I am posting full log with first is radtest accepted and others are failde login from wifi client with 2 different accounts... FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29 2010 at 15:58:09 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.3.1 { require_message_authenticator = no secret = "amerika7452" shortname = "ciscorouter" nastype = "cisco" } client 192.168.3.3 { require_message_authenticator = no secret = "amerika7452" shortname = "AP_Prveposchodie" nastype = "other" } client 192.168.3.2 { require_message_authenticator = no secret = "amerika7452" shortname = "AP_Druheposchodie" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "amerika7452" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "uPq7cP9wMhMDMjyh" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime = NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 34571, id=92, length=55 User-Name = "123" User-Password = "123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "123" rlm_pap: Using clear text password "123" rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [123/123] (from client localhost port 1812) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 92 to 127.0.0.1 port 34571 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 92 with timestamp +10 Ready to process requests. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=119 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000801313233 Message-Authenticator = 0xefb6ee4d88c5de31b2808aeaabbb5e7f +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010100160410067b70733dcd38b8291e5f17a2720acd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e66733918c0f9543479c82591 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 1 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e66733918c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0x6fa3c5c56bd9374326c39055674f9e39 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e67702418c0f9543479c82591 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=209 Cleaning up request 2 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e67702418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202005019800000004616030100410100003d03014bb4bc83fed9c1c47c98d2472920397e85b03463108acace89d1212cd3337a7800001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x9fba80024fc68c5163800fc95c4419ad +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 07a1], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0103040019c0000007fe160301004a0200004603014bb4bc3cedbc5d837c56ea5137ec6b0171b17af239998a062ee186277a93d965203384c6cbe86dec141946c5770b5f5ed1fcda003f07248f4726bb5b4ffd29e7be00040016030107a10b00079d00079a000369308203653082024da003020102020101300d06092a864886f70d0101040500306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d313030333239 EAP-Message = 0x3136313031395a170d3230303332363136313031395a3069310b300906035504061302534b310f300d06035504081306526164697573310c300a060355040a13034b4b5a311f301d060355040313164b4b5a20536572766572204365727469666963617465311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a30820122300d06092a864886f70d01010105000382010f003082010a0282010100d579693bfaece2c1322a55a64dd6bdc6af206a59a7f2e64626cbb3c8b4fb6b392fc24786ecbe9f34025216491731e390d05aba630f277d7f6d7ee9727a07aefc5c9841b56d7941841b391db2e5539b8f7c9e7d0638d676601d43dd EAP-Message = 0x7bf0a40d796a102473637db3a35f438b9e4af0bbe0d01b86f864dcfcefacb9759c512548c942950fc8e28e9bafaa996b4afd136cf207aadab3511930e8d4d92748410554f89c428d00d4cc98f543f9ffe16ab3e7051cbd5810044bc52297d09f4fd66f6b38f6274de4e7d2bd4254f18830910526fc989954cd85f27628207aa3f7f2cfcd48bbf3f70be736e37f204ef0302bd63208c499702197be97fe7f95c0a7202d36c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010084609cecd6d3b00a7f600da98eb18901b726f84eb884a6e1c3d9ffc45c4b2c83ca79d09319ca EAP-Message = 0xcb5ee3fc021b6be9460b31b3cfddd12fd883da847b76fe46a14be8379b1ab0e0d1620b045b18d4894655d9ddf9c99fa250524d4c90e6d0fcf257996a68eee1b3a12c145adb3068ea616435d56a8a8c8eca84178019730efb7db3701e30572c4fd71eb8a7f25833b8e9b155288a56a0f2da707859a1aa990b94eff3a2a9097670c78ab12b358c117a5b99e359d1daefbed75689ef97c3c198ceb0f58b0a1022ef5b8e1cb74af315c35e9e24362ce43ad86a505b297330c783e731d2b86bd5334758f67db59e266b1f555fb01575d62311aacdc125837aa7cadeb000042b308204273082030fa003020102020900ac4020fc7454ca94300d06092a864886 EAP-Message = 0xf70d0101050500306a310b30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e64712418c0f9543479c82591 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 3 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e64712418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x58f1c6897251c0190ea2fd2ac695e9af +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010403fc19400906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d3130303332393136313135395a170d3130303432383136313135395a306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a20434130820122 EAP-Message = 0x300d06092a864886f70d01010105000382010f003082010a0282010100a1b39f27a494fb2d6f5e163b41709b6c7d670595b5b2094a71957d4edf6a1753254fef52b606ced87269a80069f4b86b7ae5492bad1d93432794412c85e8cb75d08597ff66fa17cc1e91afbf2739d36a16c289b78389a0073cb7b1d05f55d6a358f5a24d84bc62d0a4009101aa40a95316f9b50209f0b731256a10b504a3d024349307536efdd7128f104ca554b82782b73bfa1f86b9d9a5b1f77e8c6bba0617ae1c7b51fb95f36791cdb08dde834cd8faae43b7af81fbb3728475860332ca7935a2d74a879e4c3e3bcb8313eea755454622b4400de27b13e73f1eb1d8f67bf9 EAP-Message = 0xab41c984962c6810454a41aad17e3e0f46870753d5e76875ad6fcfc4648ba52d0203010001a381cf3081cc301d0603551d0e041604149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc69930819c0603551d2304819430819180149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc699a16ea46c306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341820900ac4020fc7454ca94300c0603551d13040530030101ff300d06092a86 EAP-Message = 0x4886f70d010105050003820101003181c959e5f84a0ae2a187457617b6a4563fad6a9fc317891362c3f5ec8266983cadd56bde7e3e57d2d189c6d01722ba93fb820ec83e21a68bb8e45f8b42e0e47f188020cababe8d9971009d43daacab4dc89237e134ab6ac1b48d8e174ab1c94b2e7261ce7e3fb4c802b8dbb47b58bfd98bbbc6c89cc1d4f0eb727e16309e631e14ca91d0937e4fa529125e4116d536b3ac9ebe91873a0bdba3ab3bfb3a6ab7d349d5b1c537617cc81296b70884994e5595626cf97a3ff6f9fec75eecea28130173d4fae7186353df4663ced8bb67f9964dae6aa7e43471ad282fa8629c0a4126eb37a592ef4dbcde01e694b9256f EAP-Message = 0x0eaabc8560dd656e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e65762418c0f9543479c82591 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 4 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e65762418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xf70cb3dc846b94996049a79331a9a356 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010500181900ce06fa04b0dba2f6ae16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e62772418c0f9543479c82591 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=451 Cleaning up request 5 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e62772418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020501401980000001361603010106100001020100577e96d8c409c105721fb2b9f83489849a2dd841eefe7da6c0b51359f171f7dc0f62c42ce47748de3ccc3fef0a61baf3b084848c5ca8547e6de7cc94ba2ec73c1c4f8f30d61495032ab57e35b1bd1c9fcefedc65aac06736f096009ae5e159951a34cb8ac658252e033ca77bbc6f1431252ece0b94504a709cc86e1046b7fc835a7929207705e5b1d2ed5b3e5912666238a59e8725512bd5231e981acf9b21aba8ce82e226a75bfaba9bc2bc694449be10a1fb8f7ef2f56a985bc72d82eec90efac854436ef97595a65e00fc97693a95778acc4f2b7549b4ba673bbd6a977cf99825b7919d09b8e6 EAP-Message = 0x37ae8307386da9a444292eec12497526a455a9215fe750221403010001011603010020560d51f197badcb69582d91d84b797c8239c0aedfa1df58f1c18090dc82b2df4 Message-Authenticator = 0xb82c7b3eb2cb2bd13ac350a9e0982bdb +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0106003119001403010001011603010020c5c290d110c1c6b81a6c1c8e15dc903e668eaed8f298c7a436d6768cdfcbdf51 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e63742418c0f9543479c82591 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 6 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e63742418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0xd483882af20d521d7f580979e2f27133 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x01070020190017030100158459c4f8f2dfc2f1b6b98fc6cb859070ba60773363 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e60752418c0f9543479c82591 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=160 Cleaning up request 7 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e60752418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207001f19001703010014b056d90384636556333d6feefb416a1dde840c76 Message-Authenticator = 0x0e7dc12d1d3b3f40545f4fe0a1ca198a +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 31 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 123 PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000801313233 PEAP: Got tunneled identity of 123 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 123 PEAP: Sending tunneled request EAP-Message = 0x0207000801313233 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "123" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001d1a010800181034b648a7ca776e033f81e3768ffb903f313233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae49dd0aae41c7b2ff4db56c61fe8872 PEAP: Processing from tunneled session code 0x81b8f70 11 EAP-Message = 0x0108001d1a010800181034b648a7ca776e033f81e3768ffb903f313233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae49dd0aae41c7b2ff4db56c61fe8872 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0108003419001703010029e466cb5716a0436c5d11902e4d0bb11d6e05f995cc10b786dff009aa883564f89c51fad980babbe746 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e617a2418c0f9543479c82591 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=214 Cleaning up request 8 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e617a2418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800551900170301004a0b982a6ed2e5c3d6d889c7484feaea43da62618eb60e8b5a9cb0b76cd1e02ba99144f42debde680a29455064933f4e5bece6561305da274582d2326d01c38fb07d8c9bf8d16f3c45b22f Message-Authenticator = 0xe28e64981aff83c048f7a1c4e3a18adf +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 85 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x0208003e1a0208003931c18aabf24b6c2efc7a588ebdc7134b740000000000000000fcdcc23f2ae0ecad715899443f6a4d8ad3b6a583fa9238a600313233 PEAP: Setting User-Name to 123 PEAP: Sending tunneled request EAP-Message = 0x0208003e1a0208003931c18aabf24b6c2efc7a588ebdc7134b740000000000000000fcdcc23f2ae0ecad715899443f6a4d8ad3b6a583fa9238a600313233 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "123" State = 0xae49dd0aae41c7b2ff4db56c61fe8872 server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 62 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [123/<via Auth-Type = EAP>] (from client ciscorouter port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81b8f70 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010900261900170301001be1bd984b584aa1d06568832111475b8d71d5d24df7ea22c454e3e4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e6e7b2418c0f9543479c82591 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=167 Cleaning up request 9 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e6e7b2418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001b0e3905c958b77a26c5f49d89bcc618c6d6252d6a9e9156dd418ad3 Message-Authenticator = 0xf55b29e57abb32fccbc8e9927e2217a6 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [123/<via Auth-Type = EAP>] (from client ciscorouter port 44 cli 001e650ece6c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 123 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 10 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 10 Sending Access-Reject of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 10 ID 0 with timestamp +101 Ready to process requests. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=123 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000a01706f6b7573 Message-Authenticator = 0xb85f05786382f2c54ea0261ba6222d68 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 1 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0101001604101191f37f5df77c76fb6de3e51bf5d7fa Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b4bd529a2654aefb6456b1e9 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 11 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b4bd529a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0x3dc7a47b7c7588595fbc8527fe0f87eb +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b5be4f9a2654aefb6456b1e9 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=211 Cleaning up request 12 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b5be4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202005019800000004616030100410100003d03014bb4bccc5dc9e90125f42c50bbc9cbab888d4bbfc9578ffeaf076597fbce203b00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x15033f5962cc41ebb0b69b6d91ddedc8 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 07a1], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0103040019c0000007fe160301004a0200004603014bb4bc85e47df6958850c0d3447f338d476af4314f875aafca2c8b6fe901692b20780806347b4a01c0bf6457fd7fdda91f59bfad9a9fbaf7d59b12cdd5aa4d602400040016030107a10b00079d00079a000369308203653082024da003020102020101300d06092a864886f70d0101040500306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d313030333239 EAP-Message = 0x3136313031395a170d3230303332363136313031395a3069310b300906035504061302534b310f300d06035504081306526164697573310c300a060355040a13034b4b5a311f301d060355040313164b4b5a20536572766572204365727469666963617465311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a30820122300d06092a864886f70d01010105000382010f003082010a0282010100d579693bfaece2c1322a55a64dd6bdc6af206a59a7f2e64626cbb3c8b4fb6b392fc24786ecbe9f34025216491731e390d05aba630f277d7f6d7ee9727a07aefc5c9841b56d7941841b391db2e5539b8f7c9e7d0638d676601d43dd EAP-Message = 0x7bf0a40d796a102473637db3a35f438b9e4af0bbe0d01b86f864dcfcefacb9759c512548c942950fc8e28e9bafaa996b4afd136cf207aadab3511930e8d4d92748410554f89c428d00d4cc98f543f9ffe16ab3e7051cbd5810044bc52297d09f4fd66f6b38f6274de4e7d2bd4254f18830910526fc989954cd85f27628207aa3f7f2cfcd48bbf3f70be736e37f204ef0302bd63208c499702197be97fe7f95c0a7202d36c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010084609cecd6d3b00a7f600da98eb18901b726f84eb884a6e1c3d9ffc45c4b2c83ca79d09319ca EAP-Message = 0xcb5ee3fc021b6be9460b31b3cfddd12fd883da847b76fe46a14be8379b1ab0e0d1620b045b18d4894655d9ddf9c99fa250524d4c90e6d0fcf257996a68eee1b3a12c145adb3068ea616435d56a8a8c8eca84178019730efb7db3701e30572c4fd71eb8a7f25833b8e9b155288a56a0f2da707859a1aa990b94eff3a2a9097670c78ab12b358c117a5b99e359d1daefbed75689ef97c3c198ceb0f58b0a1022ef5b8e1cb74af315c35e9e24362ce43ad86a505b297330c783e731d2b86bd5334758f67db59e266b1f555fb01575d62311aacdc125837aa7cadeb000042b308204273082030fa003020102020900ac4020fc7454ca94300d06092a864886 EAP-Message = 0xf70d0101050500306a310b30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b6bf4f9a2654aefb6456b1e9 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 13 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b6bf4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xa3cfa8d724cac46cbb0c741ea6180333 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010403fc19400906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d3130303332393136313135395a170d3130303432383136313135395a306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a20434130820122 EAP-Message = 0x300d06092a864886f70d01010105000382010f003082010a0282010100a1b39f27a494fb2d6f5e163b41709b6c7d670595b5b2094a71957d4edf6a1753254fef52b606ced87269a80069f4b86b7ae5492bad1d93432794412c85e8cb75d08597ff66fa17cc1e91afbf2739d36a16c289b78389a0073cb7b1d05f55d6a358f5a24d84bc62d0a4009101aa40a95316f9b50209f0b731256a10b504a3d024349307536efdd7128f104ca554b82782b73bfa1f86b9d9a5b1f77e8c6bba0617ae1c7b51fb95f36791cdb08dde834cd8faae43b7af81fbb3728475860332ca7935a2d74a879e4c3e3bcb8313eea755454622b4400de27b13e73f1eb1d8f67bf9 EAP-Message = 0xab41c984962c6810454a41aad17e3e0f46870753d5e76875ad6fcfc4648ba52d0203010001a381cf3081cc301d0603551d0e041604149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc69930819c0603551d2304819430819180149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc699a16ea46c306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341820900ac4020fc7454ca94300c0603551d13040530030101ff300d06092a86 EAP-Message = 0x4886f70d010105050003820101003181c959e5f84a0ae2a187457617b6a4563fad6a9fc317891362c3f5ec8266983cadd56bde7e3e57d2d189c6d01722ba93fb820ec83e21a68bb8e45f8b42e0e47f188020cababe8d9971009d43daacab4dc89237e134ab6ac1b48d8e174ab1c94b2e7261ce7e3fb4c802b8dbb47b58bfd98bbbc6c89cc1d4f0eb727e16309e631e14ca91d0937e4fa529125e4116d536b3ac9ebe91873a0bdba3ab3bfb3a6ab7d349d5b1c537617cc81296b70884994e5595626cf97a3ff6f9fec75eecea28130173d4fae7186353df4663ced8bb67f9964dae6aa7e43471ad282fa8629c0a4126eb37a592ef4dbcde01e694b9256f EAP-Message = 0x0eaabc8560dd656e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b7b84f9a2654aefb6456b1e9 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 14 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b7b84f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xaf95dc5e8bc109bd496444d13cb7b37f +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010500181900ce06fa04b0dba2f6ae16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b0b94f9a2654aefb6456b1e9 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=453 Cleaning up request 15 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b0b94f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020501401980000001361603010106100001020100023a7b095e535c2174f9b63c1a4b99040bc7f85ca4d747a2a8be8bc1347829d41f20405592585e9d9f2ba6325a62ac1ad8d351dbec78303f23588e6dced5a4c536633d94abf57d7dfddc0dc2d076846daaf562dc0e191279ad35f540d6eb810b9d5f38fb7d28308393810036447b1f9a21815206574117efc45ebf7f56223771c63fce0907027945f69088568e5be174f68c042b5c0e3641a2805edae378195e477e8ad7b575a25a9705f9ae0a6da5182165735e1408d0b35bc2e5853e4cdbdf8f18313bda568961f81911b26346b068c886e10b2c609cdfa8c4c864af20b4b795c9b45d271d5dba EAP-Message = 0xf198007180c16f746aeb2266cf5faf7b83098e9b91e53683140301000101160301002018aa6e182c4d1678a4ea10665c7480c24b50e37bac8745e2ff7fe2570e4ba22b Message-Authenticator = 0xc9c6bc817d9fb8abcdefc16b5179b620 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0106003119001403010001011603010020afc67012f55ae30e1d97c24bb6cba15d8703864f7df3e4b310a8068222efcfdd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b1ba4f9a2654aefb6456b1e9 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 16 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b1ba4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x3d065021dd804e5c8fb91e6058170fba +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x01070020190017030100154abd16005b7ba52d8a20d1768c7510e2f88f49868b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b2bb4f9a2654aefb6456b1e9 Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=164 Cleaning up request 17 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b2bb4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02070021190017030100162be7b16e55c97cbfda261c4be13183c4dd01c00606ea Message-Authenticator = 0xec05fbfc78a9a7262003b9b009af0d1d +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 33 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - pokus PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000a01706f6b7573 PEAP: Got tunneled identity of pokus PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to pokus PEAP: Sending tunneled request EAP-Message = 0x0207000a01706f6b7573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pokus" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001f1a0108001a103c9a250911e1ad30afaed5bcb9c5ee00706f6b7573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x81b96fc381b175d869dfc719100d29c1 PEAP: Processing from tunneled session code 0x81b5128 11 EAP-Message = 0x0108001f1a0108001a103c9a250911e1ad30afaed5bcb9c5ee00706f6b7573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x81b96fc381b175d869dfc719100d29c1 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010800361900170301002b70b6783f00c3f1d85ae06803a523ea543fbbb8886d75c6fbdbaa8e71123e6b8007b3b7a6bb09aa7589af48 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b3b44f9a2654aefb6456b1e9 Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=218 Cleaning up request 18 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b3b44f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800571900170301004c98ee9b705e0a9b8041ecbee05adcb51c08c1edf9a195ae5667a9c155dc050c0511ab8b3aac21630149e5fefaf9dab8136ce8fb32d34f9accb05dff53db3e2ce2e13a37abdfa71d1ad9b09470 Message-Authenticator = 0x51967c88196131db97363ef9f79d73e3 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 87 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800401a0208003b31b0b136330d519f80a3f96ad2a674eecb00000000000000005bb9070272ab0df2637c3318ac6ee4bfbabecf70a0a16da600706f6b7573 PEAP: Setting User-Name to pokus PEAP: Sending tunneled request EAP-Message = 0x020800401a0208003b31b0b136330d519f80a3f96ad2a674eecb00000000000000005bb9070272ab0df2637c3318ac6ee4bfbabecf70a0a16da600706f6b7573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pokus" State = 0x81b96fc381b175d869dfc719100d29c1 server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 64 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pokus with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [pokus/<via Auth-Type = EAP>] (from client ciscorouter port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81b7820 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010900261900170301001bd3d5deb3a1b8b775d8f66878c399a4f98b94f38060b0bd21451d74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696bcb54f9a2654aefb6456b1e9 Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=169 Cleaning up request 19 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696bcb54f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001bb82564c0558ebfa0155cac5c0a8a20b725a110b4719573333a7195 Message-Authenticator = 0xd411b960b2053b66dc3f61d32db347e6 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [pokus/<via Auth-Type = EAP>] (from client ciscorouter port 44 cli 001e650ece6c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> pokus attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 20 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 20 Sending Access-Reject of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 20 ID 0 with timestamp +174 Ready to process requests.