42d123b49d6f370f7d0c2522ad42174d5f0362d5f0aa335ffe77920a909102086b6a6a842b49e991e7baa5a0c4730c5bf8dd1a9ec586a3e0f2c3c5032ab753d51a12c744c129cf25bbb9d32580e77bf76fec2f1d14f489598ab5a0e356cca414ff42f0fba76c67c864e0184c4f2bd648b887159fe32e8b9c202b27d00cf19882fd75caf8c2b9ba3c092943339884aa4f01255c3946d09de15f82f574d79dafdd38e7c5f6cdb6e6bc53fb89787c9da63f2216b28c5bb8a5f5dd7287af3bf39c7c9d08b6f2ae90f03f1bed81fdae9d30fe357e93fc74a14d68b81b21403030001 Attribute 79 (EAP-Message) length=48 Value: 0116030300281b31ebfa83cbd9c6ccedcb9907688b82af46f82e76e07660842de8362f379e14658b64e78e6c8bc6 Attribute 24 (State) length=18 Value: edd2cd8ee980c0b549867676db0ddfbf Attribute 80 (Message-Authenticator) length=18 Value: d805d0771672ef58541bec3f5cde98e9 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 119 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=5 length=119 Attribute 79 (EAP-Message) length=63 Value: 0153003d0d80000000331403030001011603030028e100ea24e0de696191dadcd86e3ad167f1173edcc253566723fe0bf06e8cab5a58d10a790b8d69aa Attribute 80 (Message-Authenticator) length=18 Value: 7c0302c4097364468fd1529ac929cd4b Attribute 24 (State) length=18 Value: edd2cd8ee881c0b549867676db0ddfbf STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=83 len=61) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=83 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=61) - Flags 0x80 SSL: TLS Message Length: 51 OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 14 03 03 00 01 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS write finished OpenSSL: RX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 28 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read change cipher spec OpenSSL: RX ver=0x303 content_type=22 (handshake/finished) OpenSSL: Message - hexdump(len=16): 14 00 00 0c 47 aa b4 c6 17 0e 0c 8e 8e bb 13 fb SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3/TLS read finished SSL: (where=0x20 ret=0x1) SSL: (where=0x1002 ret=0x1) SSL: 0 bytes pending from ssl_out OpenSSL: Handshake finished - resumed=0 SSL: No Application Data included SSL: Using TLS version TLSv1.2 SSL: No data to be sent out EAP-TLS: Done EAP-TLS: Derived key - hexdump(len=64): 7a a7 6b 29 a7 94 b6 00 68 af a3 38 f3 e9 81 8e ed ed 0f cd ce c6 86 75 05 41 9d 8e fe cb d6 58 aa d4 d0 1d 9b 83 70 28 08 14 54 09 b4 a4 ba 60 f5 bd 0d a9 9b 8a 07 f3 98 a7 5c 1e 31 2b d5 69 EAP-TLS: Derived EMSK - hexdump(len=64): 08 2e e3 b6 ce 7e c1 6e 68 d2 8e c9 c3 2f 98 81 f5 86 32 f0 ba 0f 81 be 63 49 71 3d 6f 28 03 0e 8a 2d 76 cc 38 98 ca 0f ba b5 6a 50 b3 15 24 bc 0a 51 cb 37 b4 9b c7 a2 bf 3e 6b 20 9a ea 17 24 EAP-TLS: Derived Session-Id - hexdump(len=65): 0d fe d5 af 5e 92 5e df 28 8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a f6 1d 14 e6 50 35 ac cc f7 f1 01 ae 2d e5 43 a9 bd 8e f9 d6 1c 9c d4 e1 36 2e a6 74 a4 39 c0 9f SSL: Building ACK (type=13 id=83 ver=0) EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC eapRespData=0x55ff45bb9560 EAP: Session-Id - hexdump(len=65): 0d fe d5 af 5e 92 5e df 28 8b 3a 05 6a 3b 3e a9 8e 41 47 b3 cf ff ee 88 27 e6 3c 15 56 17 56 73 0a f6 1d 14 e6 50 35 ac cc f7 f1 01 ae 2d e5 43 a9 bd 8e f9 d6 1c 9c d4 e1 36 2e a6 74 a4 39 c0 9f EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 53 00 06 0d 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=6 length=149 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 025300060d00 Attribute 24 (State) length=18 Value: edd2cd8ee881c0b549867676db0ddfbf Attribute 80 (Message-Authenticator) length=18 Value: ee207023ce0751ba3bfe31c5a0eea8b1 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 184 bytes from RADIUS server Received RADIUS message RADIUS message: code=2 (Access-Accept) identifier=6 length=184 Attribute 26 (Vendor-Specific) length=58 Value: 000001371134868a899f3acfd82648dfbf7c03ea7935a7869aca0dced9dc09e97dcccb5401b7260ffcae0ab0cee7fdc0eec9cf91724d8941 Attribute 26 (Vendor-Specific) length=58 Value: 0000013710348d0655c6e2447c1257c63d90a459a8bdd11ce29bcd59f7d0db5d03a405a1b7cf8f4e308971a6df4d4e599ce6bc162c1b4f8b Attribute 79 (EAP-Message) length=6 Value: 03530004 Attribute 80 (Message-Authenticator) length=18 Value: 05bfc525ab78a654cc6d7861a36e6584 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 12 (Framed-MTU) length=6 Value: 994 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station MS-MPPE-Send-Key (sign) - hexdump(len=32): aa d4 d0 1d 9b 83 70 28 08 14 54 09 b4 a4 ba 60 f5 bd 0d a9 9b 8a 07 f3 98 a7 5c 1e 31 2b d5 69 MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 7a a7 6b 29 a7 94 b6 00 68 af a3 38 f3 e9 81 8e ed ed 0f cd ce c6 86 75 05 41 9d 8e fe cb d6 58 decapsulated EAP packet (code=3 id=83 len=4) from RADIUS server: EAP Success EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: Status notification: completion (param=success) EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required WPA: EAPOL processing complete Cancelling authentication timeout State: DISCONNECTED -> COMPLETED EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: result=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): 7a a7 6b 29 a7 94 b6 00 68 af a3 38 f3 e9 81 8e ed ed 0f cd ce c6 86 75 05 41 9d 8e fe cb d6 58 No EAP-Key-Name received from server WPA: Clear old PMK and PTK EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS God bless you, Thank you again!!! Regards On Wed, 28 Feb 2024 at 10:54, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 28, 2024, at 12:10 AM, Lucas Guimaraes via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
For a few days, I'm trying to test FreeRADIUS server to see how EAP-TLS authentication works on Wifi through a POC first.
So far, I think I could advance pretty well since I didn't know very much about the EAP-TLS authentication method.
It can be a bit finicky to configure, but that's largely due to the fact that there are a lot of technical details to get right. That's the nature of EAP-TLS.
The expectation using FreeRADIUS is to see this POC working proporly using the method EAP-TLS but I'm at a certain point where I don't understand why I'm not getting an Access-Accept where should contain the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes too.
The server only sends those attribute if the EAP authentication works.
Instead, what I'm understanding is, the server output is kind saying "...Auth-Type sub-section not found. Ignoring...."
The supplicant is going EAP, but somehow the EAP configuration has been removed from the "default" virtual server.
I'd suggest also reading http://wiki.freeradius.org/radiusd-X
That page describes how to read the debug output, and what to look for.
... server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type
Note that there's no reference to "eap".
/etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type
And there's no reference to "eap" here, either.
(0) Received Access-Request Id 0 from 127.0.0.1:47287 to 127.0.0.1:1812 length 146 (0) User-Name = "user@example.org" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02e400150175736572406578616d706c652e6f7267
A packet with EAP, good.
(0) eap: Peer sent EAP Response (code 2) ID 228 length 21 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok
The EAP module is being run in the "authorize" section.
(0) Found Auth-Type = eap (0) Auth-Type sub-section not found. Ignoring.
And there's no "Auth-Type EAP" section.
Why? Someone deleted it from the default configuration.
About the certs, all the certs were generated by the ./bootstrap script and nothing was changed from the original files.
The debug output shows this isn't true.
Someone edited the configuration files to remove "eap" from the "authenticate" section. And that change broke the server.
So... don't do that.
Please, I kindly ask for this help to manage to authenticate with EAP-TLS.
Go back to the default configuration files. They work.
At the minimum, compare the default configuration files with the local versions. You'll note that the "authenticate" section in the default files has "eap", and your local copy doesn't have that.
Alan DeKok.
-- Atenciosamente, IT Technical Support +55 11 96797-7832 -- AVISO DE CONFIDENCIALIDAD Este mensaje de correo electrónico y sus adjuntos pueden contener información confidencial o legalmente privilegiada y está destinado únicamente al uso de los destinatarios. Esta prohibido a las personas o entidades que no sean los destinatarios de este correo cualquier tipo de modificación, copia, distribución, divulgación, retención o uso de la información que contiene. La divulgación no autorizada, difusión, distribución, copia o la adopción de cualquier acción basada en la información aquí contenida, está prohibida. No puede garantizarse que los correos electrónicos estén libres de errores, ya que pueden ser interceptados, enmendados o contener virus. Cualquier persona que se comunique con nosotros por correo electrónico se considera que ha aceptado estos riesgos. El Propietario de los datos no se hace responsable de errores u omisiones en este mensaje y niega cualquier responsabilidad por cualquier daño que surja del uso del correo electrónico y no se responsabiliza por su uso abusivo, contrario a la moral, a las buenas costumbres o a la ley, o realizado fuera de las competencias laborales del autor del mail. CONFIDENTIALITY NOTICE This e-mail message and any attachments may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorized disclosure, dissemination, distribution, copying or any action in reliance on the information herein is prohibited. It is prohibited to persons or entities that are not the recipient(s) of this email any modification, copying, distribution, disclosure, retention or use of the information contained therein. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. The Data Owner is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.