Ok, I've gotten a little bit further with setting up my multiple SSID stuff. I'm still working with just the test SSID, trying to get PEAP/MSCHAP working, but running into problems with the inner virtual server and would appreciate any further help. It's failing on the inner tunnel with an error that it has no value specified for the auth type, but shouldn't that be set by the eap module? eap.conf excerpt (left out the rest which is mostly default): eap eap_cuesta { default_eap_type = peap peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel-cuesta" } } default: authorize { preprocess auth_log rewrite_called_station_id switch Called-Station-Ssid { case "test" { eap_cuesta } } } authenticate { Auth-Type eap_cuesta { eap_cuesta } } inner tunnel: authorize { suffix eap_cuesta { ok = return } } authenticate { mschap_cuesta } debug output: rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=198, length=199 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x02010019016e6963686f6c61735f6b61727473696f756b6173 Message-Authenticator = 0x87ae80681a5d9a1624592e7a03d518a5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 1 length 25 [eap_cuesta] No EAP Start, assuming it's an on-going EAP conversation ++++[eap_cuesta] returns updated +++- case test returns updated ++- switch Called-Station-Ssid returns updated Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] EAP Identity [eap_cuesta] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap_cuesta] returns handled Sending Access-Challenge of id 198 to 10.32.33.1 port 32769 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320b2b565e0f7fc7d47ec4907c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=199, length=297 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x0202006919800000005f160301005a0100005603014e31f9240f214a33a4bd8894295f89f2485c8de4a5fe951c8925b53d8640840300002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 State = 0x0b294f320b2b565e0f7fc7d47ec4907c Message-Authenticator = 0xb42fd305fcad5be40bd0f9e95ee3af9c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 1: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 2 length 105 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0c9e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 199 to 10.32.33.1 port 32769 EAP-Message = 0x0103040019c000000ef416030100310200002d03014e31f929e568bac3df95f77c2bb87c50d07a91af1d409cd407608d6426344028000039010005ff010001001603010c9e0b000c9a000c970003fa308203f6308202dea003020102021022fe7e14527a08952ff9ef9c52bf4145300d06092a864886f70d0101050500303c310b300906035504061302555331153013060355040a130c5468617774652c20496e632e311630140603550403130d5468617774652053534c204341301e170d3131303532353030303030305a170d3132303632303233353935395a30818e310b3009060355040613025553311330110603550408130a43616c69666f72 EAP-Message = 0x6e6961311830160603550407140f53616e204c756973204f626973706f31173015060355040a140e43756573746120436f6c6c656765311a3018060355040b1411436f6d7075746572205365727669636573311b301906035504031412776562617574682e6375657374612e65647530820122300d06092a864886f70d01010105000382010f003082010a02820101009f15ff8560f97eecdd587411089166fd4cb7912243e7ef749efa0042711c51a4760be3f12c8040b732c74d9fd61f98488856931be1c7a7e9dd4cde8ea880ff6c987d616f105b53364b27954b50fd0c819aea713f6c79f207f74608ea6e8dc078bf1933468da308aac820d20db5 EAP-Message = 0xbd6ec9241984e03b8b89498b7900460a68cc0fb3862c48cf373ec61bf8b00d164f8ac3a6de689e02791e6ca962f9ff240ebb1454aa5faf851adf5a8fa4165dda1dc9088dde24eece774a5b5a1378516c775a7adc9ebba4451ce521efdfc7a4a746bcf69f13fb849b1268ea08a9d4f848fea09c8f2b31254ee8539a4821b3bd80b8d0be8e038902862dc173f8a751ceadd698290203010001a381a030819d300c0603551d130101ff04023000303a0603551d1f04333031302fa02da02b8629687474703a2f2f7376722d6f762d63726c2e7468617774652e636f6d2f5468617774654f562e63726c301d0603551d250416301406082b06010505070301 EAP-Message = 0x06082b06010505070302303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300d06092a864886f70d0101050500038201010045eaf219ea3a1fa6c09d0ee57c85150014266321401baa5bd7c2d4dc9cbbcb2f2185f79aafc84002be5d69fa756a90e3c86e939a126e52264eec048b2e504766202bc98b579d9e5ea1282ba64fff433703df9f516dbd70061663c1dda87a77e2b322c7a41e92fe95230f640dd325fa507e2cfd866f0fd38c1c669f172bbd7da6f5cd68e9ec7bd4b14f1f1c84fe7eb04d53323b3363e8885ac0245a9cc10f764c08005c645236691b98cd7e EAP-Message = 0x9e5989b2aa987714d0fddc68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320a2a565e0f7fc7d47ec4907c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=200, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020300061900 State = 0x0b294f320a2a565e0f7fc7d47ec4907c Message-Authenticator = 0x2e92fa9ed958c953d95ae54113f28fdf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 2: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 3 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 200 to 10.32.33.1 port 32769 EAP-Message = 0x010403fc19401ab7c901f7cacc5dc99ee49a03ad3f7add0082f5ef21975afb68b7b500c0410af294a94801ae63e82746f1e02a752b0a58318447d1c5e8042cfa73eeaaffc6404dc4c3a435fe9859790004703082046c30820354a00302010202104d5f2c3408b24c20cd6d507e244dc9ec300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f EAP-Message = 0x72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3130303230383030303030305a170d3230303230373233353935395a303c310b300906035504061302555331153013060355040a130c5468617774652c20496e632e311630140603550403130d5468617774652053534c20434130820122300d06092a864886f70d01010105000382010f003082010a028201010099e4855b76497d2f05d8c5acc8c8a9d3dc98e6d734a62f0cf22226d8a3c9144c8f05a445e8140c5890051ab7c5c106a580afbb1d496b523488c359e7ef6bc427418c2b661dd0e0a3979819344b41d5 EAP-Message = 0x98d5c705ada2e4d7ed0cad4fc1b5b021fd3e5053b2c490d0d430676c9af10e74c4c2dc8ae897ffc992ae018a560a9832b00023ec901a60c3edbb3acb0f639f0d44c952e12596bfed5095897f5614b1b7611d1c078c3a2cf7ff80de3945d5af1ad178d8c7716aa319a7325021e9f20ea1c613034448d166a85257d711b4938be5999f5de77851e54df6b759b476b509374d0638137a1c08985cc4484acb52a0a9f8b19d8e7b79b0202f3c96a8116247bb110203010001a381fb3081f8303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d30120603551d130101ff040830 EAP-Message = 0x060101ff02010030340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7468617774652e636f6d2f5468617774655043412e63726c300e0603551d0f0101ff04040302010630280603551d110421301fa41d301b3119301706035504031310566572695369676e4d504b492d322d39301d0603551d0e04160414a7a283bb3445403dfcd5304f12b93ea1019ff6db301f0603551d230418301680147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d01010505000382010100802280e06cc89516d7572687f37234dbc67256273ed396f62e2591a53e3397a74be52ffb257d2f0761fa6f83744c4c537220 EAP-Message = 0xa47acf5151568188 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f32092d565e0f7fc7d47ec4907c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=201, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020400061900 State = 0x0b294f32092d565e0f7fc7d47ec4907c Message-Authenticator = 0x7038af0d4fd451feee45202ac75de030 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 3: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 4 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 201 to 10.32.33.1 port 32769 EAP-Message = 0x010503fc1940b06d1f362cc82bb18899c1fe44ab48517cd8f244642ad871a7fb1a2ff9198d34b223bfc44c551d8e44e8aa5d9add9ffd03c7ba24438d2d4744dbf6d898c8b2f9daefed295c6912fad123960fbf9c0df2794553379a562fe8571070f6ee890c49899ac123f5c22acc41cf22ab656eb794826d2f405f58deeb952ba672685219912aae759d4e92e6cade54ea18ab253ce664a6791f267d61ed7dd2e57155d893177c1438303cdf86e34cad49e39759ce1b9b2bcedc65d40b286b4e84465144f733082d589721ae0004243082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d0101050500 EAP-Message = 0x3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b13 EAP-Message = 0x1f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d EAP-Message = 0x079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d0101050500038201010079 EAP-Message = 0x11c04bb391b6fcf0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f32082c565e0f7fc7d47ec4907c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=202, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020500061900 State = 0x0b294f32082c565e0f7fc7d47ec4907c Message-Authenticator = 0xa5ccd7e50332c38dca61f485a9f66168 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 4: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 5 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 202 to 10.32.33.1 port 32769 EAP-Message = 0x010603181900e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 EAP-Message = 0x160301020d0c0002090080a9ee3b7f4679d9a63fc5c7ae4dbfcc3388f359e11e7598ae7784d0ef1f39c9598b3eff3f3249f7be4198cf531149687b04183a2d01159f84572866d9d1e2ec0bf2b3799d9df5be606f42f8d39afbb16e6fc3848ca68b31bb76574697c42b752ba909a223db09a7cccd97105a1de3ba2a240e137549a9a6db21ef457a60e8d6e3000102008043cb33a3b1cdf98c5ab7b3c39483884af9742947f5349014ae4612e8ca8ba0ede7346cc8ea9057e2964c7c0394d66871fe8ddf19091951225dc524d1c3f9c2130430ecc8790876dbe9586d1aefabc4abe2868e21668d312752b01fb18446da25caf2ced8f132034e5c4515a318 EAP-Message = 0x1c7d0a3da1a99d2a9a2cac50d36bc5f593904401006ffdb2596d189b15e46f3f0a75563852262db7822590734ca847da281a8624dc5b13781f897f57ffe3dc81571fe13dac5f66e6a9d82197a7bde78fca4bfa1260d53293a36bab00a73ee04c916cefcb731134083364202b650718dca794508f87fd2702bb91312ac9fe107ca5b3a7bd16306484febffe8aabba817e8beff80c0ac7d202774b6d60633a090d79d10b4a5f785bf404de6f2a3ba3dad650031da95c57bc924ff9448145a2826c959aabf647cf7be3ec163d302d436a212a25e0252dd03e20d04719cf847c59d683ad3e012491ace7577fdeec54f8e55c95e1607e31f6f7487e6209e57c EAP-Message = 0x8c9aab9075f52827454acb4b1951b439e90cb50eff23a8b316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320f2f565e0f7fc7d47ec4907c Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=203, length=400 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020600d01980000000c6160301008610000082008005dbc3a800670febecbc396824a12d948cd3887f69a8abecfc2962525cb1db3633db4800c9c33e0998d294c0eb38d5773f2d2afa903d943b890a08a041cef8aefd8a878843662729465cb4a02ee4b3cf76407452ac601db3be4141488e9394573b7fba681af73f8f4704d75f332066a3960c92c12f6895ffbe0e5731c342f47414030100010116030100306f54f713f087e86982f8f7f3fceb803cc0bb18eaf1c99e8734236472d4125c2dcd5f5057aa4ebde24b3d99117b6204a3 State = 0x0b294f320f2f565e0f7fc7d47ec4907c Message-Authenticator = 0xd6db6f6ff4793a2a9552443d0c1018fc # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 5: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 6 length 208 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 203 to 10.32.33.1 port 32769 EAP-Message = 0x0107004119001403010001011603010030a520e40b259dcc9b6416a1dc42c0454203a7ce25ac040965d79794192f8f4990a53a7e7827cff79d19f3e23d37c5f070 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320e2e565e0f7fc7d47ec4907c Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=204, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020700061900 State = 0x0b294f320e2e565e0f7fc7d47ec4907c Message-Authenticator = 0x3ace0154fcc3dfd6a22384253086e96c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 6: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 7 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap_cuesta] returns handled Sending Access-Challenge of id 204 to 10.32.33.1 port 32769 EAP-Message = 0x0108002b1900170301002023db883d4ddfbb778ec1c2f88473ad61f77e1faa53690b0d2aad50f8ecef0f1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320d21565e0f7fc7d47ec4907c Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=205, length=288 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x02080060190017030100202fbc79a4613fd76d1b1c4d0fae93b5530714b3e6784db42a7a2bb2191737617c17030100308be6456e767b69e1ec34612bfe4ebc6a007760953ea2284e02808c255510149933cf2f23b45dec6bcedf8d178ed00b7f State = 0x0b294f320d21565e0f7fc7d47ec4907c Message-Authenticator = 0xde78a8e7f10ee56b76ea62acab556a34 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 7: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 8 length 96 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - nicholas_kartsioukas [peap] Got inner identity 'nicholas_kartsioukas' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02080019016e6963686f6c61735f6b61727473696f756b6173 server { PEAP: Setting User-Name to nicholas_kartsioukas Sending tunneled request EAP-Message = 0x02080019016e6963686f6c61735f6b61727473696f756b6173 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nicholas_kartsioukas" server inner-tunnel-cuesta { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel-cuesta +- entering group authorize {...} [suffix] No '@' in User-Name = "nicholas_kartsioukas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap_cuesta] EAP packet type response id 8 length 25 [eap_cuesta] No EAP Start, assuming it's an on-going EAP conversation ++[eap_cuesta] returns updated Found Auth-Type = eap_cuesta WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel-cuesta Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel) } # server inner-tunnel-cuesta [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap_cuesta] returns handled Sending Access-Challenge of id 205 to 10.32.33.1 port 32769 EAP-Message = 0x0109003b19001703010030eed98c4e756051a6bcfa877bc402b7a66dbcfd377539ec2525c8be1b68e81296d95bcc73b2851fa0b869992b96267a02 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320c20565e0f7fc7d47ec4907c Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=206, length=288 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x02090060190017030100205762d0e03fb36ee2fa0e68100aa03ea51fdd5123673a53883bab1e33589271e2170301003017185ab8d719ac8095844ae637222aa99b57146fe368f29df8c216ed92cf66f34f9942e3982106d6908a8cc74bbc5358 State = 0x0b294f320c20565e0f7fc7d47ec4907c Message-Authenticator = 0x2a41d17611a097fe5a4625d5848853cb # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 8: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 9 length 96 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap_cuesta] Handler failed in EAP/peap [eap_cuesta] Failed in EAP select ++[eap_cuesta] returns invalid Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 29 cli 00-23-4e-ba-6b-f4) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> nicholas_kartsioukas attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 206 to 10.32.33.1 port 32769 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000