Hello Thank you for the replay. I maked another test with user test and password test with radtest and then from a windowsxp-client (should be pap) with radtest test test 127.0.0.1 12 password - all works fine - i see in the log : -------------------------------------------------------------------- rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g==" rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337 rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545 [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "test" with password "test" [ldap] user DN: uid=test,ou=users,dc=sb-brixen,dc=it rlm_ldap: (re)connect to mir:389, authentication 1 rlm_ldap: bind as uid=test,ou=users,dc=sb-brixen,dc=it/test to mir:389 rlm_ldap: Bind was successful [ldap] user test authenticated succesfully ++[ldap] returns ok Login OK: [test] (from client localhost port 12) ------------------------------------------------ and here the full log for my windows-client accessing via a cisco wireless switch (maybe he gives me the problems) : Maybe sombody see where i have the problems By luis --------------------------------------------- rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=77, length=170 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020f00090174657374 Message-Authenticator = 0xf69a987d74a723bbc2981decb8c871a0 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry test at line 7 ++[files] returns ok [ldap] performing user authorization for test WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to mir:389, authentication 0 rlm_ldap: bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to mir:389 rlm_ldap: waiting for bind result ... request done: ld 0x81a9290 msgid 1 rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test) request done: ld 0x81a9290 msgid 2 [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g==" rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337 rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing MD5-Password from base64 encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 77 to 10.53.240.10 port 32769 EAP-Message = 0x011000160410741fcd7da1e640ba9f4390917645a3ad Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298d70aca02ffd6ac34c7adfdb Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=78, length=185 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x021000060315 State = 0x8d60a8298d70aca02ffd6ac34c7adfdb Message-Authenticator = 0x3685ed0ea3c294147b81919044eb0a64 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated request done: ld 0x81a0bf8 msgid 3 ++[unix] returns updated [files] users: Matched entry test at line 7 ++[files] returns ok [ldap] performing user authorization for test WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=test) request done: ld 0x81a9290 msgid 3 [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "{md5}CY9rzUYh03PK3k6DJie09g==" rlm_ldap: sambaNtPassword -> NT-Password == 0x3043423639343838303546373937424632413832383037393733423839353337 rlm_ldap: sambaLmPassword -> LM-Password == 0x3031464335413642453742433639323941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Normalizing MD5-Password from base64 encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 78 to 10.53.240.10 port 32769 EAP-Message = 0x011100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298c71bda02ffd6ac34c7adfdb Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=79, length=239 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0211003c158000000032160301002d010000290301647180947385016afade07e1c1aee4025498d5914d18863a7986f27daeb480ed000002000a0100 State = 0x8d60a8298c71bda02ffd6ac34c7adfdb Message-Authenticator = 0xc3b4f30b08d8182f2f8e96bb9d1c3481 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 60 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 50 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 002d], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 084e], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 79 to 10.53.240.10 port 32769 EAP-Message = 0x0112040015c00000088b160301002a02000026030148ec7047e41faf0bd701480470907705dfc6ae3ab32978b9341476c460de398a00000a00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3038313030373036303033345a170d3039313030373036303033345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0c235d2108f4fdfc41f3e33ca571c24bf08d42565b74d9f4c4b5288dec81daacc4861417676b11a1c15ca654557d37870a4b1deab4c7110a56d8dcfd655 EAP-Message = 0x67910846259d83b55ae79ae7b6e9b3957abf420662abc13c2e27fcf5bc6d6280d94e9032e5e2ada4692ec7780611ae108e2244f0f1e0d31ba4480be0e1bb7cfae51f36216bf6dc2c1c3583597e7add4d96f7d649f5357350db07a98e75ea3623849d6b8e4932458a35e9d2b9f174f75fc9273523c7c719460a33fba0aa07848ec167ba9ebdfdb4657bba38a013810d3cc9707d116ee20129a141d9350984ab5f07989f400602ce01d747197f6bb8cb716b8c8361215a7e14d6d8185358e4d831a53b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007224e3dafb01754f74 EAP-Message = 0x17687e3cbfc9aae1fd81cef616ed7cdef40e347979775e32610fd34c40d53dc3bed22ee8a21973f0cfe96c0d4dd9ad2aded48ce6cd8f458ac5fb7ecac58acd7327458f706ae8dae101999c6a0e2ce8e8e5057f1994acd5e23aeedf818c65ad0ad3b82340540fd1782b89fb1c7104795f3a45f883609c383ca7290c2259e9ba1324e95733def13dd773ca0c599e7387dfd05fd9c29d204da8421a85d874bc6856cfa5e16bc4df298e1983b454ff461aa66308d427a859c79ef65075506390122cc4b062ddb0839ddad8fe2f439efc581deb4c2886106665ba3fb2bb26cd51dc339b3ec7a2e5fa069a6b6219e4cf560ffc35ac1f2eeb6ec800049b308204 EAP-Message = 0x973082037fa0030201020201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298f72bda02ffd6ac34c7adfdb Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=80, length=185 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x021200061500 State = 0x8d60a8298f72bda02ffd6ac34c7adfdb Message-Authenticator = 0x648a50991483b7be0640ef5cd06a5b31 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 80 to 10.53.240.10 port 32769 EAP-Message = 0x0113040015c00000088b00300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313030373036303033335a170d3038313130363036303033335a308193310b3009060355040613024652310f300d06035504081306526164697573311230100603550407130953 EAP-Message = 0x6f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b800fce416ece3a7add843bb04c2b40edc73f80788896ad2c56ec4d7e8fb68d48d9b17403ad387f62f4224fd397d0c5d873c62c17844bab1fcd212a19e0957f8fc01576753a15d663b35881d9c8b7f599d4ea7dfe2716e3b200965f400bfb62226a5d956cc3b723b90dc2651c41c95d62b37a5 EAP-Message = 0xc7e3ad95673716d18cf1f843d72391a95ab0208fe0dc76c05b198a2095e3830c5dae1721e3720b0ccdb9547f0b69b6cacdfd9188726b47a52923c055d4e636b87f3cd00bfc454f9118b3eec168db32792d1a3e336189ccc9e0a014a83ca48362ed467ad449d0237448e241616e057cd92cf0c0f8a9e34e3e48d001ce6594068b0081365799a1e7be78198ed0870203010001a381f33081f0301d0603551d0e041604148cc4eb7eea1f20a3d8789e038e8e8304b095a1d03081c00603551d230481b83081b580148cc4eb7eea1f20a3d8789e038e8e8304b095a1d0a18199a48196308193310b3009060355040613024652310f300d0603550408130652 EAP-Message = 0x61646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010090b34a955dea80cb5e531f57f20e4ce19c7eda9989ca4b9f77016d632bc0787956ff2874084c907df5ccc3871e3c78375c9ca6778ff5aa72b1aaeb2304c9553ee3fdc7f0dbe0932d6356536704353ce7a8f681caef5cd2c85aa5d3c5a9c4 EAP-Message = 0xb9b5d21e94fda70e48d37a63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298e73bda02ffd6ac34c7adfdb Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=81, length=185 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x021300061500 State = 0x8d60a8298e73bda02ffd6ac34c7adfdb Message-Authenticator = 0x04c7c433cde93f5907549411693be5a0 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:11 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 19 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 81 to 10.53.240.10 port 32769 EAP-Message = 0x011400a915800000088bbfc7693750c4129758a5306294f4463759b16f7bae93c2731e05abeaeab06fdad57189c07a6ef75b3433076e2d165ed9557e2914dcaa70e04f450b72739246120f5b130ecc138cd6668d0998fbd9e41474a7212981b276d535e29cc76ae5f3065512d3093ac1fece71dc9838641d13969a7ad543768d855c344af83312a85a6fce6b004b9d9442db3975081a0e6f575b826bcbec811916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298974bda02ffd6ac34c7adfdb Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=82, length=509 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0214014815800000013e1603010106100001020100186af5eadf773c69da0fb6252f6723fe51cad32b5d9254cef43d20a56985b465203d58645ffb504b899127f37cce6891e3b0eab53bb85400505597999b959fcf422b9b051eedb30faea2a88ec2dddc81bab5f6fda1fe676acc140aeddec921f912ca405dbfb67f9ba8c5050658efa031afa855f3ebbccf22692c6ed3df9ec1c0f153150d96202d2ac4eb8d3e5d8bef436cd9839924fd6f0bde64439b2c63e95431e1f84ce1aea42fb6e170cd1f09a5a157cc5fc9e9b8141feb304de77807d3886745b979b8ef9dc7bbbf77c4c9175f4cffca780f4016427a2e151309aed4ccfa822175f8b8121b7d EAP-Message = 0x4636ce00734021c727568b0b121abd80db2d43786737ebb014030100010116030100287be243965ffa1e3388fda7d72ef09595602e801d906ca2b8adaf5031174d7d0e4ea112fa8262d12d State = 0x8d60a8298974bda02ffd6ac34c7adfdb Message-Authenticator = 0x47bfef45ee4572e17f2bbd52e3dcca49 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:12 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 318 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 82 to 10.53.240.10 port 32769 EAP-Message = 0x0115003d1580000000331403010001011603010028b3f16a3201dd66a8d32b026ee5919178a05011a7df4888d38c2f49ad7a07a3d25ed4a36f3da49695 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8d60a8298875bda02ffd6ac34c7adfdb Finished request 5. Going to the next request Waking up in 4.0 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=83, length=242 User-Name = "test" Calling-Station-Id = "00-40-96-B4-5B-0F" Called-Station-Id = "00-0B-85-95-70-80:prova" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0215003f1580000000351703010030c9a8dc64815c9dd7f626ba6c6692826ad4cbf8dea0f267d6825fb59b80d67290060d7ce1b062da06c4a255cbc2c26652 State = 0x8d60a8298875bda02ffd6ac34c7adfdb Message-Authenticator = 0xdf9441685dd3878652094fdb63819741 +- entering group authorize {...} ++[preprocess] returns ok expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.53.240.10/auth-detail-20081008 expand: %t -> Wed Oct 8 10:33:12 2008 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 21 length 63 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 53 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "test" User-Password = "test" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "test" User-Password = "test" FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop request done: ld 0x81a0bf8 msgid 4 ++[unix] returns updated [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry test at line 7 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "test" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CRYPT password check failed): [test] (from client ciscosw port 0 via TLS tunnel) } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [test] (from client ciscosw port 29 cli 00-40-96-B4-5B-0F) Using Post-Auth-Type Reject +- entering group REJECT {...} expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 83 to 10.53.240.10 port 32769 EAP-Message = 0x04150004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.0 seconds. Cleaning up request 0 ID 77 with timestamp +24 Cleaning up request 1 ID 78 with timestamp +24 Cleaning up request 2 ID 79 with timestamp +24 Cleaning up request 3 ID 80 with timestamp +24 Cleaning up request 4 ID 81 with timestamp +24 Waking up in 0.8 seconds. Cleaning up request 5 ID 82 with timestamp +25 Waking up in 1.0 seconds. Cleaning up request 6 ID 83 with timestamp +25 Ready to process requests. ---------------------------------------------