Hi, using Debian wheezy-backports FreeRADIUS 2.2.5 version with default config and just adding a local user gives me a valid CUI (adding CUI just in authorize for sites-enabled/default and post-auth/inner-tunnel using default policy.conf) with a correct reply in the outer tunnel. Changing the request to PEAP however doesn't yield a CUI at all. Debug is as follows: freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 129.69.5.130 { require_message_authenticator = no secret = ... nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = ... dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Loading virtual module cui_authorize Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Loading virtual module cui_postauth } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 46437 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=0, length=116 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x2e831f87883573e120673176e349c655 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 129.69.5.130 port 50355 EAP-Message = 0x010100160410f78837ff9e55c8ab98d9e42bab671589 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30f2c1d9b347c7ccf2b2608d1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=1, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020100060319 State = 0x0f2d19e30f2c1d9b347c7ccf2b2608d1 Message-Authenticator = 0x38e3eb7dcafc3d7d6a39dc6fd8ffe5ea # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 129.69.5.130 port 50355 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30e2f009b347c7ccf2b2608d1 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=2, length=343 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020200df1980000000d516030100d0010000cc0301202d5c0a4582c1acc323588a1b7ae0c6535cb58ef150ce34b83eeec1ee5a6fb200005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x0f2d19e30e2f009b347c7ccf2b2608d1 Message-Authenticator = 0x8b1028261e559aa78f0284321166af04 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 223 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 213 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 1523], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 129.69.5.130 port 50355 EAP-Message = 0x0103040019c0000017c4160301003e0200003a030154fb79c1e9674eb557038e64688e7684cf87dfba1f6970a06c8d229f76f11bf800c014000012ff01000100000b000403000102000f00010116030115230b00151f00151c00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d01 EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a EAP-Message = 0x677f7fb69954c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8 EAP-Message = 0xde531e313244d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d4756502 EAP-Message = 0x03010001a382026630820262 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30d2e009b347c7ccf2b2608d1 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=3, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020300061900 State = 0x0f2d19e30d2e009b347c7ccf2b2608d1 Message-Authenticator = 0xde0a02b59599394e6180743d793f8acb # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 129.69.5.130 port 50355 EAP-Message = 0x010403fc1940304f0603551d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d EAP-Message = 0x0603551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e69 EAP-Message = 0x2d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de543255 EAP-Message = 0x84da860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e3640806400057a308205763082045ea00302010202071790610927c34d300d06092a864886f70d01010b0500305a310b300906035504061302444531133011060355040a130a44464e2d56657265696e3110300e060355040b130744464e2d504b49312430220603550403131b44464e2d56657265696e2050434120 EAP-Message = 0x476c6f62616c202d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30c29009b347c7ccf2b2608d1 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=4, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020400061900 State = 0x0f2d19e30c29009b347c7ccf2b2608d1 Message-Authenticator = 0x3fed3380bdf089961004f7686fd7614b # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 129.69.5.130 port 50355 EAP-Message = 0x010503fc194020473031301e170d3134303531323135303633335a170d3139303730393233353930305a308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763612d67303140756e692d7374757474676172742e646530820122300d06092a864886f70d01010105000382010f003082010a0282010100b46256163df5c1a01ea5a8a947d0e42c1ff12f00c8e4981c7911e0 EAP-Message = 0x1d993904dbd0921cc5c9e56187707d936c71c8c9ac6b78b6c26fbbe2d74bfe222a081c1fd695f4cf875998959be6399d4a8cd105d55c6dc027fe5af3c91df7d1cb7f22bfb755c3741cb3d9e9f2c419ab3f7b23fe0bb32cede77581583ee98f5bed0b184b6b35ff90c86b5c108e6033c2863f66cac0a37b52a19dcf73d1df5929e69ba3a6911bed34abdfe3fac11ef4afeb179f62de6d7d3fa19de826e02cdaab6babb1f3f513fc8788ffb57e5f7ddcbe6031bed66a690cbec898879bb24d114190b003a8c4bb2f243be5777f715c5292580fb52fc3acbb82c0cd9502bf7bf6c6dc5fb365ab0203010001a38202043082020030120603551d130101ff04 EAP-Message = 0x0830060101ff020101300e0603551d0f0101ff04040302010630110603551d20040a300830060604551d2000301d0603551d0e04160414bdad275a2c37cf0d441f721aaab73799112e0204301f0603551d2304183016801449b7c6cfe83d1f7fea447b1329f7f10a703ede6430220603551d11041b3019811763612d67303140756e692d7374757474676172742e64653081880603551d1f048180307e303da03ba0398637687474703a2f2f636470312e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f63726c2f636163726c2e63726c303da03ba0398637687474703a2f2f636470322e7063612e64666e2e64652f676c EAP-Message = 0x6f62616c2d726f6f742d63612f7075622f63726c2f636163726c2e63726c3081d706082b060105050701010481ca3081c7303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304706082b06010505073002863b687474703a2f2f636470312e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f6361636572742f6361636572742e637274304706082b06010505073002863b687474703a2f2f636470322e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f6361636572742f6361636572742e637274300d06092a EAP-Message = 0x864886f70d01010b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30b28009b347c7ccf2b2608d1 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=5, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020500061900 State = 0x0f2d19e30b28009b347c7ccf2b2608d1 Message-Authenticator = 0x59f590ded9d0e7ef154b49fd0304986e # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 129.69.5.130 port 50355 EAP-Message = 0x010603fc194005000382010100d5ae2dd26b47df2bc8d51f89856a1e56fbef13c02ff900b885098e17136c896a999b4271698583b75783228784124092bfd9e75827e2436ab9771be8d1ca241722e2a078455cdd1b0c9b18dc0f987be1ab8dab9e2c9faf494f83d175812f26ecf8a3be1270aafa6cb92afda457989a4443fa4516e8fefa0ca479bd93ca992c81987da6b023f9e4bf9a88ed635bb889162d2e07d55d7e2499b4293ed50627fc0959f4b6082cd8bed0e4750545d7f8ee794a627d8589c1ff59ae21913616b21222c3a198935800b3676db35d191d82dbc606ab8f5e2f1ffbd911e6db4b842ac0744d22b2441adfea05616570c56b2741ef EAP-Message = 0x7bcea928a1a2ec296b092f59ff41ee7b0004d9308204d5308203bda0030201020208504ec6f53d11b464300d06092a864886f70d01010b05003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3134303732323132303832365a170d3139303730393233353930305a305a310b300906035504061302444531133011060355040a130a44464e2d56657265696e3110300e060355040b13074446 EAP-Message = 0x4e2d504b49312430220603550403131b44464e2d56657265696e2050434120476c6f62616c202d2047303130820122300d06092a864886f70d01010105000382010f003082010a0282010100e99bc36785f90daef58d54c39650353d62e96e4ced94d7005b952274d420eb348fd6ecc031040b9981e2a614d252a02823848b7489045e5be0e278c178cb16cb2835397b2d9045d0eda0007a7cbf4a0e1b00c386e95c2b31117b0cf38224438c1c388b6a68009aeedc4f78abd2c6139b76adeede26e8ef01af740fc109a2f66bcebdd3cd14304ff5e5e3a4c8629b821a0327300d0265604dedd109232a96355827d376c671b6901dc4edff35867d6f33b3 EAP-Message = 0xdb0fc511c28a83a1945d416bd8d210f54cfdca51acd9bdef9283bbdaeb8b16565643cfe1d5133da61f2730cd4954dbc913349a7175c56ceaa70b98f9219d27af3ea33939486a8cadc999fbc312f2bd0203010001a382018630820182300e0603551d0f0101ff040403020106301d0603551d0e0416041449b7c6cfe83d1f7fea447b1329f7f10a703ede64301f0603551d2304183016801431c3791bbaf553d717e0897a2d176c0ab32b9d3330120603551d130101ff040830060101ff02010230620603551d20045b30593011060f2b0601040181ad21822c01010402023011060f2b0601040181ad21822c01010403003011060f2b0601040181ad21 EAP-Message = 0x822c010104030130 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30a2b009b347c7ccf2b2608d1 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=6, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020600061900 State = 0x0f2d19e30a2b009b347c7ccf2b2608d1 Message-Authenticator = 0x1a54ac252d668f7d538e7b6555b61a70 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 129.69.5.130 port 50355 EAP-Message = 0x010703fc19400f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e303e0603551d1f043730353033a031a02f862d687474703a2f2f706b69303333362e74656c657365632e64652f726c2f44545f524f4f545f43415f322e63726c307806082b06010505070101046c306a302c06082b060105050730018620687474703a2f2f6f637370303333362e74656c657365632e64652f6f63737072303a06082b06010505073002862e687474703a2f2f706b69303333362e74656c657365632e64652f6372742f44545f524f4f545f43415f322e636572300d06092a864886f70d01010b05000382010100632028fd9c218672be39 EAP-Message = 0x4659393225bca9019b0dccca7d419c866d0a6e2cb3135975b133921b612716ffc3b2d53582fb842a0149bd66bb662fb2c2065d6e3f6ee3015a5bca43635c95b6e131a71fd5075f4de665824e32f9c37c7a4bcd4d5c74ee21f27502ec523ed2c96ad390236e496735be7f4d56a4eccc2fcfb7a197a8723ec9bc40d65aa4083dd6bc82c3b7b7328eb12c8e6a6db7350219cff539445863a7240010b0bbfc4eaf6e2f38bba557493fd86e506f2c9796dc1d469a6589cfaeccf2e5d99f53b33ea12f92a9d80bc6841f04c6eb1ee89f7db57ba502f124c524631134cc5a93202a79883a254290a9653b7c86d312152329fc2cdacc395b54170003a33082039f EAP-Message = 0x30820287a003020102020126300d06092a864886f70d01010505003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3939303730393132313130305a170d3139303730393233353930305a3071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e74657231 EAP-Message = 0x2330210603550403131a44657574736368652054656c656b6f6d20526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100ab0ba335e08b2914b11485af3c10e4396f355d4aaeddea618d9549f46f64a31a6066a4a9402284d9d4a5e578930e6801adb94d5c3aced3b8a84240dfcfa3ba82596a921bac1c9ada082b2527f9692347f1e0eb2c7a9bf51302d07e347cc29e3c0059abf5da0cf5323c2bac50dad6c3de8394caa80c99320e0848565b6afbdae1585801495f72413c1506018e5dadaab893b4cd9eeba7e86a2d5234db3aef5c7551dadbf331f9ee719832c45415440cf99b55edaddf1808a0 EAP-Message = 0xa3868a49ee53058f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e3092a009b347c7ccf2b2608d1 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=7, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020700061900 State = 0x0f2d19e3092a009b347c7ccf2b2608d1 Message-Authenticator = 0xe411b216f44884216f98ff81933162c1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 129.69.5.130 port 50355 EAP-Message = 0x010803fc1900194cd5de58799bd26a1c42abc5d5a7cf680f96e4e161987661c8917cd63e00e2915087e19d0ae6ad97d21dc63a7dcbbcda0334d58e5b01f56a07b716b66e4a7f0203010001a3423040301d0603551d0e0416041431c3791bbaf553d717e0897a2d176c0ab32b9d33300f0603551d13040830060101ff020105300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100946459ad3964e729eb13fe5ac38b1357c80424f07477c060e367fbe989a683bf96827c6ed4c33def9e806ebb29b4987ab13b54eb3917477e1a8e0bfc1f31593104b2ce17f32cc7623655e222d88955b49848aa64fad61c36d844 EAP-Message = 0x785a5a233a5797f57a304fae9f6a4c4b2b8ea003e33ee0a9d4d27bd2b3a8e2723cad9eff8059e49b45b4f63bb0cd39199832e5ea216190e431218e34b1f72f354a8510dae78a3721be5963e0f285883153d45414857079f42e067727752f1fb88af9fec5bad836e483ece765b7bf635af346af819437d4418cd623d61ecff5681b4463a25abaa73559a1e570059b0e235799940a6dba3963288692f31884d8fbd1cf05566457160301024b0c000247030017410443f3dbbc7e14dd9cfeb2546660732128b40f7230fc42ae3ae138d70a1d6d4b6a92cce9054b8ecf7252f5f8db98e0b3b51b2d62f1dd8184b2772cad7d6f1f55c10200a7718ffa5d184f EAP-Message = 0x43e9ad4eac8f9ff23e43bad304e793b068c65d33f22353c0942e8aae60b45460c73aacec16f28152b53a69cffc181d4b9202d9d522791788852d5c6a9734b5e3bf9f7bb9acf2077acc42fdf4162c86a445da1711dd67088dfd9430395b1fc460f44af09a125f98dc91c0d4b5d214e972965a1a2b61dbc7e15d0d53633f6c59507630536faa45188fedf7c96f15f4157e199eccff49fd907f6cc188632f9ba2fcd86bcba8058c1bc0a15175f14376bc9fd03d4df5d5aca7dcb7b160ed160ec8141071065746fee1cb3d2dcf5d1e46687124886cee61b2668dc6a3fefd8dcdaeab8edd5d83b1a18b1ea3d5e5ee466f3d2a7b21419938ad1cd371ec23b903 EAP-Message = 0x98052989ae6349f50f61fe35a5f9fa8a938133a451f1e83fc60ee09d23a280ffdbe7cc59bb0c24e4bf064022dc3c2ae3ed0342ef5f2bf7469150d52536de6efa53997e0399b9b8f015bfb3605845ae40bfcf44491e4cac7a6bcce7e3d5ccec0171a6d742eb01f6b99b6f69332e3ffbd94a5c89c44b958bdb73c735b9f262dfa5a428e56a8288806923d893bebb1e1f63b5cb0afcadd05fbdc7621255625c4f3465aef004856965bf167c5954b23ba91b3f92f8e74b08c64fa6cb2221a6029accf291248fad252650431e449943b8d2958bec548aedf87869c64e5e43948b34546a59ffdafff91a7fbb21590acf33826c6efdb1ca88ffdde9597d50a316 EAP-Message = 0x030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30825009b347c7ccf2b2608d1 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=8, length=264 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020800901980000000861603010046100000424104a2cd2a9f4a021cb6e92f80290a54c6ecad35b4c5b5c6772758337ad984bcd00aef2daadf43bfb86cd065ba1b02174c0f0c56143aaeed365657919f367380706e14030100010116030100308694539e26113878b883f895257741161738149e6e369e48581ada4a8d7a92ebc1ca2a7ed829aa2cfb90c8148aa73c48 State = 0x0f2d19e30825009b347c7ccf2b2608d1 Message-Authenticator = 0x952f4074b413c1eb75ef0feab136135f # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 129.69.5.130 port 50355 EAP-Message = 0x010900411900140301000101160301003034af026b166e872b5fe303e7203e2c348ace34dc6cbbe50264f1745e625011fc26954934a51195d432680193f003d7a9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30724009b347c7ccf2b2608d1 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=9, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020900061900 State = 0x0f2d19e30724009b347c7ccf2b2608d1 Message-Authenticator = 0x1b9f0c4b7d818951c0ed5941913a1a0a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to 129.69.5.130 port 50355 EAP-Message = 0x010a002b190017030100209af10d28c429a73c78e3be5c68b925a2d74aa39f8b3a2b44b2336b0da1a4d62c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30627009b347c7ccf2b2608d1 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=10, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020a00501900170301002065f6bcc0a100bbce627903cca630123cb8579957b0977235caefd7f0f49d5c941703010020fdc7d7495f3813c254736b434aa291bd50ef7fab33de7797f27636db651f6169 State = 0x0f2d19e30627009b347c7ccf2b2608d1 Message-Authenticator = 0x39e21bdfb0b9d7c8a1853fed184f3998 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020a00090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020a00090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b001e1a010b001910fa9328be424d72285b6ac13a224bf4c374657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73ef44ad73e45ee6b34d60cb680fe623 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b001e1a010b001910fa9328be424d72285b6ac13a224bf4c374657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73ef44ad73e45ee6b34d60cb680fe623 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 10 to 129.69.5.130 port 50355 EAP-Message = 0x010b003b190017030100308541d28e870b121d89635844c9c96a06e5866f4b58c3fd77808763fdee4e392c04b66f7b43bdfeec46c11ae41d04bef1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30526009b347c7ccf2b2608d1 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=11, length=248 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020b0080190017030100205b05db516f17b12bcb8ddebd93af9d53567c610c34b1e0b54f585c87a357eb911703010050f298cc24dc0994f57883b2911ca56bef4f188cc63eb0cfa9a4baacb2699c6bb7ef4e7ef12b803c0b29dd4747e448d9c9db397bdbb75430ba7ad5cc6700fe9dc7da89a49750314b6396fbf3ecf9cd1a88 State = 0x0f2d19e30526009b347c7ccf2b2608d1 Message-Authenticator = 0xd8cdd5cd1dda8de7df9eb7cb9c5d139a # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 11 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b003f1a020b003a31e9ffdcee4bbc78bc70f699c7b7d18a6a0000000000000000e1bfee3110af879278f74e833f924d04bbcf3e2b6abfaefa0074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020b003f1a020b003a31e9ffdcee4bbc78bc70f699c7b7d18a6a0000000000000000e1bfee3110af879278f74e833f924d04bbcf3e2b6abfaefa0074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x73ef44ad73e45ee6b34d60cb680fe623 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 11 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010c00331a030b002e533d30443045354133374237353435393138303937373141463136313142353741453941304136453343 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73ef44ad72e35ee6b34d60cb680fe623 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010c00331a030b002e533d30443045354133374237353435393138303937373141463136313142353741453941304136453343 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73ef44ad72e35ee6b34d60cb680fe623 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 11 to 129.69.5.130 port 50355 EAP-Message = 0x010c005b19001703010050b7ef8497271c47f35e588dcf625984fdee9a02890622c77d75be45f645f1d71195d8d689cdbcf85ac87b088a878064fcd20f47c2d35fee47f3102eb2ed82939bf67ac21ef90f9a6c813b237688f84e3a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30421009b347c7ccf2b2608d1 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=12, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020c005019001703010020ca23be428a79d9e7be29a585406e4c0f603ea3a45ec2d4c31a650aafbd6b351b1703010020eed02b9ddbc4581e2714ba17dde909e852b162ecde7744834de3fdd29b38c2ac State = 0x0f2d19e30421009b347c7ccf2b2608d1 Message-Authenticator = 0x1c260dc2248591419a9a2ad1c69a3ef7 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 12 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020c00061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x73ef44ad72e35ee6b34d60cb680fe623 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 12 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +group post-auth { ++policy cui_postauth { +++? if (FreeRadius-Proxied-To == 127.0.0.1) ? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++if (FreeRadius-Proxied-To == 127.0.0.1) { ++++? if (outer.request:Chargeable-User-Identity) ? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE ++++? if (outer.request:Chargeable-User-Identity) -> TRUE ++++if (outer.request:Chargeable-User-Identity) { +++++update outer.reply { expand: cui_hash_key -> cui_hash_key expand: %{config:cui_hash_key}%{User-Name} -> test...test expand: %{md5:%{config:cui_hash_key}%{User-Name}} -> af9ff6128f1d96175837a8c519a96afb +++++} # update outer.reply = noop ++++} # if (outer.request:Chargeable-User-Identity) = noop +++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop +++ ... skipping else for request 12: Preceding "if" was taken ++} # policy cui_postauth = noop +} # group post-auth = noop } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xe4dc1a26c353c090f67b6bf6bd188dc7 MS-MPPE-Recv-Key = 0x272ed321f8edd9f5d647b617dfd8331b EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xe4dc1a26c353c090f67b6bf6bd188dc7 MS-MPPE-Recv-Key = 0x272ed321f8edd9f5d647b617dfd8331b EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 12 to 129.69.5.130 port 50355 Chargeable-User-Identity = "af9ff6128f1d96175837a8c519a96afb" EAP-Message = 0x010d002b190017030100204cba8110b0ea82dc9972b79b9d38cb2222ba46e3b92aa013d7128d8edaf550f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0f2d19e30320009b347c7ccf2b2608d1 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=13, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020d005019001703010020d1d31246b21acf81673a91a3e1cd7faef80cbf395c4f10008ae4581aca6068f017030100209cc273c58db0b0c8c45243c2012b6a44b3a9bd0d9c914bd8b63197736b036226 State = 0x0f2d19e30320009b347c7ccf2b2608d1 Message-Authenticator = 0xf9bf51fcbcf37c785131d8d7665515fd # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 13 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 13 to 129.69.5.130 port 50355 MS-MPPE-Recv-Key = 0xe6f5c1dbed02dc3b0209016ac4e3a47c134397edcb19159e6d14a9d348265773 MS-MPPE-Send-Key = 0x4378e43173b72fc85dafb172e56307ffc75f73459a1b36bca059a21274cd0266 EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 13. Going to the next request Waking up in 4.9 seconds. Do you reckon that with PEAP we'd need use_tunneled_reply? Off-topic: why does the debug tell me: "server { # from file £Ýç?" with such a weird file name? TIA! Best, Kilian