Thank you for your answer. Sorry for that. Please find the entire debug log below. peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "ntdomain" from file /etc/freeradius/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 37680 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=251, length=246 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0201000f016162656e6b656d6f756e Message-Authenticator = 0x1b5aad0ef8877762ea2832178b4e0ab1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 0: Preceding "if" was taken ++ ... skipping else for request 0: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 251 to 172.16.2.254 port 32769 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2ead553f96bd63d5fd0e3e5f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=252, length=401 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0202009819800000008e1603010089010000850301536a43a6444bca59bfbbdf23e1910b4f04015192225639f4786e7f40b6822ef500004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0x2eaf4ccd2ead553f96bd63d5fd0e3e5f Message-Authenticator = 0xb7ab88c129f84efe838c9e455df34eae # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 1: Preceding "if" was taken ++ ... skipping else for request 1: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 142 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0089], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0550], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 252 to 172.16.2.254 port 32769 EAP-Message = 0x0103040019c0000006ec1603010039020000350301536a43a901ec5af2e220c3545bda41f6f503016e8d45900d46f694f27ecb346a00c01400000dff01000100000b00040300010216030105500b00054c000549000546308205423082042aa0030201020209009163e378a45e4373300d06092a864886f70d0101050500306e310b3009060355040613024348310d300b06035504081304566175643111300f060355040a13084e65787468696e6b310b3009060355040b130249543110300e060355040313074954205465616d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d301e170d3134303330353039353933 EAP-Message = 0x335a170d3139303631323039353933335a3081a2310b3009060355040613024348310d300b06035504081304566175643111300f060355040713084c617573616e6e653111300f060355040a13084e65787468696e6b3110300e060355040b13074954205465616d312c302a06035504031323636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba39cee32672aca7bbf26026be98e0563338f575ae8f93fe4c62b12c9c1653938f7b7b146284 EAP-Message = 0xe7ead531d6472e71d052af2cc834d48bb7db7ecf3c9256bee6aba1ef3d4033d01c5b5b6cc3979ca3c1a79ee5b008a93cbeb3a71e3afb7045181e4816d533c96a4f97c416888fab2567e3418d2bd9b717cf2d12e0f794ffe7a079526b86d88fc1071dfed371972c22f92dbe2ead837f56d54ac4dc8198458eb1bc853742594a383051f9cc7d587b1a54e5effe71ba0d66c0714469ee79c4908f9db05685971c97464787fb7de17249367db0298994a6bdc7a58c4e107b76d44c97a4d2b7eebbab98fa128487a5bce934f777335da34da5ed7004e1896f734122370203010001a38201ac308201a830090603551d1304023000301106096086480186f842 EAP-Message = 0x0101040403020640300b0603551d0f0404030203f830130603551d25040c300a06082b06010505070301303506096086480186f842010d042816264e65787468696e6b204f70656e53534c2047656e657261746564204365727469666963617465304e0603551d11044730458223636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d8210636973636f2d7377632d323530302d31820c3137322e31362e322e323534301d0603551d0e04160414d3f2b3a6d48a468f738ff5dd6056d3f384a6dbee301f0603551d23041830168014fb320a0d0c3081f1517718946a7797aee67a6e08303206096086480186f84201 EAP-Message = 0x0404251623687474703a2f2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2fac553f96bd63d5fd0e3e5f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=253, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020300061900 State = 0x2eaf4ccd2fac553f96bd63d5fd0e3e5f Message-Authenticator = 0xe14e3c9ead9b88944258c7934f444fe8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 2: Preceding "if" was taken ++ ... skipping else for request 2: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 253 to 172.16.2.254 port 32769 EAP-Message = 0x010402fc190069742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d30340603551d1f042d302b3029a027a0258623687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f300d06092a864886f70d0101050500038201010016fde58d60d1a9567e825fa65720dabad5ecfafc8ee146c6312a4b60983808a1261d94e1c4e84f4a70d770e8262a217f43a23cf034e86179aa921287198553fecea4f1277b811692a530321194137b17ef47c5b261ac36c8211e EAP-Message = 0x617b4e14cdd8dda6627de232040efd97d69c71d926d44869e59e91fcfcb8f90a5875aa9ddec2417dfa82c35980e7dacbb7fdd7a6247b961ff3fe0db906a8544982cc72fa100fd5a799e809eb4b9c4e0dac5728573f0b95aae8439a55528227d946fc1efae3ad8c28cacf093b62f6a27950ae3ea2ca391717334744d73ecfcd0152b3cc7b9eed59c5ece62c91846fc0e126fa1d2bdc3a8f4a9d1f806f9487fabae3a214d59d6f160301014b0c0001470300174104ddfa1e9eb4aba37ed9f6718df44b350c01e5c0093d17eb66b67d037ffa765aa658bc9dcc5821bfcdea7ae0f3d602799c2b379b9174f157c9ae136e9ad5025dee0100ade26975d9f952 EAP-Message = 0x14c06d26f4651e8c66cb7783fd9a10d4acc500dee83c016b4f71de3f62610299b67fffb8e3abb449ebbde99b782d1d0a94ff53a490f9ea4c536dfbb4c68495a9dd26ac4c51b5088194d5089e7cf8e7d621a97af03f57c209b19046f57ed1b8e41f4e5a9d5a9104e02bae4d32b070788a28e9902470c569a5cae54cfbe2f97114e8bbc9ac422ebe62766528e8471dd31c785fecfeeb14c539c305df7590314b2bdbf8e8f2399a116a26b2b36e2065b2ac08f052f330cd473ed2c1f39a4272a951c5f31b9fa9b3586e671e7be73d7954bac2d0c7c72718fde0b9ed77f1e65bbf2a384c2f9fbeb18d44ce443a9700e9335962cb4dd0dd689e503216030100 EAP-Message = 0x040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2cab553f96bd63d5fd0e3e5f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=254, length=393 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x02040090198000000086160301004610000042410479a5816fc4469badb7b96f2d7834854fdf750af1fe94bffa525defcf879bc6a05ea66400643db7ec9869c4c9f54149817a136f75e79b19d35d57851568f75d3a14030100010116030100302bed7dd77900cb202884e16b48589fbeaabf7e297a3a96d813c0b95baad8fe84b3e2692c838db3aba4ace134e7747aa2 State = 0x2eaf4ccd2cab553f96bd63d5fd0e3e5f Message-Authenticator = 0x92ac34611d403b2f0799da5552ffeccf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 3: Preceding "if" was taken ++ ... skipping else for request 3: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 254 to 172.16.2.254 port 32769 EAP-Message = 0x010500411900140301000101160301003041d0c407f76f5234af15ff78f9ec99228fca6447b2ab593c26d7b33fb092deb4b7608eda7cefa100d7610e35623831dd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2daa553f96bd63d5fd0e3e5f Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=255, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020500061900 State = 0x2eaf4ccd2daa553f96bd63d5fd0e3e5f Message-Authenticator = 0x64b278fc4d4e892fdf0eaf6de21b6250 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 4: Preceding "if" was taken ++ ... skipping else for request 4: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 255 to 172.16.2.254 port 32769 EAP-Message = 0x0106002b1900170301002017ab6fcfec80bac56aef6061cc21dd5936e5f17ba6871bd39c0e0f39f03b5250 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2aa9553f96bd63d5fd0e3e5f Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=0, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0206002b1900170301002050a7b15799682707695b0ecca644c907cd9b7126153b23cbffbfc55d36a93a4a State = 0x2eaf4ccd2aa9553f96bd63d5fd0e3e5f Message-Authenticator = 0x154a6f183ef57ed2759cdb84d248eb7b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 5: Preceding "if" was taken ++ ... skipping else for request 5: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - user1 [peap] Got inner identity 'user1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700241a0107001f1057083219cce753ec4da2946e4cf315b96162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a5cdbc96a5bc19791d80465670c3e25 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700241a0107001f1057083219cce753ec4da2946e4cf315b96162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6a5cdbc96a5bc19791d80465670c3e25 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 172.16.2.254 port 32769 EAP-Message = 0x0107004b190017030100405edb4c91479e44b4fbd4542db40e3bee3aed09237d3fd39be1dca6f7b6dfb6d151c78bbac47a3e6a5d0b5a17ac2aa81e942f6c966bc1f04f21e41e3af729237e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd2ba8553f96bd63d5fd0e3e5f Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=1, length=356 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0207006b190017030100605ec951545ca8b0283435811c00367d135a3573a01c484b2c3caef30d1dc21d48e463ec0edeb61f0531bef4bc621f666ed6c370d3d9c56c9449a448beeaac32fc3efbbcb3fb01b47dcd98a26a9b2231b051870ed9701c6232b1e3cb83764bda9d State = 0x2eaf4ccd2ba8553f96bd63d5fd0e3e5f Message-Authenticator = 0x322b09af70b49fce3659602a50ef58fb # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping else for request 6: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700451a0207004031e4a9b4721b606c910d4cbfae477a37e30000000000000000279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a006162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x020700451a0207004031e4a9b4721b606c910d4cbfae477a37e30000000000000000279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a006162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" State = 0x6a5cdbc96a5bc19791d80465670c3e25 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 69 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: user1 [mschap] Told to do MS-CHAPv2 for user1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> user1 [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user1 [mschap] Creating challenge hash with username: user1 [mschap] expand: %{mschap:Challenge} -> 8ca1377208f1742e [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=8ca1377208f1742e [mschap] expand: %{mschap:NT-Response} -> 279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a [mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of= Could not parse into seperate domain/name parts! Exec-Program output: (null) (0xc000000d) Exec-Program-Wait: plaintext: (null) (0xc000000d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect (mschap: External script says (null) (0xc000000d)): [user1] (from client 172.16.2.254 port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 1 to 172.16.2.254 port 32769 EAP-Message = 0x0108002b19001703010020feb623eb0bb3dca917592b6afe1500709bd79b96337e135d970d06b8997c26d0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eaf4ccd28a7553f96bd63d5fd0e3e5f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=2, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0208002b1900170301002019b84798928d1bde9fcf75002a3e1044b6dd2fa2cce8da7f6cab1292767e66cb State = 0x2eaf4ccd28a7553f96bd63d5fd0e3e5f Message-Authenticator = 0x290721d82f147cc6fc88b27c5d3b81b1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 7: Preceding "if" was taken ++ ... skipping else for request 7: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [user1] (from client 172.16.2.254 port 3 cli bc-92-6b-aa-aa-aa) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 2 to 172.16.2.254 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=3, length=246 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0201000f016162656e6b656d6f756e Message-Authenticator = 0xef0454742ef67005127515ded256b71a # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 8: Preceding "if" was taken ++ ... skipping else for request 8: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 3 to 172.16.2.254 port 32769 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25d866e67d724fec8265bde908 Finished request 8. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=4, length=401 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0202009819800000008e1603010089010000850301536a43a90310de667ed488f873dba4d02a4f737c10edfb934fa6f18c237690fd00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100 State = 0xd864ff25d866e67d724fec8265bde908 Message-Authenticator = 0x2cf136d506f7df502ecc34ba6b7a30f3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 9: Preceding "if" was taken ++ ... skipping else for request 9: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 142 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0089], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0550], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 172.16.2.254 port 32769 EAP-Message = 0x0103040019c0000006ec1603010039020000350301536a43acb352e63dd22a952054553efabbaeec15d08d106ee74feb27ecbda89000c01400000dff01000100000b00040300010216030105500b00054c000549000546308205423082042aa0030201020209009163e378a45e4373300d06092a864886f70d0101050500306e310b3009060355040613024348310d300b06035504081304566175643111300f060355040a13084e65787468696e6b310b3009060355040b130249543110300e060355040313074954205465616d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d301e170d3134303330353039353933 EAP-Message = 0x335a170d3139303631323039353933335a3081a2310b3009060355040613024348310d300b06035504081304566175643111300f060355040713084c617573616e6e653111300f060355040a13084e65787468696e6b3110300e060355040b13074954205465616d312c302a06035504031323636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba39cee32672aca7bbf26026be98e0563338f575ae8f93fe4c62b12c9c1653938f7b7b146284 EAP-Message = 0xe7ead531d6472e71d052af2cc834d48bb7db7ecf3c9256bee6aba1ef3d4033d01c5b5b6cc3979ca3c1a79ee5b008a93cbeb3a71e3afb7045181e4816d533c96a4f97c416888fab2567e3418d2bd9b717cf2d12e0f794ffe7a079526b86d88fc1071dfed371972c22f92dbe2ead837f56d54ac4dc8198458eb1bc853742594a383051f9cc7d587b1a54e5effe71ba0d66c0714469ee79c4908f9db05685971c97464787fb7de17249367db0298994a6bdc7a58c4e107b76d44c97a4d2b7eebbab98fa128487a5bce934f777335da34da5ed7004e1896f734122370203010001a38201ac308201a830090603551d1304023000301106096086480186f842 EAP-Message = 0x0101040403020640300b0603551d0f0404030203f830130603551d25040c300a06082b06010505070301303506096086480186f842010d042816264e65787468696e6b204f70656e53534c2047656e657261746564204365727469666963617465304e0603551d11044730458223636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d8210636973636f2d7377632d323530302d31820c3137322e31362e322e323534301d0603551d0e04160414d3f2b3a6d48a468f738ff5dd6056d3f384a6dbee301f0603551d23041830168014fb320a0d0c3081f1517718946a7797aee67a6e08303206096086480186f84201 EAP-Message = 0x0404251623687474703a2f2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25d967e67d724fec8265bde908 Finished request 9. Going to the next request Waking up in 1.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=5, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020300061900 State = 0xd864ff25d967e67d724fec8265bde908 Message-Authenticator = 0xc23739ad862e1f6d0f7c7239e03e0bae # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 10: Preceding "if" was taken ++ ... skipping else for request 10: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 172.16.2.254 port 32769 EAP-Message = 0x010402fc190069742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d30340603551d1f042d302b3029a027a0258623687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f63612d63726c2e70656d303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f69742e6e65787468696e6b2e6c6f63616c2f300d06092a864886f70d0101050500038201010016fde58d60d1a9567e825fa65720dabad5ecfafc8ee146c6312a4b60983808a1261d94e1c4e84f4a70d770e8262a217f43a23cf034e86179aa921287198553fecea4f1277b811692a530321194137b17ef47c5b261ac36c8211e EAP-Message = 0x617b4e14cdd8dda6627de232040efd97d69c71d926d44869e59e91fcfcb8f90a5875aa9ddec2417dfa82c35980e7dacbb7fdd7a6247b961ff3fe0db906a8544982cc72fa100fd5a799e809eb4b9c4e0dac5728573f0b95aae8439a55528227d946fc1efae3ad8c28cacf093b62f6a27950ae3ea2ca391717334744d73ecfcd0152b3cc7b9eed59c5ece62c91846fc0e126fa1d2bdc3a8f4a9d1f806f9487fabae3a214d59d6f160301014b0c000147030017410478a4de69f4ad8220c537254cde9c4deab819de7b146976789b2620542928416358ba8b2046213d41b5a9e76e55eb80ef78267fe9ce67ae3ff3634883ea66d425010086a95017326c77 EAP-Message = 0x0b10f25ecac6eaf376eb49651546583a864cefedad7e433a296055474d89a606922ae82089f12e1bf5a70c0b427523a7c2e1a25a768c6e5a5e27bf693afa3e0ff073f9ec18c7940b7f39ee2e177bd253fec7e888e311aa8d44588b4cecd03d8406faf2eb4b2a186462f7b2d39861f452fc1289df0e485b09e55170de247779b33f7071d4662e146c3146d3c593837839fcedbed60590e5f57897b9aab5f8de56cc3bb02fd6f8ea0c6b67b17799b141e22e805aa335ae6970ee6904a393bdd0387de567ffb34bf399e0f29f2c735bae242897cf28c03559c848440775c4805cf4d32df122541b8a36c13ff5a7786fea547693ee40d4f7761bb016030100 EAP-Message = 0x040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25da60e67d724fec8265bde908 Finished request 10. Going to the next request Waking up in 1.8 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=6, length=393 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x02040090198000000086160301004610000042410465523734a03ce7e9294aa90ab1bdf73edf995304ed48594a22b89d9fda69b9e3f16fd81e69efb8c429c6978eb49954ab7ae742e075a49f9348d192b9da94a08b14030100010116030100300941f6b3bdb0e41dcd8db6feb7b532b06cc311d8a104046aa3a5ee388dfc7910abfcad52a634822025a635079bd931e1 State = 0xd864ff25da60e67d724fec8265bde908 Message-Authenticator = 0x2cd9b972ebdbfb770feea1c7084f121c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 11: Preceding "if" was taken ++ ... skipping else for request 11: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 172.16.2.254 port 32769 EAP-Message = 0x01050041190014030100010116030100309ef6c697a3b591a0093d0e8820f8730c6e3aa04fbaceda76a9bfe6de1f460580aa5c1ad747bd56b16b322d53efe5d6a5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25db61e67d724fec8265bde908 Finished request 11. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=7, length=255 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x020500061900 State = 0xd864ff25db61e67d724fec8265bde908 Message-Authenticator = 0xd3ac100b594700e6e1e5022e10700a62 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 12: Preceding "if" was taken ++ ... skipping else for request 12: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 7 to 172.16.2.254 port 32769 EAP-Message = 0x0106002b19001703010020ebe2fa589f360ffc2ce812a7f1082a300c2f308607cc2100a483cd8636a2bb50 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25dc62e67d724fec8265bde908 Finished request 12. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=8, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0206002b190017030100202ed0c0fa87656289851bde561203fc530a4bc5695c2853429bf542f985236d01 State = 0xd864ff25dc62e67d724fec8265bde908 Message-Authenticator = 0x8d7853676140a0cf23c34a159f23ca9f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 13: Preceding "if" was taken ++ ... skipping else for request 13: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - user1 [peap] Got inner identity 'user1' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x0206000f016162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700241a0107001f10dd48fc50339afd40eeb45d1a42c441d16162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x26cbc59926ccdf9d42d5aad01356b8d4 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700241a0107001f10dd48fc50339afd40eeb45d1a42c441d16162656e6b656d6f756e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x26cbc59926ccdf9d42d5aad01356b8d4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 172.16.2.254 port 32769 EAP-Message = 0x0107004b1900170301004060a123198a4de75c4dea3082f6c982779e62e1320dad9a47d826e932a14cb74274e6f0a83d978599d93402f2d936b680e1b94fff0381a1014e70dc4d2553396e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25dd63e67d724fec8265bde908 Finished request 13. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=9, length=356 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0207006b190017030100607c3790d7ef3ab9b4bd3afdbc886ab2858d4ae0245c2c6c319fcc6e2779dd178d925be524703ea209f9ca275622178ace50e7e0799597ee87472655dc67e4367455be9555df9f705d26b133793e6b600fffd16456de72dd1da02e9413d1fe75f4 State = 0xd864ff25dd63e67d724fec8265bde908 Message-Authenticator = 0xafc5c3ea6de3504bbe6465406721cb95 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 14: Preceding "if" was taken ++ ... skipping else for request 14: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700451a0207004031f9f5cbb4ddaf2892719829fd9bb26356000000000000000014db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874006162656e6b656d6f756e server { [peap] Setting User-Name to user1 Sending tunneled request EAP-Message = 0x020700451a0207004031f9f5cbb4ddaf2892719829fd9bb26356000000000000000014db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874006162656e6b656d6f756e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "user1" State = 0x26cbc59926ccdf9d42d5aad01356b8d4 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 69 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: user1 [mschap] Told to do MS-CHAPv2 for user1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> user1 [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user1 [mschap] Creating challenge hash with username: user1 [mschap] expand: %{mschap:Challenge} -> 758a3904d98ee0d6 [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=758a3904d98ee0d6 [mschap] expand: %{mschap:NT-Response} -> 14db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=14db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874 [mschap] expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of= Could not parse into seperate domain/name parts! Exec-Program output: (null) (0xc000000d) Exec-Program-Wait: plaintext: (null) (0xc000000d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect (mschap: External script says (null) (0xc000000d)): [user1] (from client 172.16.2.254 port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 9 to 172.16.2.254 port 32769 EAP-Message = 0x0108002b19001703010020df11358c618d7724dc94e50e988bc104feceb801687c7f6d3e521f967399a96e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd864ff25de6ce67d724fec8265bde908 Finished request 14. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=10, length=292 User-Name = "user1" Calling-Station-Id = "bc-92-6b-aa-aa-aa" Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP" NAS-Port = 3 Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4" NAS-IP-Address = 172.16.2.254 NAS-Identifier = "cisco-ap-1" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "168" EAP-Message = 0x0208002b1900170301002096139b810b608b186b59db65e9d832b454b9f15a4445131330c212922c7e56db State = 0xd864ff25de6ce67d724fec8265bde908 Message-Authenticator = 0x75af079e0a94a782e2a349b17eb87ef9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") expand: %{request:NAS-IP-Address} -> 172.16.2.254 ? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE ++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...} +++[request] returns notfound ++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound ++ ... skipping elsif for request 15: Preceding "if" was taken ++ ... skipping else for request 15: Preceding "if" was taken ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [ntdomain] No '\' in User-Name = "user1", looking up realm NULL [ntdomain] Found realm "NULL" [ntdomain] Adding Stripped-User-Name = "user1" [ntdomain] Adding Realm = "NULL" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [user1] (from client 172.16.2.254 port 3 cli bc-92-6b-aa-aa-aa) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 15 Sending Access-Reject of id 10 to 172.16.2.254 port 32769 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.5 seconds. Cleaning up request 0 ID 251 with timestamp +6 Cleaning up request 1 ID 252 with timestamp +6 Cleaning up request 2 ID 253 with timestamp +6 Cleaning up request 3 ID 254 with timestamp +6 Cleaning up request 4 ID 255 with timestamp +6 Cleaning up request 5 ID 0 with timestamp +6 Cleaning up request 6 ID 1 with timestamp +6 Waking up in 1.0 seconds. ________________________________________ From: freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com@lists.freeradius.org> on behalf of Phil Mayers <p.mayers@imperial.ac.uk> Sent: Wednesday, May 7, 2014 3:55 PM To: freeradius-users@lists.freeradius.org Subject: Re: Setting ntlm_auth parameters depending on NAS-IP-Address On 07/05/14 14:17, Antoine Benkemoun wrote:
What am I doing incorrectly ?
Only sending a tiny portion of the debugging... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html