On 2015-01-27 14:17, Alan DeKok wrote:
On Jan 27, 2015, at 3:56 AM, the2nd@otpme.org wrote:
btw. rlm_python examples do not show how to handle mschap requests. it would be of much help to have an example.
No.
Read RFC 2548. Or, the source code to rlm_mschap. This is already available to you.
the output of authData i send in my last mail is just what i receive from rlm_python. there is nothing i have invented. its just a "log authData" from within the authenticate() function
Which is YOUR MODULE. And YOUR PYTHON CODE. i.e. something you invented.
I’ll be clear. I don’t wan to see that data. I don’t know what “authData” is, and I don’t care. You’re assuming that I magically know everything about what you’re doing, without you explaining it.
sorry i dont want to be rude but it's just not true what you say. authData is send from rlm_python to the authenticate() function of the module it loads. i just used the example prepaid.py module that comes with freeradius as a "template". and it does exactly what you call "my invention". it uses authData to get a tuple with authentication data (e.g. username and password): http://fossies.org/dox/freeradius-server-2.2.6/prepaid_8py_source.html so its not my code that sets this tuple and its nothing i have invented. and all i want to know is if it is possible to get "%{mschap:Challenge}" and "%{mschap:NT-Response}" in this tuple to verify an mschap request just like it can be done with the ntlm_auth statement from within the mschap module. and i think thats a valid use case when someone wants to integrate an otp solution with freeradius using rlm_python. so here is the debug output of two request and the corresponding config. the first one is using my python script as a replacement of ntlm_auth from within the mschap module and succeeds. the second one uses rlm_python and my module. you can see in the debug ouput whats in authData (one of the lines that starts with otpme.py) because i used the provided log function to log it. # OTPme ntlm mschap otpme_ntlm { ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" } python otpme_mod { module = otpme mod_instantiate = ${.module} func_instantiate = instantiate mod_detach = ${.module} func_detach = detach mod_authenticate = ${.module} func_authenticate = authenticate } authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { otpme_ntlm } } authorize { eap mschap } radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on Jan 18 2015 at 12:00:30 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/otpme including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/script including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/otpme main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var/lib" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "test123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file TÚJ·? modules { } # modules } # server server otpme { # from file /etc/raddb/sites-enabled/otpme modules { Module: Creating Auth-Type = OTPme Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" virtual_server = "otpme" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "otpme" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "otpme" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_mschap Module: Instantiating module "otpme_ntlm" from file /etc/raddb/modules/otpme mschap otpme_ntlm { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" allow_retry = yes } Module: Linked to module rlm_python Module: Instantiating module "otpme_mod" from file /etc/raddb/modules/otpme python_init done python otpme_mod { mod_instantiate = "otpme" func_instantiate = "instantiate" mod_authenticate = "otpme" func_authenticate = "authenticate" mod_detach = "otpme" func_detach = "detach" } Module: Checking authorize {...} for more modules to load Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.219.195.1 port = 1812 client 10.219.195.18 { require_message_authenticator = no secret = "123" shortname = "host1" } } Listening on authentication address 10.219.195.1 port 1812 as server otpme Ready to process requests. otpme.py: OTPme config verfied successful. otpme.py: Instantiated OTPme module. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=0, length=126 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01746573747573657231 Message-Authenticator = 0xc6a9d4db12aa9a3fa241a3810c655494 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 0 to 10.219.195.1 port 37538 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7562a6491fd890a063366da0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=1, length=352 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100de190016030100d3010000cf0301a741278a0cfb95e7f7ad572b9e9003e26a0ec3d1cedb3a61ee7b35b95ad3c9f600005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x7563bf7e7562a6491fd890a063366da0 Message-Authenticator = 0x06b5d1eac47be747a523dea518b88a2a server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 1 length 222 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03b0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 1 to 10.219.195.1 port 37538 EAP-Message = 0x0102040019c000000551160301003e0200003a030112a80abf015913dfd18591767af8d31a7421918e78e906539842667c9a347e4a00c014010012ff01000100000b000403000102000f00010116030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043 EAP-Message = 0x6572746966696361746520417574686f72697479301e170d3132303231303230303231305a170d3133303230393230303231305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f46fbd0d756be26abb5b67573414398205c75b8b1be90ccc43cf479af3c7f570486eb9fdb02a372634b4 EAP-Message = 0x050bd49743d559c1385ac25268b1bee7e0cee585acb8a5102811cb568f31bd6218b97efdc6be84a789697cea6a68dab56cd9e40f0867b4ec2b986610c608405e0b7c426fb8fe04da36c2732ed8aa14d0f4b53b69c6c07150fd4188ef935a66c030681cfe0d5ea6fa80045d8319c5a0b141e34926225185b384273a50058dc27d20beb6b78dc4ed76f694ffda1e3849b93755ec9bf02bf5a99ee9222835cc95f3bfced8a01b47d2c84ef6a86bea8b7251091fdf968cd084d1ea1c02658e535c2875e429af9ad21e1b5cda55e4d42ade8f1b82b31294830203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7 EAP-Message = 0x0d0101040500038201010019c7c020438aafabfe2ef98eb3ebd302687dae3411309deef7a228bcbdd1bfd2ae45c75a39a25ecd53599efc38a56e0a288ee208f7d129dd3daf9197e3b1bd93bfb2d0433eadfe846ac9c97a65f35d322df5e5458e7e49a99354e40410e95d8874862216107c02a51cd428a60755e41d0158e5a1fabb979f37432005e065f4533599dd248c67032723dca1b3acbcc775e775fd5e010d4405e86306fb1af2dc4da0af01f0f17c9a2d5e55d1e895d4ac185cb3371e648c1a1e71fd27080c1adf3804251dd0c75aea734be1fc83af0699d5a0c0f9f6d5afff00d688edf74177ad4357711e6d4eb5cca9b72eb493fb7c3a83b396 EAP-Message = 0xad17d75da15a7cac2ecd58db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7461a6491fd890a063366da0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=2, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x7563bf7e7461a6491fd890a063366da0 Message-Authenticator = 0xf10086a8043a391d9f34e5f93ac3d50b server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 2 to 10.219.195.1 port 37538 EAP-Message = 0x0103016119006f2a160301014b0c0001470300174104313b9aa0b47dcbd72975dce05e6792a55cfd1795f077bf4fbcd4551aceb77ad0d9c4d7b18f1519161fe31fca376fef874ec04f7500e0a080a0a4206ac1e1181901008c409456515256c7de3459d577d98c718eb260e12a90f176144628753528a4dce40e66677fe27cf8755a3693ef0db80d6bdd8a543a718cb3934a5655ebbf4b5f493608cafd6c4b102edae1eb15b740c7c1afba58620f1fc02c44ca6a490ef703291d417c09bae2d842456ef205e48ceb5f2c782e0f523c895b0d0ea06d6f3ce3eb67377fe4a16f70e6474c096b03289227db4c2f12ec3cb5dffdeb7cf4bccdf21d714a610e EAP-Message = 0x3fb128087eba6bf1a6acc03786ed2ff39ae3823f1e4f9e374204f03bfbbec021ce768b36d290f9666f60a8756cd061e70332b48dc4bac07e8c38abba380f561dd996017f4392e2199a5fa06c886057d47e170e42cc8c7a414f796a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7760a6491fd890a063366da0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=3, length=270 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0203008c190016030100461000004241043c8e62e48361799a71777b230786c6ddbd899d9257d73d5fb4d730366671f8f166c0ea2577fcc68ed3e21899edf5b82f7e401f1cb99f7a973c2d35315c619c6d1403010001011603010030543bfb94bffc0be1b81e3e1268ac126fd2d73fb6306e806798e1d651ead4190a74e521db1561c4e16f1acdc896c4afb6 State = 0x7563bf7e7760a6491fd890a063366da0 Message-Authenticator = 0xc6e998f7aef0baef668d678ad3ffd5de server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 3 length 140 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 3 to 10.219.195.1 port 37538 EAP-Message = 0x0104004119001403010001011603010030dafc2aa3b8b15dcb31e8774f67876afb903a651d8f475b94647d45668ca9abde22ffbea12f0e799b6acc4b4900860181 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7667a6491fd890a063366da0 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=4, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x7563bf7e7667a6491fd890a063366da0 Message-Authenticator = 0x8e3735680df6daec47a50279795ae18c server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 4 to 10.219.195.1 port 37538 EAP-Message = 0x0105002b190017030100208fda5e20590d922d9602dbd0e299d5e1ef0027e5d663ef326913f07d313c790d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7166a6491fd890a063366da0 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=5, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0205006019001703010020f3832f06ae8629d40538b61ce86c6b65a6801b4d6c40550d32837dc2aa108b2a1703010030c5e43a0106ae6b61e4d3277abb002bc86b7c0ebffba9c48199aecddad8885ad112753e1d114e2dd391572ace81722539 State = 0x7563bf7e7166a6491fd890a063366da0 Message-Authenticator = 0xf1cf3918a83a26b7efae51172bf43dfb server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser1 [peap] Got inner identity 'testuser1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000e01746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x0205000e01746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group EAP = handled } # server otpme [peap] Got tunneled reply code 11 EAP-Message = 0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 5 to 10.219.195.1 port 37538 EAP-Message = 0x0106004b19001703010040a5594e26652fc133151ca57e9cbc052085294fc31795e67abdaf52d8b88e62fedbdb73905c7faa45de2062d5a9bdaf4291ee698b57b07f39609cac5d0cc44452 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7065a6491fd890a063366da0 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=6, length=274 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02060090190017030100206028167c17fb23fa70e50cb5672a1971e68abea603c5020ef8b19b08e5620ac317030100607afabbdd1caff01b58f4e307fbef41481f55ab7b4137d9f1807bd84a8ee609d235885d2c995004bd6bcaa467679d50c7e8706c383c326ae5cb6f573a651e2279568a55493eb3712e15b84ef90de1b0402743a46cc92a0b09bdaee4d5858a1bab State = 0x7563bf7e7065a6491fd890a063366da0 Message-Authenticator = 0x82a114c11feb9e1259540ea7e6bab80e server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 144 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme [mschapv2] +group MS-CHAP { [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need NT-Password [otpme_ntlm] expand: %{Stripped-User-Name} -> [otpme_ntlm] ... expanding second conditional [otpme_ntlm] expand: %{User-Name} -> testuser1 [otpme_ntlm] expand: %{%{User-Name}:-None} -> testuser1 [otpme_ntlm] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> testuser1 [otpme_ntlm] Creating challenge hash with username: testuser1 [otpme_ntlm] expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500 [otpme_ntlm] expand: %{%{otpme_ntlm:Challenge}:-00} -> a9696cdff7c89500 [otpme_ntlm] expand: %{otpme_ntlm:NT-Response} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{%{otpme_ntlm:NT-Response}:-00} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71 [otpme_ntlm] expand: %{NAS-Identifier} -> [otpme_ntlm] expand: %{Client-IP-Address} -> 10.219.195.1 Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4 Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4 [otpme_ntlm] Exec: program returned: 0 [otpme_ntlm] adding MS-CHAPv2 MPPE keys ++[otpme_ntlm] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group EAP = handled } # server otpme [peap] Got tunneled reply code 11 EAP-Message = 0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbeddc100d33b37b4334ad1a9 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfdadb2bbeddc100d33b37b4334ad1a9 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 6 to 10.219.195.1 port 37538 EAP-Message = 0x0107005b19001703010050b81a606209effd7af621dd30534a25262dcd73b33bb75ecbe99f623722ea4b19c97b5d573dacc032fdecdff2a035a96501daa76d8e60c8e05c1dbabc576156be1695acabc01aaad9a50ab7fe1e403163 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e7364a6491fd890a063366da0 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=7, length=210 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0207005019001703010020f1da00695d99bd592351f25e17e5cfc05b9d96fd110091997c4647c88e90256b1703010020d1fead54c4bf7c06d67f3146e1d450280bcbf7d5338190f43d98fb6171704322 State = 0x7563bf7e7364a6491fd890a063366da0 Message-Authenticator = 0xcdce9a9c5e9d1cf664f2543ff31f4e90 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700061a03 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0xbfdadb2bbeddc100d33b37b4334ad1a9 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group EAP = ok Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. } # server otpme [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8 MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuser1" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8 MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29 EAP-Message = 0x03070004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuser1" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 7 to 10.219.195.1 port 37538 EAP-Message = 0x0108003b19001703010030fdf7d5232e0e4e9a4e84310efa211c13c6c91e2e1fd52ff7b32d4a553db3776149177d11c40a5775df92fece70c5b47f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7563bf7e726ba6491fd890a063366da0 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=8, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800601900170301002064fbbb5b85581cd88640e2d2cef6a2b4c933da3a036f165687094fd61ff8796d170301003045dcae79cc3449aaf7a524e7d9f7c341e524501c8004254369db68458339dfd3e87789d08cfa71428f400639bdbdf7ba State = 0x7563bf7e726ba6491fd890a063366da0 Message-Authenticator = 0x8ceeb6ced09ceff25ff156dbf5daef45 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 8 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "testuser1" [eap] Freeing handler ++[eap] = ok +} # group EAP = ok Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01) } # server otpme WARNING: Empty post-auth section. Using default return values. Sending Access-Accept of id 8 to 10.219.195.1 port 37538 User-Name = "testuser1" MS-MPPE-Recv-Key = 0x08dd033d2e35356c3aad01d0345683f412dcca316db9625ec07bdb697635d1e4 MS-MPPE-Send-Key = 0xcf24fb6cf74db5618f535c557eca41e00f8ad8fb82ff506fd1a690b498a23dbd EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 8. Going to the next request Waking up in 4.8 seconds. authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" } otpme_mod } } authorize { eap update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" } } } radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on Jan 18 2015 at 12:00:30 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/otpme including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/script including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/otpme main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var/lib" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "test123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file T:N·? modules { } # modules } # server server otpme { # from file /etc/raddb/sites-enabled/otpme modules { Module: Creating Auth-Type = OTPme Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" virtual_server = "otpme" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "otpme" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "otpme" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_python Module: Instantiating module "otpme_mod" from file /etc/raddb/modules/otpme python_init done python otpme_mod { mod_instantiate = "otpme" func_instantiate = "instantiate" mod_authenticate = "otpme" func_authenticate = "authenticate" mod_detach = "otpme" func_detach = "detach" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.219.195.1 port = 1812 client 10.219.195.1 { require_message_authenticator = no secret = "123" shortname = "host1" } } Listening on authentication address 10.219.195.1 port 1812 as server otpme Ready to process requests. otpme.py: OTPme config verfied successful. otpme.py: Instantiated OTPme module. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=0, length=126 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01746573747573657231 Message-Authenticator = 0xcf54d7ba4a3e53ec15ab9662706461f1 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 0 to 10.219.195.1 port 33824 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=1, length=352 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100de190016030100d3010000cf03016dd1fdb03ffdd213827520ea5f7c184dde487465683f7196aa5cbe666e837e3000005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x3263975944a89f7d15c2cdcfcea94db5 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 1 length 222 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 03b0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 1 to 10.219.195.1 port 33824 EAP-Message = 0x0102040019c000000551160301003e0200003a0301e30c8c45a37d5610ca7ff2fbc4db6ebeea682cbbac43e98c8aadc1f7ecaee7f300c014010012ff01000100000b000403000102000f00010116030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043 EAP-Message = 0x6572746966696361746520417574686f72697479301e170d3132303231303230303231305a170d3133303230393230303231305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f46fbd0d756be26abb5b67573414398205c75b8b1be90ccc43cf479af3c7f570486eb9fdb02a372634b4 EAP-Message = 0x050bd49743d559c1385ac25268b1bee7e0cee585acb8a5102811cb568f31bd6218b97efdc6be84a789697cea6a68dab56cd9e40f0867b4ec2b986610c608405e0b7c426fb8fe04da36c2732ed8aa14d0f4b53b69c6c07150fd4188ef935a66c030681cfe0d5ea6fa80045d8319c5a0b141e34926225185b384273a50058dc27d20beb6b78dc4ed76f694ffda1e3849b93755ec9bf02bf5a99ee9222835cc95f3bfced8a01b47d2c84ef6a86bea8b7251091fdf968cd084d1ea1c02658e535c2875e429af9ad21e1b5cda55e4d42ade8f1b82b31294830203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7 EAP-Message = 0x0d0101040500038201010019c7c020438aafabfe2ef98eb3ebd302687dae3411309deef7a228bcbdd1bfd2ae45c75a39a25ecd53599efc38a56e0a288ee208f7d129dd3daf9197e3b1bd93bfb2d0433eadfe846ac9c97a65f35d322df5e5458e7e49a99354e40410e95d8874862216107c02a51cd428a60755e41d0158e5a1fabb979f37432005e065f4533599dd248c67032723dca1b3acbcc775e775fd5e010d4405e86306fb1af2dc4da0af01f0f17c9a2d5e55d1e895d4ac185cb3371e648c1a1e71fd27080c1adf3804251dd0c75aea734be1fc83af0699d5a0c0f9f6d5afff00d688edf74177ad4357711e6d4eb5cca9b72eb493fb7c3a83b396 EAP-Message = 0xad17d75da15a7cac2ecd58db Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=2, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f Message-Authenticator = 0xd493ce90415969edf6127c50518c4732 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 2 to 10.219.195.1 port 33824 EAP-Message = 0x0103016119006f2a160301014b0c0001470300174104c35e1963d7c639e085a97c24ea72d92f1e54a9c3d40601612667935afed91c7e062825adabadbcaaa2e5877d536c97e1c7ff4dc71b6f858ef51ab39e994893a20100ed9a2ab740d608a5af8c78409adc8740485b9272dba98663bf51085574cbbb9b62498605e8e499b209a7d60b342b66cc358cf9d60f7aae06ef74a235029005b5cb2ac163eb10055f71cd1128d08f936a488f05a0a03f28d7273842619aa230a3369d9f2f4da9e9dc5e1b723cdad594c2be13d2565f09e35af1e538132fab155aaf1d4821c29865ae5713ba1ab4f83751b9d8fa86fb72fa6f654befc3d8b7501b7d85e8f2ae EAP-Message = 0x5ae3f1212861427e208fc889607a04e9be505a4bebf43d98c1cdaf81f37d55d5e3af85e9dc6f5a62e947d766721825ad29b442a69f905c9c3e0eade42647199419879001f2ddb7e69a7dda56655e77a3ad2f1e37be2e84e64ff43616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=3, length=270 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0203008c190016030100461000004241042b60cdd4c6bdeb200c77d3d537f674a5631b755a80b7982bf733ce33320ca0407225180646fa6f0093ad6a5105188aceb1863f63f3c136aeef6c368e1502d95314030100010116030100301d71fea144c432c55f558ba0b49ff5aac18fdd3009aac62e72f7eb39968e8d48f96f2995dbe2c5710ad2f69464f980c2 State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x237e70a50554e023763eb64c066aec55 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 3 length 140 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 3 to 10.219.195.1 port 33824 EAP-Message = 0x01040041190014030100010116030100308c4cd23b129b4d6b112e48ee7cb711c51f995451c68db430c60ca062db367ee570205bff7eb8aafdd934683d574fcea4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=4, length=136 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x69e82b0f4e465e073eae3a268b674f06 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 4 to 10.219.195.1 port 33824 EAP-Message = 0x0105002b1900170301002082cd7593171297731f9bb967c298eede87b931f7d0196983be108cd4531492cc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=5, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0205006019001703010020f274ddb4f22667dabece5f95d79dc8c045a661d70905a752d35466f03c2370da1703010030ac36bcde5cf6e84853efb3151ae374c0aa7ee14e9c8006e827780b890ba08a2dea53d647d1d7cc2e3566a9ec976b9510 State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f Message-Authenticator = 0x03569fa4ad0362141f844f4a5996a0ad server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser1 [peap] Got inner identity 'testuser1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0205000e01746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x0205000e01746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 5 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group EAP = handled } # server otpme [peap] Got tunneled reply code 11 EAP-Message = 0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xef3dc50aef3bdf904f03abafc54a8a4c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xef3dc50aef3bdf904f03abafc54a8a4c [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 5 to 10.219.195.1 port 33824 EAP-Message = 0x0106004b190017030100406aa431b9b62079ba567d85b917f35ae0772924c9078e8f667416ecd10508d012726fe8dc02954fbadd6cd4765eb4f330a844677a7b942260db20f71f09470a41 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=6, length=274 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02060090190017030100207a5f44949cd792d5be3b6de4a1138d8079d27c4ca89126a4d8e3fd3aaac5935e1703010060e4da27ea84d607fdb3157877e788ac0d83626bd5395d96a07e5e15657af37466f3b9924c963a823c3582b10a9e78f6a82412aeda1ee37e0fdce65d394e687036c68abf7502a489efa24de7049e236a6b4fc5f15756d873deab341407af3a1af2 State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f Message-Authenticator = 0xdda1b35918197604282ed1da107008e8 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 144 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231 server otpme { [peap] Setting User-Name to testuser1 Sending tunneled request EAP-Message = 0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "testuser1" State = 0xef3dc50aef3bdf904f03abafc54a8a4c NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 6 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme [mschapv2] +group MS-CHAP { [mschapv2] ++update request { [mschapv2] Creating challenge hash with username: testuser1 [mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a [mschapv2] expand: %{mschap:NT-Response} -> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be [mschapv2] ++} # update request = noop otpme.py: (('EAP-Message', '0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response', '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x37623034353563393732643163663561'), ('Tmp-Octets-1', '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265')) ++[otpme_mod] = fail +} # group MS-CHAP = fail [eap] Freeing handler ++[eap] = reject +} # group EAP = reject Failed to authenticate the user. Login incorrect: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01 via TLS tunnel) } # server otpme [peap] Got tunneled reply code 3 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group EAP = handled } # server otpme Sending Access-Challenge of id 6 to 10.219.195.1 port 33824 EAP-Message = 0x0107003b19001703010030bafab3f8b086bdb25e11ee4102f959f8a15afe60af25cb7ea51226f50fc22739f1360c3ae4f23b9c3bd64220403469b2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=7, length=226 User-Name = "testuser1" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02070060190017030100201475fdf487cb7c5cdbc28275c523942e9478b881702b3715bf41f14e37fd571517030100309264cd7daa17a72f42129836e9fa9d36b3fc98994441970908d89a5fce9831c0cc84703d6d6a4c5d027561bd9da36fe7 State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f Message-Authenticator = 0xa10e2442d21c4201b6110b4f3f0e9ef5 server otpme { # Executing section authorize from file /etc/raddb/sites-enabled/otpme +group authorize { [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] = ok ++[mschap] = noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE ++? if (!control:Auth-Type) -> FALSE +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/otpme +group EAP { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group EAP = invalid Failed to authenticate the user. Login incorrect: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01) } # server otpme Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 7 to 10.219.195.1 port 33824 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.