MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5
Hi, we're currently trying to get MACSEC (802.1ae) configured on a Cisco WS-C3750X-48P running IP base 15.0(2)SE7 on customer facing ports. For authentication we've got a radiator 4.14 as radius proxy configured on the switch and forward all (in this case only EAP) requests onto a FreeRADIUS 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a Win7 (x86_64) running AnyConnect 3.1.06079. As per http://lists.freeradius.org/pipermail/freeradius-users/2013-February/065041.... MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the relevant part in sites-enabled/default (which we've done). Yet, we do see: - with PEAP: ... Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Badly formatted EAP Message: Ignoring the packet [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap. - with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default) Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system. Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already. If anyone has a good starting point to continue debugging further I'm all ears. TIA! Best regards, Kilian -- Kilian Krause Netze und Kommunikationssysteme (NKS) Informations- und Kommunikationszentrum der Universität Stuttgart (IZUS) Technische Informations- und Kommunikationsdienste (TIK, ehem. RUS) Tel.: +49 (711) 685-64512 Fax.: +49 (711) 685-54512 (PC) Fax.: +49 (711) 68 23 57 Allmandring 30a 70550 Stuttgart DEUTSCHLAND
Hi,
we're currently trying to get MACSEC (802.1ae) configured on a Cisco WS-C3750X-48P running IP base 15.0(2)SE7 on customer facing ports.
For authentication we've got a radiator 4.14 as radius proxy configured on the switch and forward all (in this case only EAP) requests onto a FreeRADIUS 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a Win7 (x86_64) running AnyConnect 3.1.06079.
As per http://lists.freeradius.org/pipermail/freeradius-users/2013-February/065041.... MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the relevant part in sites-enabled/default (which we've done).
1) full debug log is very useful 2) what happens when you send the request directly to FR?
Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
ensure you send back the right VSAs on Access-Accept - see the Cisco ISE docs - cisco sometimes also document other RADIUS platforms...but rarely.. and check to see what they are saying to configure the ISE with alan
Hi Alan,
we're currently trying to get MACSEC (802.1ae) configured on a Cisco WS- C3750X-48P running IP base 15.0(2)SE7 on customer facing ports.
For authentication we've got a radiator 4.14 as radius proxy configured on the switch and forward all (in this case only EAP) requests onto a FreeRADIUS 2.2.5+dfsg-0.1~bpo70+1 (Debian wheezy backports). The authenticating client is a Win7 (x86_64) running AnyConnect 3.1.06079.
As per http://lists.freeradius.org/pipermail/freeradius-users/2013- February/065041.html MACSEC should be working ok (since around 2.2.1 or 2.2.2) when uncommenting the relevant part in sites-enabled/default (which we've done).
1) full debug log is very useful
Here you go: http://fex.rus.uni-stuttgart.de:8080/fop/cEx9dqNJ/logs.zip
2) what happens when you send the request directly to FR?
The above logs are created with direct authentication from switch to FR.
Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
ensure you send back the right VSAs on Access-Accept - see the Cisco ISE docs - cisco sometimes also document other RADIUS platforms...but rarely.. and check to see what they are saying to configure the ISE with
Well, what "right" VSAs might that be? Send Cisco-Avpair:linksec-policy=must-secure even though it's already configured on the switchport itself? Sounds not too obvious, but might be worth a try. TIA! Best, Kilian
Hello, We're using rlm_rest module, which is called in the post-proxy section of FreeRADIUS. Trying to benchmark our setup, we noticed the following: - FreeRADIUS cannot handle more than a handful of requests per second. - only one, or two threads are used at the same time. We've tried to use rlm_rest in other sections instead of post-proxy (for instance, authorize or pre-proxy) to do the exact same thing. In this setup, the benchmark looks very different. FreeRADIUS handles many requests per second, and all the threads get busy. (the bottleneck is the server queried through rest, which is expected) I do not understand what happens in post-proxy. Is there some limitation on requests parallel processing in this section ? Thanks for your help, Nicolas. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Feb 27, 2015, at 6:36 AM, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
Trying to benchmark our setup, we noticed the following: - FreeRADIUS cannot handle more than a handful of requests per second. - only one, or two threads are used at the same time.
Some modules cannot be multi-threaded. The server implements mutexes to be sure that the modules are used only by one thread. If that module is used, *and* it takes a long time to do it’s work, then all threads will block on that module.
I do not understand what happens in post-proxy. Is there some limitation on requests parallel processing in this section ?
No. And the rest module doesn’t behave any differently in post-proxy. What other modules are you running in post-proxy? Arran and I have discussed instrumenting the server to track time spent in a module. That’s useful, but would destroy performance in a production environment. Still, for debugging it can be very helpful. Alan DeKok.
Hi Alan, Le 27/02/2015 14:35, Alan DeKok a écrit :
Some modules cannot be multi-threaded. The server implements mutexes to be sure that the modules are used only by one thread. If that module is used, *and* it takes a long time to do it’s work, then all threads will block on that module.
We agree. But reading the source code, rlm_rest is multi-thread compliant (RLM_TYPE_THREAD_SAFE). So we're assuming that there is no mutex for the rest module.
And the rest module doesn’t behave any differently in post-proxy.
The weird thing is that if we move the use of rlm_rest in another section like pre-proxy, there is no blocking issue any more.
What other modules are you running in post-proxy?
At that time, this is the only one, precisely in order to analyse the bottleneck issue. Let's see some facts: - We have a remote radius server that always answer immediately with an Access-Accept. - We have a REST server that delivers a JSON response in around 100 ms. - Our freeradius is configured to proxy requests to the remote radius server and to call the REST server before or after the request to the remote radius server. We used radperf for benchmark (-p 500). The results: - No REST request at all => freeradius handles 3800 requests per sec approximately. - if the REST server is called in pre-proxy => 1100 r/s. All the threads of the pool are active. - if the REST server is called in post-proxy => between 70and 150 r/s with a lot of variation between our tests. Less than half of available threads are active. Thank you for your help, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 2, 2015, at 8:34 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
The weird thing is that if we move the use of rlm_rest in another section like pre-proxy, there is no blocking issue any more.
Except the rest module doesn’t have a pre-proxy or post-proxy method. So… what exactly are you doing?
We used radperf for benchmark (-p 500). The results: - No REST request at all => freeradius handles 3800 requests per sec approximately. - if the REST server is called in pre-proxy => 1100 r/s. All the threads of the pool are active. - if the REST server is called in post-proxy => between 70and 150 r/s with a lot of variation between our tests. Less than half of available threads are active.
Is the behaviour the same if you change rest for another module? Alan DeKok.
Le 02/03/2015 14:59, Alan DeKok wrote:
Except the rest module doesn't have a pre-proxy or post-proxy method. So... what exactly are you doing?
We changed it in order to allow calling it in pre- or post-proxy section. Anyway, we reproduced the issue with another module, see above.
Is the behaviour the same if you change rest for another module?
Yes. We wrote a simple module, which sleeps a little every time it is invoked (see attached file). We replaced rlm_rest with it and launched the benchmark tests again, with the exact same results: - pre-proxy: 1250 r/s, all threads are active. - post-proxy: 42 r/s, only part of the available threads are active. I'm wondering if there is a critical section in proxy replies handling which may explain such results ? Btw, we are using 3.0.x branch of FreeRADIUS. Regards, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 2, 2015, at 11:02 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
Yes. We wrote a simple module, which sleeps a little every time it is invoked (see attached file). We replaced rlm_rest with it and launched the benchmark tests again, with the exact same results: - pre-proxy: 1250 r/s, all threads are active. - post-proxy: 42 r/s, only part of the available threads are active.
That’s bad.
I'm wondering if there is a critical section in proxy replies handling which may explain such results ?
No. There’s code which handles the post-proxy packet. But that does the same thing whether or not there are any modules in post-proxy. And the code dealing with modules in post-proxy is *exactly* the same for post-proxy, authorize, authenticate, etc. Ive managed to do 50K PPS proxying with the standard config. So it makes me wonder what else is going on. What happens when you use the “ok” module instead of your custom one? It might be down to bad interactions with the scheduler. Alan DeKok.
Hi Alan, Le 02/03/2015 17:14, Alan DeKok wrote :
What happens when you use the “ok” module instead of your custom one? It might be down to bad interactions with the scheduler.
Do you mean the "always" module ? No problem at all with it, the rate is very good with an invocation in post-proxy section. To be honest, we used custom-made modules for years without any problem, but they all execute very quickly (around 2 or 3 ms). The issue seems to appear if there are blocking (or time-consuming ?) operations in post-proxy and I'm not sure it is related to modules. So far, we encountered the issue with: - rlm_rest requesting a high loaded REST server. - rlm_exec invoking the /bin/sleep command (however in this case the rate is as bad in pre-proxy as in post-proxy so we can't rely on the result). - rlm_lrs which calls usleep(). During this tests, we do not see high CPU or memory consumption. This is like FreeRadius have nothing to do. If it's a scheduler problem, should we not see that all threads are active, but blocked somewhere ? Regards, -- /LRS/ This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Le 03/03/2015 11:01, "RESTOUX, Loïc" wrote :
If it's a scheduler problem, should we not see that all threads are active, but blocked somewhere ?
Another thoughts about this: a network analysis seems to show that the bottleneck is not in post-proxy handling, but upstream. We know that radperf is sending as much requests as we told him (with -p 500 argument), but the rate of outgoing proxied requests is far lower. See the graphs above: - rlm_lrs invoked in pre-proxy section: http://postimg.org/image/nvga69qwx/ - rlm_lrs invoked in post-proxy section: http://postimg.org/image/oyjo6mjgh/ So, is it possible that FreeRadius slows down the proxied requests sent to the remote radius, for instance in order to be sure to have always enough available threads to deal with the responses ? Note that our max_outstanding parameter is set to 4096. Should we care of other parameters in the proxy section ? Regards, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 3, 2015, at 6:00 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
Another thoughts about this: a network analysis seems to show that the bottleneck is not in post-proxy handling, but upstream. We know that radperf is sending as much requests as we told him (with -p 500 argument), but the rate of outgoing proxied requests is far lower.
Which would seem to be the problem then.
So, is it possible that FreeRadius slows down the proxied requests sent to the remote radius, for instance in order to be sure to have always enough available threads to deal with the responses ?
No. It sends packets as fast as it can.
Note that our max_outstanding parameter is set to 4096. Should we care of other parameters in the proxy section ?
The default configuration should work. I have no idea how a module running in post-proxy can cause *outgoing* packets to slow down. Alan DeKok.
Le 03/03/2015 14:38, Alan DeKok wrote:
I have no idea how a module running in post-proxy can cause *outgoing* packets to slow down.
Ok. Does someone have any idea on how we can investigate this ? I'm starting to consider adding some statistics to monitor how long a request is pending between its reception in FreeRADIUS and its emission to the remote radius server, but any other suggestion is welcome. Regards, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 3, 2015, at 11:17 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
Ok. Does someone have any idea on how we can investigate this ?
Instrument the server to see where it’s spending its time.
I'm starting to consider adding some statistics to monitor how long a request is pending between its reception in FreeRADIUS and its emission to the remote radius server, but any other suggestion is welcome.
No idea. I’ve never seen anything like this. My tests show 20K pps or more for proxying. If you can’t get that on a commodity system. something is very, very, broken. Alan DeKok.
Le 03/03/2015 17:29, Alan DeKok a écrit :
No idea. I’ve never seen anything like this. My tests show 20K pps or more for proxying. If you can’t get that on a commodity system. something is very, very, broken.
Do you mean that you reach 20K pps with time-consuming processing in post-proxy ? It's a critical point, because it means that there is something bad in our overall environment, not in FreeRADIUS. -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
Yes. If you've got any time consuming processes in the live path then you will have radius issues. The post-auth is party of the live path and therefore if there are delays, the response from the radius server will be impacted. Look at your systems and your data processing flow. Check where time is spent and see if what you are doing is needed in the live path. It may be that what you are doing can be done out of band. 20k auths/s, proxied, with vanilla config on basic server is basic. Stick some slow ldap and sql stuff in and you have immediate performance impact alan
On Mar 4, 2015, at 3:53 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
Do you mean that you reach 20K pps with time-consuming processing in post-proxy ?
I mean there’s 20K PPS with a carefully crafted configuration. So FreeRADIUS *can* do 20Kpps proxying.
It's a critical point, because it means that there is something bad in our overall environment, not in FreeRADIUS.
Yes. There is nothing in the server which is designed to destroy performance. The server core is designed to run as fast as possible. But… if you use EAP (TLS), performance drops about 90%. That’s due to the CPU overhead of calculating the RSA keys. If you use a database, performance drops a similar amount. Because databases have to write to disk, and disks are slow. I have *never* seen the server proxy 100 pps, even with complex rules in pre and post-proxy. So there’s something weird about your local system. Alan DeKok.
Le 04/03/2015 13:54, Alan DeKok a écrit :
I have *never* seen the server proxy 100 pps, even with complex rules in pre and post-proxy. So there’s something weird about your local system.
I considered this, but everything seems normal. Then I returned to source code... And I noticed that the post-proxy section could be invoked by the master thread, which explains every symptoms. If the master thread is blocked, it does not handle incoming requests et replies from the remote radius any more. In which cases does the master invoke post-proxy section ? Regards, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 4, 2015, at 11:14 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
Then I returned to source code... And I noticed that the post-proxy section could be invoked by the master thread, which explains every symptoms. If the master thread is blocked, it does not handle incoming requests et replies from the remote radius any more.
It *can* do post-proxy in the master thread. But only if it’s single threaded.
In which cases does the master invoke post-proxy section ?
When it’s single threaded. In normal cases, it runs the proxy reply back through the thread queue. Where a child thread picks it up. You should be able to test this by looking at the current thread ID. If it’s the same as the master thread, it’s a problem. Alan DeKok.
Le 04/03/2015 17:28, Alan DeKok a écrit :
You should be able to test this by looking at the current thread ID. If it’s the same as the master thread, it’s a problem.
That's what I did, and... there is a problem. :-) It's not single threaded as I see child threads running, too. What is the next step ? Is there something I should check in the configuration, that may explain this behaviour ? Or should I fill an issue on the github repository ? Thank you for you help, -- logo Capgemini Restoux Loïc Communications & Energie-Utilities | AS France Capgemini | Rennes Tel: +33 2 99 27 82 30 www.fr.capgemini.com <http://www.fr.capgemini.com> People matter, results count. ------------------------------------------------------------------------ /Capgemini is a trading name used by the Capgemini Group of companies which includes CAPGEMINI TECHNOLOGY SERVICES SAS, a company registered in France (RCS : 479 766 842 – APE 6202 A NANTERRE) whose registered office is at 5/7, rue Frédéric Clavel – 92287 Suresnes cedex / This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 4, 2015, at 12:42 PM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
Le 04/03/2015 17:28, Alan DeKok a écrit :
You should be able to test this by looking at the current thread ID. If it’s the same as the master thread, it’s a problem.
That's what I did, and... there is a problem. :-) It's not single threaded as I see child threads running, too.
OK.
What is the next step ? Is there something I should check in the configuration, that may explain this behaviour ? Or should I fill an issue on the github repository ?
I’ve double-checked the proxy state machine. I’ve pushed some changes which simplify it, to the v3.0.x branch. They also make it easier to verify that the post-proxy section is always called from a child thread. I’ve done some simple testing, so it works in the normal case. Please check out the code and make sure it works, and fixes the problem. Alan DeKok.
Hi Alan, Le 04/03/2015 19:27, Alan DeKok a écrit :
Please check out the code and make sure it works, and fixes the problem.
I just tested it with our minimalist configuration, and everything works fine. Now I can see all the available threads working, and consuming-time processing in pre-proxy and in post-proxy give the same overall rate . I still have to test it with our complete configuration using rlm_rest module, but I'm very confident. I'll let you know the final results. Thanks a lot for your help, we really appreciate it ! :-) -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 5, 2015, at 4:21 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
I just tested it with our minimalist configuration, and everything works fine. Now I can see all the available threads working, and consuming-time processing in pre-proxy and in post-proxy give the same overall rate .
That’s good news.
I still have to test it with our complete configuration using rlm_rest module, but I'm very confident. I'll let you know the final results.
Thanks.
Thanks a lot for your help, we really appreciate it ! :-)
It’s what I do. Rumors of me being mean are just not true. Alan DeKok.
I think we found some regressions, not sure they're related to your fix, though. First, it seems that if a "Post-Proxy-Type Fail" section exists, it is invoked instead of the regular post-proxy. I deleted the "Post-Proxy-Type Fail" section as a dirty workaround. Then we experiment very strange things in the evaluation of the virtual server. For instance: (7) if ("%{proxy-reply:Packet-Type}" == "Access-Accept") { (7) EXPAND %{proxy-reply:Packet-Type} (7) --> Access-Accept (7) if ("%{proxy-reply:Packet-Type}" == "Access-Accept") -> FALSE I'm currently trying to debug this last one. Regards, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 5, 2015, at 11:17 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
I think we found some regressions, not sure they're related to your fix, though.
First, it seems that if a "Post-Proxy-Type Fail" section exists, it is invoked instead of the regular post-proxy. I deleted the "Post-Proxy-Type Fail" section as a dirty workaround.
That’s due to some dictionary file changes. I’ve pushed a fix.
Then we experiment very strange things in the evaluation of the virtual server. For instance: (7) if ("%{proxy-reply:Packet-Type}" == "Access-Accept") { (7) EXPAND %{proxy-reply:Packet-Type} (7) --> Access-Accept (7) if ("%{proxy-reply:Packet-Type}" == "Access-Accept") -> FALSE
I'm currently trying to debug this last one.
That works for me. Alan DeKok.
Hi, Le 05/03/2015 17:37, Alan DeKok a écrit :
That’s due to some dictionary file changes. I’ve pushed a fix.
I confirmed, it's working now.
Then we experiment very strange things in the evaluation of the virtual server. That works for me.
To summarize, all the literal strings loaded from the configuration of the virtual server have bad length (same thing for the regexp, see my other thread in the list). The stored lengths in "value pair" (?) always exceed the real length from 2 or 3 characters... I have no idea why, and I give up for the moment. I tried to fight against the parser, but I lost. :) -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 6, 2015, at 9:01 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
I confirmed, it's working now.
That’s good.
To summarize, all the literal strings loaded from the configuration of the virtual server have bad length (same thing for the regexp, see my other thread in the list). The stored lengths in "value pair" (?) always exceed the real length from 2 or 3 characters…
That shouldn’t happen. What OS / version are you using? Maybe we can reproduce it here.
I have no idea why, and I give up for the moment. I tried to fight against the parser, but I lost. :)
The data goes through a *lot* of layers before it’s interpreted at run-time. So that’s hard to track. Alan DeKok.
Le 06/03/2015 15:49, Alan DeKok a écrit :
That shouldn’t happen. What OS / version are you using? Maybe we can reproduce it here.
Linux RHEL 6.4 (Santiago). Talloc 2.1.0. Feel free to ask if you need any other information. Thank you for your help. -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
I feel suspicious with the functions condition_tokenize(), tmpl_afrom_str() and tmpl_alloc(). I think that the length used for tmpl_alloc() includes the quotes, and the value is stored directly in vpt->len. Unfortunatly, I don't dare to fix it myself, I'm pretty sure I'll break everything else. :) -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 6, 2015, at 11:10 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
I feel suspicious with the functions condition_tokenize(), tmpl_afrom_str() and tmpl_alloc(). I think that the length used for tmpl_alloc() includes the quotes, and the value is stored directly in vpt->len.
It shouldn’t be. If you have “correct_escapes = yes”, then vpt->len is the length of the data in vpt->name. If it’s not, there’s a problem.
Unfortunatly, I don't dare to fix it myself, I'm pretty sure I'll break everything else. :)
Even tracking down where the length goes wrong should be helpful. Alan DeKok.
Hi, Le 06/03/2015 19:32, Alan DeKok a écrit :
If you have “correct_escapes = yes”, then vpt->len is the length of the data in vpt->name. If it’s not, there’s a problem. You're right. I did NOT set correct_escapes in my configuration, and now all is working (including the length of regexps) when correct_escape = true. So I assume that the default value is false, right ? That may explain why you couldn't reproduce it.
Thank you very much ! Still, I cannot figure out why the behaviour is not the same with correct_escape = false. We do not use backslashes in our configuration.
Even tracking down where the length goes wrong should be helpful. I added some logs to track down the issue. The line to be parsed is: if ("%{proxy-reply:Packet-Type}" == "Access-Accept") {
Here's the result (I focus on the RHS here, but same result with LHS) with correct_escape=false: BEGIN condition_tokenize(start=("%{proxy-reply:Packet-Type}" == "Access-Accept") {) BEGIN condition_tokenize(start="%{proxy-reply:Packet-Type}" == "Access-Accept") {) CONT condition_tokenize - Grab the RHS BEGIN condition_tokenize_string( start="Access-Accept") {, op=0x 0 ) END condition_tokenize_string() => 15 CONT condition_tokenize - Grab the RHS => rhs=Access-Accept, type=25, slen=15 CONT condition_tokenize(): try to extract a string from rhs Access-Accept (type=25) BEGIN tmpl_afrom_str(in=Access-Accept, inlen=16) CONT tmpl_afrom_str( type=T_DOUBLE_QUOTED_STRING ) END tmpl_alloc(name=Access-Accept, len=16) => vpt-name=Access-Accept, vpt->len=16 END tmpl_afrom_str() => vpt->name=Access-Accept, vpt->len=16, return=16 CONT condition_tokenize - Grab the RHS BEGIN condition_tokenize_string( start="Access-Accept") , op=0x 0 ) END condition_tokenize_string() => 15 CONT condition_tokenize - Grab the RHS => rhs=Access-Accept, type=25, slen=15 CONT condition_tokenize(): try to extract a string from rhs Access-Accept (type=25) BEGIN tmpl_afrom_str(in=Access-Accept, inlen=15) CONT tmpl_afrom_str( type=T_DOUBLE_QUOTED_STRING ) END tmpl_alloc(name=Access-Accept, len=15) => vpt-name=Access-Accept, vpt->len=15 END tmpl_afrom_str() => vpt->name=Access-Accept, vpt->len=15, return=15 END condition_tokenize(start="%{proxy-reply:Packet-Type}" == "Access-Accept") ) => 49 END condition_tokenize(start=("%{proxy-reply:Packet-Type}" == "Access-Accept") ) => 50 Then with correct_escape=true: BEGIN condition_tokenize(start=("%{proxy-reply:Packet-Type}" == "Access-Accept") {) BEGIN condition_tokenize(start="%{proxy-reply:Packet-Type}" == "Access-Accept") {) CONT condition_tokenize - Grab the RHS BEGIN condition_tokenize_string( start="Access-Accept") {, op=0x 0 ) END condition_tokenize_string() => 15 CONT condition_tokenize - Grab the RHS => rhs=Access-Accept, type=25, slen=15 CONT condition_tokenize(): try to extract a string from rhs Access-Accept (type=25) BEGIN tmpl_afrom_str(in=Access-Accept, inlen=13) CONT tmpl_afrom_str( type=T_DOUBLE_QUOTED_STRING ) END tmpl_alloc(name=Access-Accept, len=13) => vpt-name=Access-Accept, vpt->len=13 END tmpl_afrom_str() => vpt->name=Access-Accept, vpt->len=13, return=13 CONT condition_tokenize - Grab the RHS BEGIN condition_tokenize_string( start="Access-Accept") , op=0x 0 ) END condition_tokenize_string() => 15 CONT condition_tokenize - Grab the RHS => rhs=Access-Accept, type=25, slen=15 CONT condition_tokenize(): try to extract a string from rhs Access-Accept (type=25) BEGIN tmpl_afrom_str(in=Access-Accept, inlen=13) CONT tmpl_afrom_str( type=T_DOUBLE_QUOTED_STRING ) END tmpl_alloc(name=Access-Accept, len=13) => vpt-name=Access-Accept, vpt->len=13 END tmpl_afrom_str() => vpt->name=Access-Accept, vpt->len=13, return=13 END condition_tokenize(start="%{proxy-reply:Packet-Type}" == "Access-Accept") ) => 49 END condition_tokenize(start=("%{proxy-reply:Packet-Type}" == "Access-Accept") ) => 50 As you can see, the vpt-len differs. HTH, -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mar 9, 2015, at 6:48 AM, RESTOUX, Loïc <loic.restoux@capgemini.com> wrote:
You're right. I did NOT set correct_escapes in my configuration, and now all is working (including the length of regexps) when correct_escape = true. So I assume that the default value is false, right ? That may explain why you couldn't reproduce it.
Yes.
Thank you very much !
Still, I cannot figure out why the behaviour is not the same with correct_escape = false. We do not use backslashes in our configuration. ... END condition_tokenize_string() => 15 CONT condition_tokenize - Grab the RHS => rhs=Access-Accept, type=25, slen=15 CONT condition_tokenize(): try to extract a string from rhs Access-Accept (type=25) BEGIN tmpl_afrom_str(in=Access-Accept, inlen=16)
Thats the difference, and enough for me to push a fix. Please try the v3.0.x branch now. It should work. Alan DeKok.
Hi, Le 09/03/2015 15:01, Alan DeKok a écrit : Thats the difference, and enough for me to push a fix. Please try the v3.0.x branch now. It should work. It does ! Thank you again for your work. -- LRS This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On 02/03/15 16:02, "RESTOUX, Loïc" wrote:
Le 02/03/2015 14:59, Alan DeKok wrote:
Except the rest module doesn't have a pre-proxy or post-proxy method. So... what exactly are you doing?
We changed it in order to allow calling it in pre- or post-proxy section.
Completely unrelated, but for future reference note you can call a different "section" handler, like this: post-proxy { rest.authorize } ...if a module doesn't have a handler for a given section.
On Feb 26, 2015, at 3:29 AM, Krause, Kilian <krause@tik.uni-stuttgart.de> wrote:
Yet, we do see: - with PEAP: ... Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Badly formatted EAP Message: Ignoring the packet
That should be pretty obvious. This is a textbook case of what *not* to do. i.e. Post *part* of the debug output. Ignore the error message. It can’t be important, right?
This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.
Hmmm… editing the server configuration will make the client magically start sending correct EAP packets?
- with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)
Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system.
Then there’s likely a problem with EAP. Not with Macsec.
Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
How about trying it *without* macsec? If it doesn’t work, then the problem isn’t macsec. This is a basic “divide and conquer” problem solving skill.
If anyone has a good starting point to continue debugging further I'm all ears.
Read the debug output? Post *all* of it here, so that the experts can read it, and explain it to you? Alan DeKok.
Hi Alan,
On Feb 26, 2015, at 3:29 AM, Krause, Kilian <krause@tik.uni-stuttgart.de> wrote:
Yet, we do see: - with PEAP: ... Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Badly formatted EAP Message: Ignoring the packet
That should be pretty obvious.
This is a textbook case of what *not* to do. i.e. Post *part* of the debug output. Ignore the error message. It can’t be important, right?
If there would have been anything above that would have looked like an error, I'd surely have copied it here. For now I was hoping this is sort of a FAQ (well, probably MACSEC is still somewhat too new to be actually widespread enough and call this question "frequent") and there might be an easy and short way to fixing this.
This seems to be identical whether use_mppe is set to 'yes' or 'no' in modules/mschap.
Hmmm… editing the server configuration will make the client magically start sending correct EAP packets?
As you may see here, I'm not yet fully understanding which part of the state machine between server and client is stopping where. It may or may not be the FR or the client or the EAP. I just don't know yet. And exactly that is what I'm trying to find out first.
- with EAP-TTLS just an empty EAP-Key-Name/reply:EAP-Session-Id (in sites-enabled/default)
Even though EAP-TTLS is sending an Access-Accept I don't get the AnyConnect supplicant to be happy about it and the auth is stuck in an authentication loop without actually getting connectivity to the system.
Then there’s likely a problem with EAP. Not with Macsec.
Ok. Then we should look at that first I guess.
Since all of the relevant howtos I could find on the 'net either cover only the switch config alone or a combination of switch and Cisco ISE I'd like to raise the question whether anyone around here has gotten a similar setup up and running already.
How about trying it *without* macsec? If it doesn’t work, then the problem isn’t macsec.
Above you say that the problem isn't with Macsec. And trying without works just fine. The switchport and the vlan is working flawlessly.
This is a basic “divide and conquer” problem solving skill.
If anyone has a good starting point to continue debugging further I'm all ears.
Read the debug output? Post *all* of it here, so that the experts can read it, and explain it to you?
See http://fex.rus.uni-stuttgart.de:8080/fop/cEx9dqNJ/logs.zip and explain it to me then. TIA! Best, Kilian
On Feb 27, 2015, at 3:43 AM, Krause, Kilian <krause@tik.uni-stuttgart.de> wrote:
If there would have been anything above that would have looked like an error, I'd surely have copied it here.
i.e. you’re asking for help, but you’re an expert, and know which things are important and which aren’t. Uh… no. If you’re asking for help, then you shouldn’t argue with the experts. It’s conceited. If you’re an expert, you should be able to solve the problem yourself.
Hmmm… editing the server configuration will make the client magically start sending correct EAP packets?
As you may see here, I'm not yet fully understanding which part of the state machine between server and client is stopping where. It may or may not be the FR or the client or the EAP. I just don't know yet. And exactly that is what I'm trying to find out first.
You really think that the *default configuration* of FreeRADIUS is to break EAP? And that editing the mschap configuration will un-break it? What a bizarre idea. For the record, the client is broken. It’s garbage. It doesn’t implement EAP properly. A small amount of critical thinking would get you there.
Above you say that the problem isn't with Macsec. And trying without works just fine. The switchport and the vlan is working flawlessly.
Did you try with *EAP*? I presume not, otherwise you’d get the “malformed EAP message” again.
See http://fex.rus.uni-stuttgart.de:8080/fop/cEx9dqNJ/logs.zip and explain it to me then.
<sigh> Zip files are annoying. It means you’re forcing people to go through an extra step. There’s nothing like making it as hard as possible for people for people to help you. And when I look at the logs, I see that you’ve gone out of your way to butcher them. Why? You’ve removed the exact information I need to help you. Since you think you’re a genius, you can fix the problem yourself. I can’t help people who don’t want to be helped. Go away. Don’t come back. Alan DeKok.
And when I look at the logs, I see that you’ve gone out of your way to butcher them. Why? You’ve removed the exact information I need to help you.
So you want us to help diagnose EAP issue, but have removed all the EAP data? That's a special kind of special. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi,
And when I look at the logs, I see that you’ve gone out of your way to butcher them. Why? You’ve removed the exact information I need to help you.
So you want us to help diagnose EAP issue, but have removed all the EAP data?
Well, I was still hoping that I'd not need to rip apart my entire testbed config. Now I've removed any production configs so here's the full log with just dummy login data (so that I have permission to post full details to a public mailinglist). The AnyConnect NAM module client EAP profile is attached. The switchport on the 3750-X is configured as: interface GigabitEthernet1/0/1 description MACSEC client port test switchport mode access authentication event linksec fail action authorize vlan 465 authentication order dot1x authentication port-control auto authentication violation protect macsec mka policy downlink dot1x pae authenticator spanning-tree portfast end (both of which pretty much go along the default cisco config guides). FreeRADIUS log for TTLS resulting in EAP-Key-Name = "" looks like this: -(snip)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/nksvpn including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/control-socket including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client ar30a-y1t-s5 { ipaddr = 172.18.198.32 require_message_authenticator = no secret = "..." nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "1234" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/freeradius/freeradius.sock" } } ... adding new socket proxy address * port 60291 ... adding new socket proxy address * port 54640 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/freeradius/freeradius.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=179, length=189 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0201001e01616e6f6e796d6f757340756e697374757474676172742e6465 Message-Authenticator = 0x310082a7764857d8fc1b4627379528d3 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 179 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afb7c52e0195bd1096fdf3655 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=180, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020200060315 Message-Authenticator = 0x81bb5b45fb18e1d020e45c97b7f52b49 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afb7c52e0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 180 to 172.18.198.32 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afa7d5ee0195bd1096fdf3655 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=181, length=309 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02030084150016030100790100007503012852a20547b500b7f68ef9d12f94962911f02b9bef08352b7cf3c5b378604e44000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0x586d094023b3133cfbe8bb88d8db5a54 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afa7d5ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0079], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0724], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 181 to 172.18.198.32 port 1645 EAP-Message = 0x0104040015c0000009c0160301003902000035030154f0e94fe7a83b762d5667ec882bbfd0f06fd3b2d7ec8535f098b1bf25f8a43b00c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8af97a5ee0195bd1096fdf3655 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=182, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020400061500 Message-Authenticator = 0x5dc3a2d8909ccccd8d90f283d7ace0a9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8af97a5ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 182 to 172.18.198.32 port 1645 EAP-Message = 0x0105040015c0000009c01d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d06 EAP-Message = 0x03551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d EAP-Message = 0x7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584 EAP-Message = 0xda860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c0002470300174104717306adc73ae2116704979ca012a0f24e3f1c5a663f1337d0876fef21f49fda2d925793bdd86a53aee79fa992bb5867afc8933b06cde83f4b40c884cfcfc88602003512e658ad4b977080325920eef0c3097430c0a576b56392c375d2e6827846f17cb83d60ca1b7366e5 EAP-Message = 0x1f91362636c010688ed0fe86 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8af87b5ee0195bd1096fdf3655 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=183, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020500061500 Message-Authenticator = 0x5f80016ee1ea7aba8ec45ec2ed178c6d NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8af87b5ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 183 to 172.18.198.32 port 1645 EAP-Message = 0x010601de1580000009c07c9d859cae70d8328c134b9fda8e137f6ec1c905d5be1dd040a05d0f5d575cf34135b7a96ae8904e22eb542f477e2656efd2e01ccadf2e8d1771be619f030a616977456985b76163e5cc34321d39f4bf11861dcdf6ffc8cb7d3e83ce799e12ca3a428eb76447d7684a197f6070e57255a414c26b026e0e5c772fceaca1619b5a8c1c1f25ec3bd8648b1d0985ada3e90d499f12b80bf3023f61c5599e89874facb03f90cb0bde981def4a3c6c2e8bf2635948281d59a0665a4f8ebed8a4e875004e8553e1d146278442ed80fa8c80d5694bf207d75e74052bfd22ece2e925a80636bde2f7c127fdd13fe9bb155547b0ccdd5071 EAP-Message = 0xc0bced3abd58bd13e6cbb5e5a7aa65932163b4e0b7a01d27496bc2691b1bd6a7bf02908dcf94d026b2f2fb6713b44d233879b9a7302283d186138a5a5f35c9ddde1a5b70f3ca14d30625404a4b5935f9ce55ef281445070ff13f44353b125978c5ef6869e13e7b2539f8a6edc07bf906237383b0a2e99d97bb3ca5e1cb9e07ba45c5769ac484563b3cd023c873913b7337ea24768110f4874aece2b49aedfdfe429002be68aed02522c49215fe7f3100aa9d17fb4dd9f3a6251e90138716bb6195f6827a4dbf67484f21c1175a3417c909408120b06a766816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8aff785ee0195bd1096fdf3655 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=184, length=317 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0206008c15001603010046100000424104b9b344ce9c80fac0b0e96aa13dc790e0ad7f743a45781697b6af030caf3a8734993a94cf98f6a340fedd7edebe017649fb70c935ea49a0e16fc5be030434f4641403010001011603010030815eac8e8ad4190f3592bf0b2edb5460d9af5ab93eb394e8694eccad4b37b8d3937c04ab91fdc90b8c117a904aafd2fc Message-Authenticator = 0x1c1e7d855458a8d3098fdde3ddf86dc0 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8aff785ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 184 to 172.18.198.32 port 1645 EAP-Message = 0x0107004515800000003b14030100010116030100308f79d0300c835c8b34ed32b1c2b16b6a50cb533f73eac3e836846a31376fc8d0b49d9ec87daef85bf39ffc61139f6877 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afe795ee0195bd1096fdf3655 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=185, length=289 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0207007015001703010020ac062c50d9ede2061baa4d36b348d96df9a5bb540f59059247d70ca88ae9b4d817030100408956d3afb078a498124467d3a3275e14be21441c02a8e1a2140b94290b901d7d00c753c43f2054ac67eb21932538dd9751125125fe701e2135f3c53ac2b85d31 Message-Authenticator = 0x002a15f9b831746e7f863fe263159f15 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afe795ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of test@unistuttgart.de [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0101002e1a0101002910b92948814412ee82da1dd2059e68eda17465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfd4e25fbfd5f86d9adb2c85cd749c1d [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 185 to 172.18.198.32 port 1645 EAP-Message = 0x0108005f1580000000551703010050546db30172f4a30cb78c76bef5907dad160bec9738a88b265033840f78111003c1e87a6255c1051cd178cf5c67e74601a8cf2676d674546fa30010bf35770fe6f6416061b76cd594b6ab40235bb932ae Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afd765ee0195bd1096fdf3655 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=186, length=337 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020800a0150017030100202ebd61605ed88be0d5136ef1c728e9260c15de503954daad14e4ce66c34dbf4f1703010070f672c15cdff050d2f92ff3170d5b373b61589c468b06602e18adfdf305eebffa265838a5ec04485ebbbf005f9e7366c7c617b7a4c4906b8e95a13f2ac54db9b707b07099eec7138579f023ceb269b543b8d241b8d2791c2a87fc9daf3e4aa595f3fc5098e96c4ec1adc448c74b66feca Message-Authenticator = 0x9a0f2af59d90000cebe3c65ae9a7c7c3 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afd765ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201004f1a0201004a31231ab1b20e9e7266dbb6e9793d6d477d0000000000000000caceb4606f5dbb180f2e167ecd8b16831b100fc6904f5d2c007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201004f1a0201004a31231ab1b20e9e7266dbb6e9793d6d477d0000000000000000caceb4606f5dbb180f2e167ecd8b16831b100fc6904f5d2c007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0xbfd4e25fbfd5f86d9adb2c85cd749c1d Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test@unistuttgart.de [mschap] Client is using MS-CHAPv2 for test@unistuttgart.de, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010200331a0301002e533d30313132353741314341354637444534453235414645424435434333383645324639313941393433 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbfd4e25fbed6f86d9adb2c85cd749c1d [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 186 to 172.18.198.32 port 1645 EAP-Message = 0x0109006f15800000006517030100606afa3de81ad95abe95318904055cf5b34717b07bfd90b68e932f300d5e6cf11daa31c36b6b7b1f3848076ecd1a0793d83cfb3ce74484ded2a4e7c44e4ec206b851368a3c83edf6fd3abd20f8b69e7d3a40a3070272901ed4d7db16f5d94d5a37 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfb7e4b8afc775ee0195bd1096fdf3655 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=187, length=273 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02090060150017030100201780eedd3729128221269f3b3b3a7f58a2d89300ef0830e3d7d7145fe7ba5d4b1703010030327c8d83df420fdccb646b16bb250328f6c6350e17b0e64c0567d116e7f7ee75a1793cc01f8be15934d02d13e7cdf5c4 Message-Authenticator = 0x1edda8ae512f59ece1179f98c15d471d NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xfb7e4b8afc775ee0195bd1096fdf3655 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0xbfd4e25fbed6f86d9adb2c85cd749c1d Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [ttls] Got tunneled Access-Accept [eap] Freeing handler rlm_eap_ttls: Freeing handler for user test@unistuttgart.de ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop ++? if (reply:EAP-Session-Id) ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (reply:EAP-Session-Id) -> TRUE ++if (reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> +++} # update reply = noop ++} # if (reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 187 to 172.18.198.32 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "125" Cisco-AVPair = "linksec-policy=must-secure" Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" MS-MPPE-Recv-Key = 0x1a3f17c2d4e9de667dd14ba7b49bc7d9fc0a955ce42e31cdfb0b4440abe6f1f5 MS-MPPE-Send-Key = 0x70ab81030ceb1e3ad83ba5ca90da25d521282d57a85e4d4259ce09beb4fe51bc EAP-Message = 0x03090004 EAP-Key-Name = "" Finished request 8. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 179 with timestamp +9 Cleaning up request 1 ID 180 with timestamp +9 Cleaning up request 2 ID 181 with timestamp +9 Cleaning up request 3 ID 182 with timestamp +9 Cleaning up request 4 ID 183 with timestamp +10 Cleaning up request 5 ID 184 with timestamp +10 Cleaning up request 6 ID 185 with timestamp +10 Cleaning up request 7 ID 186 with timestamp +10 Cleaning up request 8 ID 187 with timestamp +10 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=188, length=189 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020a001e01616e6f6e796d6f757340756e697374757474676172742e6465 Message-Authenticator = 0x76855ce7c1ef8e603926873fe80d2a87 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 188 to 172.18.198.32 port 1645 EAP-Message = 0x010b00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa2002dc0c95b38f2c20d4854 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=189, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020b00060315 Message-Authenticator = 0xc1e04db636efab7c499a294e4c93bfa9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa2002dc0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 189 to 172.18.198.32 port 1645 EAP-Message = 0x010c00061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa30721c0c95b38f2c20d4854 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=190, length=309 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020c008415001603010079010000750301c2f1b4369136f3777bc4e109387787232dd92fdc245c796ee61018c727854d22000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0x1742a2f140bf698a2c1992fce93c1dd1 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa30721c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 12 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0079], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0724], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 190 to 172.18.198.32 port 1645 EAP-Message = 0x010d040015c0000009c0160301003902000035030154f0e958a8444f528782eed87574fea205f03a0358a95b68ea2e07199502a63500c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa00621c0c95b38f2c20d4854 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=191, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020d00061500 Message-Authenticator = 0xc4c35c641864cd84c3093628cef924f9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa00621c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 13 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 191 to 172.18.198.32 port 1645 EAP-Message = 0x010e040015c0000009c01d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d06 EAP-Message = 0x03551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d EAP-Message = 0x7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584 EAP-Message = 0xda860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741045ed75da665b9017435b4038c934abbf5009b4c9f434e0dbeb30cddd33b09a8e60ebaf9f2fbb3db4c6448f4736521d22f6fd8d4799069b9e0a68802e61967d83c0200132563389e87e0d0939a61bc941504e42102ad26102ad7c9ec0262334fe8d5d75fbe837320092c5267 EAP-Message = 0x7ad30d7bf8eaaa6a59cdc965 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa10521c0c95b38f2c20d4854 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=192, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020e00061500 Message-Authenticator = 0x11548231eb4324d6709e5824343e8b14 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa10521c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 14 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 192 to 172.18.198.32 port 1645 EAP-Message = 0x010f01de1580000009c0ddac1d8778aca006f92db8c9b12cf0a3b1728aeeeb14458cd321de258a16854506d2b724202b04d72656c3841d73c78417d2d428525aa458fda37db5f13032ef3d09da5b4ef8cf55930f54c1886e1047c1410f562775ddb0b39bef1c56d2dce25e21c9595361c19c7bb347799cba5bc3640109e4646ba85ad3dae873db1729825d8526af5b6ce008de8cffd161acdb2c335baaf50096eb1c6001e48da87ee9731b8de39364a08a36f1dc69fb143dc91a8b54299f32b9d566f82556d4794e35a522002d8ae2a2eda273552d171c23b373ce1f3bc8fa979ff191ce1dc643ea51bb8232cf65a1b8de03312820c9170e1439f97abc EAP-Message = 0x055efcb625431e5b39e1fbb2e4fd5bda7e8fdc61dcfc2b14ef8650c0e9cd754520f494ba5ed6dcc795bac2c1f8945ea4d5170cb944bf6820d699c4a5c66dc5c6d3d892614ef48b2eeb0b4d39640e313dc453e104608a16b2a83fda6420e64f2f048ced7ea35c331797904c069273e7cff8fb0ebe7e6940a971788e5974f131289298a7a97d582f97c866a343e583592437b7fe850e8a2d00359f40c379b5ff161ee970182c3f10d913b79390a69776b559a85fd7a0cc463a88c565c76063ab51a4fa8ea718481f0441da73c9aecdf5c5eaf02357ee5527f816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa60421c0c95b38f2c20d4854 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=193, length=317 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020f008c150016030100461000004241047f307f7d8f9130a0e34c02298894e3bd6f51525c7c85d8a035965bcd0044bad7e91c12fdd3fdd263ce4890306f361941c4ee8ea2c5e2201bb78f0b1552400dbd1403010001011603010030a2a4f602103e2801aa9a5cf2f19781dc63b9088011136de288eaf1ec89a14ff7cf7a05186d7f0240f8aa7a6d27c64401 Message-Authenticator = 0x321ca3c9bab12081ad1152823138850c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa60421c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 15 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 193 to 172.18.198.32 port 1645 EAP-Message = 0x0110004515800000003b140301000101160301003066454fe53f7ccb6249b2c781509669a56698c3431239e22d750db4784a40f465ce4b7fc7ef593302478ea171eb51a7a4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa71b21c0c95b38f2c20d4854 Finished request 14. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=194, length=289 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0210007015001703010020d41a723e20f08fd833f559bfc02c8d95e82b6db9878674bea608b72dcd5f310017030100407b127a702f6bf9f8798715abdf3a06b99e8494ad2009cd3533868a3ca0f1a86d2d40f34460f0fc2390494ab7684bc86b1831f9da729d0f0632a282218b8fe6fc Message-Authenticator = 0xaf4226d5916ec0201e978f55ced154e8 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa71b21c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 16 length 112 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of test@unistuttgart.de [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0101002e1a0101002910d6ef0301cbc00cff6103ebb5c86581607465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x090ccac9090dd0e190c6fcc2517b50c6 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 194 to 172.18.198.32 port 1645 EAP-Message = 0x0111005f158000000055170301005084bc197827291a3343a677a84740837595f94d9652cd844e62e73fa180aaad7f105dc6e8b3192a3586993d481bc1e80ee96a559dcd7d9b299efd904fbf5f497276650b0cee0b01603615a96e7790092c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa41a21c0c95b38f2c20d4854 Finished request 15. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=195, length=337 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021100a015001703010020944874392600ca218d37dd4e8340f39557384fd2d060582e9f50c4a8831103ec170301007024105b6ba4d7f64a40685b11753d739090b183ab748615101a334e5f06a138bba9cf34f19ae39dd6ef043784c700fc59db759aa8c1f546cff06549be5033a32df868401c06d5c27a6ce31041d6fbcef03b479b6ac42b0458f793cc18e4a33e57f8a56c74ddf6f20c54bce8e665b74616 Message-Authenticator = 0x10cabb6de4f1bde23da154f301913900 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa41a21c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 17 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x0201004f1a0201004a311dfd5207dab8f60e950878b079426b08000000000000000048a5d83eaa13c552bf4eed4ed859f479bf795f9cf8ad98be007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x0201004f1a0201004a311dfd5207dab8f60e950878b079426b08000000000000000048a5d83eaa13c552bf4eed4ed859f479bf795f9cf8ad98be007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x090ccac9090dd0e190c6fcc2517b50c6 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test@unistuttgart.de [mschap] Client is using MS-CHAPv2 for test@unistuttgart.de, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010200331a0301002e533d39433037323344364432423141343843353843334544354334323838453239424437354234444141 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x090ccac9080ed0e190c6fcc2517b50c6 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 195 to 172.18.198.32 port 1645 EAP-Message = 0x0112006f15800000006517030100604804557fe41292cc5ddb41c7d68f1d3f0e7779cacfc23348eaf8900d91d57487bab0bbdfbe809cf5fba67328b954b56646118db9404c13c2d01f3f7fe1604f6301399b95e176f99f120d2ffe283b2cab70f27364bab3ed467d944a04c22d82c3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa20b346fa51921c0c95b38f2c20d4854 Finished request 16. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=196, length=273 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021200601500170301002086c674dd2ffefa8889234702e7a8c8e06d5f9213c48b03ba4e2c0f4f6975f34617030100304ec807b42268cb18c83c767893d28b586714315a19969117ad3f9691358042bdf78b7c5d19e2fe62a757edbecb2bb42b Message-Authenticator = 0x45d412d1a225a1bbda13a465655b1b1c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xa20b346fa51921c0c95b38f2c20d4854 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 18 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020200061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x090ccac9080ed0e190c6fcc2517b50c6 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [ttls] Got tunneled Access-Accept [eap] Freeing handler rlm_eap_ttls: Freeing handler for user test@unistuttgart.de ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop ++? if (reply:EAP-Session-Id) ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (reply:EAP-Session-Id) -> TRUE ++if (reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> +++} # update reply = noop ++} # if (reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 196 to 172.18.198.32 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "125" Cisco-AVPair = "linksec-policy=must-secure" Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" MS-MPPE-Recv-Key = 0x38cb476a152fb9548a6e8a3dd8c81434daa51847991fee6057e2e50df8e35be5 MS-MPPE-Send-Key = 0xf67728f2b63ebde0609ad4454aaeb497fbc28fe626b36f3c012c40f5dc86f7e1 EAP-Message = 0x03120004 EAP-Key-Name = "" Finished request 17. Going to the next request Waking up in 4.8 seconds. Cleaning up request 9 ID 188 with timestamp +18 Cleaning up request 10 ID 189 with timestamp +18 Cleaning up request 11 ID 190 with timestamp +18 Cleaning up request 12 ID 191 with timestamp +18 Cleaning up request 13 ID 192 with timestamp +18 Cleaning up request 14 ID 193 with timestamp +18 Cleaning up request 15 ID 194 with timestamp +18 Cleaning up request 16 ID 195 with timestamp +18 Cleaning up request 17 ID 196 with timestamp +18 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=197, length=189 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0201001e01616e6f6e796d6f757340756e697374757474676172742e6465 Message-Authenticator = 0x6348de93c52371a9fc759d6806f31df9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 197 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1ed8d3f6e25cc3ffac739f7417 Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=198, length=309 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02020084190016030100790100007503017622f9a142432084cd76856e66189134748597535fbcdb94ed3231bdd7c43069000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0x9351c781d5324661757a70de6384969d NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1ed8d3f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 198 to 172.18.198.32 port 1645 EAP-Message = 0x0103040019c0000009c0160301003902000035030154f0e969eb79a220dfb3ee8b751449ac1315d25bffcade44a1b7f7d50e844fc500c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1ed9d2f6e25cc3ffac739f7417 Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=199, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020300061900 Message-Authenticator = 0xce71e8303414b0a99057a2a4b575b414 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1ed9d2f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 199 to 172.18.198.32 port 1645 EAP-Message = 0x010403fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574 EAP-Message = 0x74676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584da860e15 EAP-Message = 0x39435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c0002470300174104d620da594729e91fb5dd14047bf01144bc82b2b6cce056d8ab88630b710a2a5359e42df193f81106bd76cfd2d46a0c30b4c7f2c85ca2306672fd6dc9abc42272020085bc64c68b9224bf7e1cf56db8542f6e94629af3897afceb313e4a9e5952219e1d657d7f83ef8bb392ab359ee9 EAP-Message = 0x8d39d9cc53c2045d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edad5f6e25cc3ffac739f7417 Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=200, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020400061900 Message-Authenticator = 0x5cb3757710a9e1aa840f98a82e0cd4ac NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edad5f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 200 to 172.18.198.32 port 1645 EAP-Message = 0x010501da19009bea571da19c1199373837e252180d6597e0a925ea6b6e65dbf6b44a1b55fb9f89cbd8b6905580c1b0d90404d29d1fb170e1b52a9a9d6f61667f99967745f2195115aaed93b622d1e8a4998789a8045935726cc9405d2da7757f940b5c7eecc445d4099a37978369e6ee69843e183ee779fc2099b002fa94b619b9f51f1e37db4f289aee4f990a2515b5b449df99ac7cdf2c52c9183cf05eaef42acec2109f34d3a7a1e2cd2a1ef9b0ac8f76e531bb2167611ae990f2902a768dd4747a4fe84c2cfbb79e689d64497b8065c87448635201943eeb04d39f8b1754209c78037e50cf5619806cce2f71f55e40e7af4e6c70306cea855a86da EAP-Message = 0x62b5a5f51d575c728e77200cc821911ca0a471cea55af9a7f1e82f6456e072c3372804fac2f37bdc819b3ba5d9577218f5f2d1261fb11473a47c3eb334bb06755b7089f353f55a331f52162546e53d43c472f7ef1e5c054053ab5808e9ab9a4ecc8b410219ee742af25c0ca87ef90a4e1bdbdfc8e2c009a0fd4a039cd1cc8fee81b24213c57d37e2496f55441fdcb40235ccc48af7ff6bbb3502c0a71e25762dd6d6aaf5e342a261abc0bb3451b7df7925f2bac8d52368d948046406b2ff6481607135ecb684ec3665e4c5bc3abb955dfc90090b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edbd4f6e25cc3ffac739f7417 Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=201, length=317 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0205008c19001603010046100000424104c920e896bbdfb7b30714655ff17a0b5f26fca20f71c89b3847654bc60f16226f1c377af37c9941cc4b6bd52e1bec5605d7ef9fcf2f22a58e9c70e26cac5d90d714030100010116030100302d906f12f1aaa192ce35c8698ef5c1e533a66aea1911314665e7e68856e7b993b98701624db7317f7891d7ddd8215065 Message-Authenticator = 0x245c49b0c78d717defad473ea4995519 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edbd4f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 201 to 172.18.198.32 port 1645 EAP-Message = 0x010600411900140301000101160301003009aa5d4cf397842d682fffb1858ce9ea3c66a41b1d97d004f6ccfae16f183cbfbcd52e43881fbe31c76f0b1713e1b148 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edcd7f6e25cc3ffac739f7417 Finished request 22. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=202, length=183 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020600061900 Message-Authenticator = 0xdcc682b2f47b466deb0a7bbf385835e5 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edcd7f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 202 to 172.18.198.32 port 1645 EAP-Message = 0x0107002b1900170301002021ad645902073d2033c2fa10a4b57dcd8a3c3920f23ccef4c5a28f494c7b3f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1eddd6f6e25cc3ffac739f7417 Finished request 23. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=203, length=273 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02070060190017030100201556be55b047693bdf7ac1b410e42b9646e9b88d479c4f5b2544f5ce7d9e3cc11703010030e74b08c5ea2ebdebe3cb70ec39de0b36691903de2eca9725792d43d318f04ce76777955b0986b9c286e4a59762990074 Message-Authenticator = 0x9b6f8a5c745b216a6a50bfdbba7dc115 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1eddd6f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test@unistuttgart.de [peap] Got inner identity 'test@unistuttgart.de' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02070019017465737440756e697374757474676172742e6465 server { [peap] Setting User-Name to test@unistuttgart.de Sending tunneled request EAP-Message = 0x02070019017465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0108002e1a01080029105e86fe5270171c649fe7f47a59cfea9f7465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356ab3c6f49b248f333ecdfdd5 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x0108002e1a01080029105e86fe5270171c649fe7f47a59cfea9f7465737440756e697374757474676172742e6465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356ab3c6f49b248f333ecdfdd5 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 203 to 172.18.198.32 port 1645 EAP-Message = 0x0108004b19001703010040397ebeacf4e455642e30eabd8219feff7872e3b1a8bfd14648f54cefb93dfe0bd84cc1c4a1bb7b18a53a245e87535aec16f4ff5778a61d0424f581a45e824199 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1eded9f6e25cc3ffac739f7417 Finished request 24. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=204, length=321 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02080090190017030100202f4572bb50e17a435043848d867990437567c3f6492396aceeed491eb2a9b8e417030100603e7cae95cdd47e2c3f743414227bf71d16222ecb5916e7259e9afe6e63abdd5689a10ccba4070f4cf89eefcbce73d30a9b55f2cbe473828ba57f8d049525e300fcb4ef8049e7dfb9d627c2c2e2ced9ad4356f77789e3231132a7a6c9b0d2bc80 Message-Authenticator = 0x91e6a98a90553c5c25810947357b2a55 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1eded9f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208004f1a0208004a317f04d58271cddee5b3b9ca7da908a1e4000000000000000092b8ad0318ad8053c26c7d83615c8d71b6b9c82db3a308ba007465737440756e697374757474676172742e6465 server { [peap] Setting User-Name to test@unistuttgart.de Sending tunneled request EAP-Message = 0x0208004f1a0208004a317f04d58271cddee5b3b9ca7da908a1e4000000000000000092b8ad0318ad8053c26c7d83615c8d71b6b9c82db3a308ba007465737440756e697374757474676172742e6465 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x6abbdc356ab3c6f49b248f333ecdfdd5 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 79 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test@unistuttgart.de [mschap] Client is using MS-CHAPv2 for test@unistuttgart.de, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010900331a0308002e533d32443234454533424334363741333242393939363246373841433442363541444135434244463342 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356bb2c6f49b248f333ecdfdd5 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x010900331a0308002e533d32443234454533424334363741333242393939363246373841433442363541444135434244463342 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6abbdc356bb2c6f49b248f333ecdfdd5 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 204 to 172.18.198.32 port 1645 EAP-Message = 0x0109005b19001703010050ae7e8a81d91b5f11d34ba15bd0bab19aba25d742f03341ad33f4f49820c729255b0f8d928130a067432cdce260da9fa2e08aeeabfa72bbbc710ede11cb0c0080d11cdc60e3ed5469a049675d7c6c8e21 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1edfd8f6e25cc3ffac739f7417 Finished request 25. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=205, length=257 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0209005019001703010020124448bbc9d32dc7684cfc084ad76fa4b0f28f4b8c90d5b1d4da59790bbc076a170301002037708ae0e37268260ebbc556d9a3808d960807a3cf7af6731a3ef88c13fa68bd Message-Authenticator = 0x8dc62f26b9cb8cf28f604e372ab31131 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1edfd8f6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test@unistuttgart.de Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test@unistuttgart.de" State = 0x6abbdc356bb2c6f49b248f333ecdfdd5 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++update control { ++} # update control = noop ++[mschap] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "test@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 127 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Got tunneled reply RADIUS code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 205 to 172.18.198.32 port 1645 EAP-Message = 0x010a002b190017030100206d5bcfbdd0061220771b5ff0707bd0b82144de71932c2bcabb08eda4cbb6b789 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8d1ef1ed0dbf6e25cc3ffac739f7417 Finished request 26. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=206, length=257 User-Name = "anonymous@unistuttgart.de" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020a0050190017030100203b456f64e3ca70184d51b4fea6b118d82507cd740db868aaefd3bb3d855beaf41703010020657e7167a49b2260b3b59ea624d86b20e08bb64ccad18849adb7b82c359fe290 Message-Authenticator = 0xb85f02b163b10e348a035b1ee458cc72 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xd8d1ef1ed0dbf6e25cc3ffac739f7417 NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous@unistuttgart.de" [suffix] Found realm "unistuttgart.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "unistuttgart.de" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "125" Cisco-AVPair := "linksec-policy=must-secure" User-Name = "test" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous@unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop ++? if (reply:EAP-Session-Id) ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (reply:EAP-Session-Id) -> TRUE ++if (reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> +++} # update reply = noop ++} # if (reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 206 to 172.18.198.32 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "125" Cisco-AVPair = "linksec-policy=must-secure" User-Name = "test" MS-MPPE-Recv-Key = 0x3c0aab819095f1282469005cc7f2e24e5c37a32a95c8b9b2784f784a881e59a5 MS-MPPE-Send-Key = 0x79674abf7fb0ed91dbec1190e36e9b677236bbaaeef59c63820b22eb0f9b271c EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Key-Name = "" Finished request 27. Going to the next request Waking up in 4.7 seconds. Cleaning up request 18 ID 197 with timestamp +35 Cleaning up request 19 ID 198 with timestamp +35 Cleaning up request 20 ID 199 with timestamp +35 Cleaning up request 21 ID 200 with timestamp +35 Cleaning up request 22 ID 201 with timestamp +35 Cleaning up request 23 ID 202 with timestamp +35 Cleaning up request 24 ID 203 with timestamp +35 Cleaning up request 25 ID 204 with timestamp +35 Cleaning up request 26 ID 205 with timestamp +35 Cleaning up request 27 ID 206 with timestamp +35 Ready to process requests. -(snip)- Thus, both TTLS-MSCHAPv2 and PEAP-MSCHAPv2 result in empty EAP-Key-Name. Best regards, Kilian
Hi Arran, I forgot to add the switch debug part. Here goes: -(snip)- Feb 27 22:13:26.738: %AUTHMGR-5-START: Starting 'dot1x' for client (0015.1751.6ec8) on Interface Gi1/0/1 AuditSessionID 0A000001000005811721DCDF Feb 27 22:13:26.906: %DOT1X-5-SUCCESS: Authentication successful for client (0015.1751.6ec8) on Interface Gi1/0/1 AuditSessionID 0A000001000005811721DCDF Feb 27 22:13:26.906: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0015.1751.6ec8) on Interface Gi1/0/1 AuditSessionID 0A000001000005811721DCDF Feb 27 22:13:26.914: %AUTHMGR-5-VLANASSIGN: VLAN 125 assigned to Interface Gi1/0/1 AuditSessionID 0A000001000005811721DCDF Feb 27 22:13:27.015: MKA-LLI: Start Request Feb 27 22:13:27.015: MKA-LLI: handle: 0x25000582, mac: 0015.1751.6ec8, group: 0180.c200.0003 Feb 27 22:13:27.015: MKA-LLI: Zero length EAP Session ID Feb 27 22:13:27.015: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0015.1751.6ec8) on Interface Gi1/0/1 AuditSessionID 0A000001000005811721DCDF Feb 27 22:13:27.115: %AUTHMGR-7-RESULT: Authentication result 'linksec fail' from 'dot1x' for client (0015.1751.6ec8) on Interface Gi1/0/1 AuditSessionID 0A000001000005811721DCDF -(snip)- Best, Kilian
Hi Arran, I think I've found the part where (at least part of) my problem results from: use_tunneled_reply=yes. Attached is a log with and without using tunneled_reply. Do you reckon that using tunneled reply (which we obviously need to support CUI on eduroam) shouldn't break MACSEC? If so, why are is activating it in the FR default config breaking MACSEC in my lab and what might be a possible fix for this? TIA! Best, Kilian
Hi,
Do you reckon that using tunneled reply (which we obviously need to support CUI on eduroam) shouldn't break MACSEC? If so, why are is activating it in the FR default config breaking MACSEC in my lab and what might be a possible fix for this?
this sort of thing is usually because you are leaking things from the inner to the outer which clash with the NAS's idea of whats going on - eg you are leaking the User-Name from the inner to the outer...thus negating the point of an anonymous outerID - which is what CUI is actually for ;-) to confirm/verify, either dont play with/expose the inner User-Name or set the client to have the same outerid as its innerid (eg classic Windows behaviour) alan
Hi Alan,
Do you reckon that using tunneled reply (which we obviously need to support CUI on eduroam) shouldn't break MACSEC? If so, why are is activating it in the FR default config breaking MACSEC in my lab and what might be a possible fix for this?
this sort of thing is usually because you are leaking things from the inner to the outer which clash with the NAS's idea of whats going on - eg you are leaking the User-Name from the inner to the outer...thus negating the point of an anonymous outerID - which is what CUI is actually for ;-)
Thanks for the hint. I've already implemented a reset of the outer User-Name reply in post-auth to the one received in the outer tunnel request. Somewhat that feels a bit counter intuitive but it was the logical consequence of the howto telling me I'd need use_tunneled_reply for CUI to work at all. I'd love to not use use_tunneled_reply, but so far my tests failed to update the outer reply with the value from the inner tunnel directly. So, how would I be leaking just this info about the "real" user-Name from the inner tunnel alone without use_tunneled_reply?
to confirm/verify, either dont play with/expose the inner User-Name or set the client to have the same outerid as its innerid (eg classic Windows behaviour)
We never exposed the inner User-Name for obvious reasons. So do you reckon it's either CUI or MACSEC working? Can use_tunneled_reply be updated dynamically based upon NAS-Port-Type? I'm also still trying to understand what breaks PEAP-MSCHAPv2 when pulling authentication from AD rather than using local accounts on the FR (the latter works just fine with MACSEC). Best, Kilian
Hi,
I've already implemented a reset of the outer User-Name reply in post-auth to the one received in the outer tunnel request. Somewhat that feels a bit counter intuitive but it was the logical consequence of the howto telling me I'd need use_tunneled_reply for CUI to work at all. I'd love to not use use_tunneled_reply, but so far my tests failed to update the outer reply with the value from the inner tunnel directly. So, how would I be leaking just this info about the "real" user-Name from the inner tunnel alone without use_tunneled_reply?
you can choose which items to copy from the inner to outer rather than just copying the whole lot (update the outer section in unlang)
So do you reckon it's either CUI or MACSEC working? Can use_tunneled_reply be updated dynamically based upon NAS-Port-Type?
you could proxy to a different virtual-server based on the NAS-Port-Type...which could then have different configs
I'm also still trying to understand what breaks PEAP-MSCHAPv2 when pulling authentication from AD rather than using local accounts on the FR (the latter works just fine with MACSEC).
because you are using LDAP to talk to AD and therefore you dont get the plain password as required? use ntlm_auth with the system bound to the AD alan
Hi Alan,
I've already implemented a reset of the outer User-Name reply in post- auth to the one received in the outer tunnel request. Somewhat that feels a bit counter intuitive but it was the logical consequence of the howto telling me I'd need use_tunneled_reply for CUI to work at all. I'd love to not use use_tunneled_reply, but so far my tests failed to update the outer reply with the value from the inner tunnel directly. So, how would I be leaking just this info about the "real" user-Name from the inner tunnel alone without use_tunneled_reply?
you can choose which items to copy from the inner to outer rather than just copying the whole lot (update the outer section in unlang)
I'm trying with the example in sites-available/inner-tunnel and using the update outer.reply. Yet I can see the update happening in the second last request correctly, yet the last requests hits the default (outer) tunnel only and lacks the updated Chargeable-User-Identity attribute again. Is there a good example of how to (successfully) update outer reply attributes from the inner tunnel you could point me to? We've followed https://community.ja.net/library/janet-services-documentation/chargeable-use... which sounded like a pretty straight forward walkthrough.
So do you reckon it's either CUI or MACSEC working? Can use_tunneled_reply be updated dynamically based upon NAS-Port-Type?
you could proxy to a different virtual-server based on the NAS-Port- Type...which could then have different configs
Of course. But duplicating the eap module only for something that should be much easier to achieve seems quite a bit of overkill.
I'm also still trying to understand what breaks PEAP-MSCHAPv2 when pulling authentication from AD rather than using local accounts on the FR (the latter works just fine with MACSEC).
because you are using LDAP to talk to AD and therefore you dont get the plain password as required? use ntlm_auth with the system bound to the AD
I'm only using LDAP to verify the msNPAllowDialin attribute. Not the password. So the authentication is already using ntlm_auth. Once I'll have the CUI working, I can put together a full debug log. Thanks. Best regards, Kilian
Hi Alan, after some more debugging I've found the reason of my PEAP failing with MACSEC: SoH! I've attached the log with and without SoH. Is this a buggy client behavior or is the FR misinterpreting the packet? With regard to getting rid of use_tunneled_reply I don't get the Chargeable-User-Identity to show up in the last (Access-Accept) request. If you see anything I may have missed to get the attribute handed out there, please do point me to it. Thanks! Best regards, Kilian
Hi Alan,
after some more debugging I've found the reason of my PEAP failing with MACSEC: SoH! I've attached the log with and without SoH. Is this a buggy client behavior or is the FR misinterpreting the packet?
With regard to getting rid of use_tunneled_reply I don't get the Chargeable-User-Identity to show up in the last (Access-Accept) request. If you see anything I may have missed to get the attribute handed out there, please do point me to it.
Not sure why the attached logs have vanished, so here goes: -(snip:PEAP with SoH)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client ar30a-y1t-s5 { ipaddr = 172.18.198.32 require_message_authenticator = no secret = "..." nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = yes soh_virtual_server = "soh-server" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822e40 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 35971 ... adding new socket proxy address * port 34413 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=115, length=147 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021500090174657374 Message-Authenticator = 0x928beab47c7c13d806d39e797867faeb NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 21 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 115 to 172.18.198.32 port 1645 EAP-Message = 0x011600061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcd4bdd42446ffd395a7bb16f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=116, length=288 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0216008419001603010079010000750301e25a5a77e01eac5a9a77a6256c6668143107032bfcb2fb2ea76ca94ff3af5ee3000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0xda56d8cc7c7ebc0962c23ee6dd512d27 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcd4bdd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 22 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 116 to 172.18.198.32 port 1645 EAP-Message = 0x0117040019c0000009c0160301003902000035030154f5947f695740f9b09e657ddcdb52cf4acd224da737df3533889577038dd75100c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcc4add42446ffd395a7bb16f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=117, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021700061900 Message-Authenticator = 0x0942be5e680f9361fd3b672fa8fd82f7 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcc4add42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 23 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 117 to 172.18.198.32 port 1645 EAP-Message = 0x011803fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574 EAP-Message = 0x74676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584da860e15 EAP-Message = 0x39435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741045babac7b408546c2e87c22a233c0b8ccf597c77e4c04897add92855c96e87b2d2f9613b52782c533ae66347f774328b283005e87e73316825eff068b17d5352c02003aead46f3d5de78bf7e05b8a66d2a0d21db962db9e01871ff4445693c7da5a132eaaeea85f6229202222a134f9 EAP-Message = 0x4079ace979428146 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcf45dd42446ffd395a7bb16f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=118, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021800061900 Message-Authenticator = 0xbaa29964fe01b08e0e85fcfe53dab543 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcf45dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 24 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 118 to 172.18.198.32 port 1645 EAP-Message = 0x011901da1900ab8d7cbb29abc62ff4d9569ffe1410094442f2c651841eb495307c87e0609d2e8e2a63b9960a0cf88bfdedb9ce1478caccbc7abb86b5cd6901921759ffe44d6ce4747d64b7df9fd1c73782e055dbdb5baab0edfc6ef185da277554fe891cc039bacc2c5bff2633eef3d040c071872b26d71f10bbae8e38e98f6117815d9cf3e8026fcf53b571753b60993efea53e7fd58378202db4e825220ad183bba43002bc007bfc1e7e2d898f9f7466d85a1913320b3cdd5aed123d79c6c7f9311b69a5d7b9bd8ab79cb0297fa380229b06253026fb131e5d697f4feeb3958debbe8074a8fe75b21296386b5c3f666df0c11a40752c587f2dead659 EAP-Message = 0xb7aa544a240651e75ce75fa47205df2759c2bb78aa196b5b68dfd2d0867d03e6fead87cf9f7fa827047b1dc994e6f46634b3011806388d7bfe5f66efa2349ee22ecb9f97ede15f2369098445334b2906a23ef1b69daa63deb20ae01525a55871d9a3545decad567660a5267f403aad3a6c7f778d259208e75e92705873a975f2fc23879a4dc298fd2800ad0590d9d4707acef2308694088c08dd5327c7bb38a955b4c06f9d2b37b5488bd38b2bcb783bdb836121be70e03a33c37f606c6542b9ea73e26a210640a2d22c8b05a0109f3c5cdd60aa16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbce44dd42446ffd395a7bb16f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=119, length=296 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0219008c190016030100461000004241045f59e48b26f3964c81c8cd86d7fb237e290d979b2954dcc7b40aab5c8e1c303bc64ac5e66edbddee9a4a98714fe901bfaf176a30374f377945a50e2483e775171403010001011603010030f136f69cef068f1336096133e8805d50fbc0a4052ab4a586a057ae8841e5ec728601a980526018c0bb8c2d1267e3f8d3 Message-Authenticator = 0xe0a74f62073469b67b023d259b503e9b NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbce44dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 25 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 119 to 172.18.198.32 port 1645 EAP-Message = 0x011a0041190014030100010116030100308f22dae63d39cc06a7c858ba9bc95a5f9a6357d71bdece3de33d6b90ba81a871e1f1f328e87d136072c9879d961b58fe Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbc947dd42446ffd395a7bb16f Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=120, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021a00061900 Message-Authenticator = 0x4ff49831f3d3c18f8c3ae25c3c0e086f NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbc947dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 26 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 120 to 172.18.198.32 port 1645 EAP-Message = 0x011b002b190017030100203a1fa1fede068be34b77a627bf79ece4331c84c8e680fa56f038be9292048d28 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbc846dd42446ffd395a7bb16f Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=121, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021b005019001703010020712017e92240dd4eda7e155e52c8d754751f33898f7004241ca7286a97ec9a5517030100209dd1894242f272d607b5c1ac058964babbc2f4a37e9bf9a83680d4dce24b2af2 Message-Authenticator = 0x4f22c2d143aadbfcb3bdc1307fdece0a NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbc846dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 27 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Requesting SoH from client ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 121 to 172.18.198.32 port 1645 EAP-Message = 0x011c003b19001703010030bac336433016e5b57fd6ad3f31c06a2047549f45033e9d4e05c8ebb1d622c1303d4d59f64e40e9fbf7a085acc4695f8b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbcb41dd42446ffd395a7bb16f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=122, length=252 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021c006019001703010020c361d362beec75836d28cd66ff8c43a6f08455395b16ff14a33e92c1c177554e17030100309d1f880456359376450fc9bb764e62d54e9e93d25727a1f8ba4286857a40d1aaeadef04fa08e087ed2a643fef33ed5b7 Message-Authenticator = 0x242e5e529d9ac60f54f1e9caa298e4ba NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbcb41dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 28 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type 254 [peap] SoH - extended eap vendor 00000000 is not Microsoft [peap] Setting User-Name to test [peap] Processing SoH request SoH-Supported = no FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 [peap] server soh-server { # Executing section authorize from file /etc/freeradius/sites-enabled/soh +group authorize { ++update config { ++} # update config = noop +} # group authorize = noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. [peap] } # server soh-server [peap] Got SoH reply [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x021c00090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x021c00090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 28 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x011d001e1a011d0019103bd5dadecf4690c3042c15623ed0e57774657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d0368273d1e72fe5df8dd5da55aea6a [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x011d001e1a011d0019103bd5dadecf4690c3042c15623ed0e57774657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d0368273d1e72fe5df8dd5da55aea6a [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 122 to 172.18.198.32 port 1645 EAP-Message = 0x011d003b190017030100309802783e3a59d9c56f0b6c3f9206057652857f95b6a456181d91239d2d99935d9b7c0edc627c554d32b9bf8e49c01f1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbca40dd42446ffd395a7bb16f Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=123, length=300 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021d009019001703010020783d86a0a76b549704671f8283e5276a7ae8048a06ec558f0973758fd84ed733170301006031b1499ee0f76154f8d8f7bcf698a701d90df6bc7c98cfc56bcb3123b94e47d3b153cafde228820aa13dc36eee6cb12512e47b2566b66ffe244c1de2da30ac0faf9248f3cc169fc720fee22a3a6b222afad1daf180e5086688116ce93320780d Message-Authenticator = 0x2ea4d7f854cda09df102cb62d047dd0c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbca40dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 29 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type 254 [peap] Got tunneled request EAP-Message = 0x021d0046fe0000000000001a021d003a316e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x021d0046fe0000000000001a021d003a316e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x3d0368273d1e72fe5df8dd5da55aea6a Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 29 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Badly formatted EAP Message: Ignoring the packet [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 123 to 172.18.198.32 port 1645 EAP-Message = 0x011e002b1900170301002078c06ddf27b6fd9a59447de45007d1fbd3dc0230ce8f8ccb1c56dafa1c877fa9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd5dc4fbc543dd42446ffd395a7bb16f Finished request 8. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=124, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x021e005019001703010020a04bd006cc78e6e1decf8d7867bbc35f8c6b7b6c0c3e1682d002a4dcd781ae2317030100200b7b6d3119ae30f4929cec62ddad8bf67110d9269dd26db2e377f6b663a1b3bd Message-Authenticator = 0x936c2d859e8b42e3502b038b1bb3aee4 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xcd5dc4fbc543dd42446ffd395a7bb16f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 30 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 124 to 172.18.198.32 port 1645 EAP-Message = 0x041e0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. -(snip)- -(snip:PEAP without SoH)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client ar30a-y1t-s5 { ipaddr = 172.18.198.32 require_message_authenticator = no secret = "..." nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822f60 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 60025 ... adding new socket proxy address * port 33159 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=94, length=147 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020100090174657374 Message-Authenticator = 0xcf8f61e19fda9dd8e3084485b0228b9c NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 94 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9b4d4a279b4f533796287c14f130a087 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=95, length=147 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020100090174657374 Message-Authenticator = 0xafb0dd93be1f0cffaaaf221de4045dd7 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 95 to 172.18.198.32 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bb28acbdb91ce7a2572b723f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=96, length=288 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x02020084190016030100790100007503017401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c637000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013 Message-Authenticator = 0xccfb81d4264d77ec23e7aaa52d55f66e NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bb28acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 132 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 96 to 172.18.198.32 port 1645 EAP-Message = 0x0103040019c0000009c0160301003902000035030154f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b00c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763 EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699 EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132 EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3 EAP-Message = 0x82026630820262304f060355 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0ba29acbdb91ce7a2572b723f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=97, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020300061900 Message-Authenticator = 0x2e9d9c56d3626bc077576f071ca511f9 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0ba29acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 97 to 172.18.198.32 port 1645 EAP-Message = 0x010403fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574 EAP-Message = 0x74676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de54325584da860e15 EAP-Message = 0x39435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741049239ef7b5dad25bdccc15f8ffc96e172a71e1b1bfac95d4104dd9d1690ac4284a3896c05f48e7149dd6a70637be6b4cf7d86d3d6367b5bae36c5ddc3afd10de302003499e8e993f66f7c60f0ade1eac13f3cf752f8863c0be1c2610f9bfa4dbf2742e813abeec3b133ef0911179abd EAP-Message = 0x399aab8286647ada Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0b92eacbdb91ce7a2572b723f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=98, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020400061900 Message-Authenticator = 0x9f50561dcab7188f23d46bab5248d97a NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0b92eacbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 98 to 172.18.198.32 port 1645 EAP-Message = 0x010501da1900ab7ac0c1eacb373203d5dd89f7fd4dff3e96c660155171c53db5c062e59b18fad7755d7c74c59af81a54c0df081e8e92a7512523da3a9257432bd93d336fbb74c0b1605d733abd24417f40da6d5da702576b793061b5fe0059f5bd5c21bb302b3301255eec8c68b3c011557f4b47926fcdf83a3b81d31c90af7f04ac19bb683ada446d4388c824ef671ccc17ece411ad95203bdf8eaf9685a899cc914b869ccbd909874c65c323d01fcbe894b6e029d971d8021195143bd6648c358baf06a9144e12985289ae3fe2788ed22fc25890c43fb50727c593a512dde2226fc9dd720a85b13681acd7213f0bfa03e47ba5fb2df2a3af6862ba44 EAP-Message = 0xeedcdf04878099c6fef854ed9514a571f92599447d319dc68ffab977649eab30c785a1cf8ba584c035930da6a2d4cbd7f10a2e322b505dafd201ab975c6a1203e698af1685fb8f330fdfab1f5f2f3248d63fb2c7468af2f59dac1fc505c290b90ae948f0a862a29d9418c04e6bcc059246ebbe50fea5a8a1ed1975f788cf06044dad87e52436b4d35d04621b921caf486494623d8b4b5e1d5b02b8279b3703e60b5efcbaa489894bf2d3b6ef874749697b987bf15d31bf1fa246d0bc72d80555e956edf8d2ff7c4ac33691cbd2eebe60dccd7e3716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0b82facbdb91ce7a2572b723f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=99, length=296 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0205008c190016030100461000004241046a740362e0d616de772c72d41ee5ea386a53be3e206d45b0651521e238a8b7226cf8af3f85aed5878d8a72960291b2199aa1805bce5da3f035ead6f067de8f1b1403010001011603010030b21c85083a266af718d1e69d85719af3a916c5c840e3f17ffdfce8c1fa9c3e85644dd6a1886850ba2196ef6eb28c64c2 Message-Authenticator = 0x2d33ae480ec38fdf618635dba1779b40 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0b82facbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 140 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 99 to 172.18.198.32 port 1645 EAP-Message = 0x010600411900140301000101160301003090b81f39df590362caf2d99dfe9fe368235406a26c5c6eb4818d890c785e40361beb223f2639a968c9b7dd6d2ac51101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bf2cacbdb91ce7a2572b723f Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=100, length=162 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020600061900 Message-Authenticator = 0x16572769069b79c9ba629f078a6d1e6a NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bf2cacbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 100 to 172.18.198.32 port 1645 EAP-Message = 0x0107002b19001703010020b31358b537b7134e57360dcd37eae6c2d38196d58b611edec302fa3fec68d2df Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0be2dacbdb91ce7a2572b723f Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=101, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020700501900170301002018a664b19a325ea049be4c621e8049cfd4426244ca5c959a65a73588b34abb4b1703010020c37fbc749595c99a78ce484d6f1db9650b66645dcf7fb2f5840f5b61cb3748aa Message-Authenticator = 0xc8b6fc92af307b8e8ca068d23965cb51 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0be2dacbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020700090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a010800191084ba62722c03c483a91352c175f1529a74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ef6732709c3b87ea131e257 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a010800191084ba62722c03c483a91352c175f1529a74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ef6732709c3b87ea131e257 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 101 to 172.18.198.32 port 1645 EAP-Message = 0x0108003b190017030100306026b403c13a55239766d3fadfc4a98dbabf1fc11a639a64c85d2cf3560ec75a3531c2f5de861846995088eafdac1abf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bd22acbdb91ce7a2572b723f Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=102, length=284 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0208008019001703010020b92988ae427d6241a55df5ecc6399406855790402a55c456b90c855c20f97fc71703010050ca8b6f23a8e3550b072d3ba37051e12f40abfc7dbce03d6457aadad81c4800de2b7bcca9efd6d3bd85f593263532176a1fc3b26084752dd271021a523cddd79456560c499314b05c79168d3d75aa47ef Message-Authenticator = 0x8affbffffe30400d59c4008936563b33 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bd22acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31a48840d1a1de4d77d87cb99559c6573e000000000000000047cb2e79d82abd625e4009b419a149727c649c1481dc49130074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31a48840d1a1de4d77d87cb99559c6573e000000000000000047cb2e79d82abd625e4009b419a149727c649c1481dc49130074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x0efe69570ef6732709c3b87ea131e257 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d45374337383938423944303331353531304534323842383635324336373830433431384230373645 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ff7732709c3b87ea131e257 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d45374337383938423944303331353531304534323842383635324336373830433431384230373645 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0efe69570ff7732709c3b87ea131e257 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 102 to 172.18.198.32 port 1645 EAP-Message = 0x0109005b190017030100505d1a5a1287bc8a2e9d94aaa3eb4e89db49e3afead1d6bfee2303378554aae9bc65c7678f104be1be2cb9831ff282efba9eaf6440be14992bcca1be885b15a0011675bb686dff0e79e1de15ab3f34db28 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0bc23acbdb91ce7a2572b723f Finished request 8. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=103, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x0209005019001703010020fdfdcbe62f4be282f11da86e1a120de98815b0fc7ba7dcedeba9ebffe2e228a01703010020abbbb9d0d4c938049351af3bfa3950a2c86dece773cb047c260cc7a469fc9b91 Message-Authenticator = 0x5571d4907711c404122993abfe28206b NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0bc23acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0x0efe69570ff7732709c3b87ea131e257 Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" NAS-IP-Address = 172.18.198.32 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 103 to 172.18.198.32 port 1645 EAP-Message = 0x010a002b1900170301002065bf7fda742db5bef2bc180d98a0cad8ae421ae976ff065e10e5a055b7036415 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb2ab5d0b320acbdb91ce7a2572b723f Finished request 9. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=104, length=236 User-Name = "test" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "3C-08-F6-48-9D-01" Calling-Station-Id = "00-15-17-51-6E-C8" EAP-Message = 0x020a005019001703010020fca0a033a16be8e163cf06002f5c82354dcf37a8585a45feb83579bfa09db8bf170301002069f53585cc685ef8d9f83e833001f3e53d5d655d46787c4d53d87c9cad1ab42c Message-Authenticator = 0x0d4dc553d712677f0b5cbc388facbff3 NAS-Port-Type = Ethernet NAS-Port = 50101 NAS-Port-Id = "GigabitEthernet1/0/1" State = 0xbb2ab5d0b320acbdb91ce7a2572b723f NAS-IP-Address = 172.18.198.32 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) ? Evaluating (NAS-Port-Type == "Ethernet" ) -> TRUE ? Evaluating (reply:EAP-Session-Id) -> TRUE ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> TRUE ++if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) { +++update reply { expand: %{reply:EAP-Session-Id} -> 0x197401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c63754f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b +++} # update reply = noop ++} # if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) = noop +} # group post-auth = noop Sending Access-Accept of id 104 to 172.18.198.32 port 1645 MS-MPPE-Recv-Key = 0xacf9fb54eef637d542208e760604e0c0bd8d3d86ab97d6285a841fed54adbd60 MS-MPPE-Send-Key = 0x186ffb2f33e99465cd5f3fb12e063993f2870c0ecea47fb36c822608ea2791fd EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" EAP-Key-Name = 0x197401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c63754f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b Finished request 10. Going to the next request Waking up in 4.7 seconds. -(snip)- -(snip:CUI with use_tunneled)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } client test { ipaddr = 127.0.0.2 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = yes soh_virtual_server = "soh-server" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Loading virtual module cui_authorize Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Loading virtual module cui_pre_proxy Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822350 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Loading virtual module cui_postauth } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 49737 ... adding new socket proxy address * port 59974 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=0, length=116 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x595808a6df0d257c137a38998ee79867 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 127.0.0.2 port 48345 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9327e829e357b5a5436a16c14 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=1, length=343 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020100df1980000000d516030100d0010000cc0301ca8a04aa540107592620c2160bb3f42a71ca744eae937a7f978658051d66c46400005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x327f9bb9327e829e357b5a5436a16c14 Message-Authenticator = 0x75898035e58e5ebf1cf694cd4a1589c9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 223 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 213 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 127.0.0.2 port 48345 EAP-Message = 0x0102040019c0000009c5160301003e0200003a030154f5a9f1fbadff28d111817a7356bb5e640f5877637303569e4a40c74eae7bdb00c014000012ff01000100000b000403000102000f00010116030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d01 EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a EAP-Message = 0x677f7fb69954c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8 EAP-Message = 0xde531e313244d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d4756502 EAP-Message = 0x03010001a382026630820262 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9337d829e357b5a5436a16c14 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=2, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020200061900 State = 0x327f9bb9337d829e357b5a5436a16c14 Message-Authenticator = 0x6888dcbbe8be13f63b3df1c04b6dfd6d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 127.0.0.2 port 48345 EAP-Message = 0x010303fc1940304f0603551d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d EAP-Message = 0x0603551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e69 EAP-Message = 0x2d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de543255 EAP-Message = 0x84da860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741043350173df39886cda2ba626e72d0bb364421fba1ac14e9dc8415ce6fa0cb59cf6b70e8ad3fa5802c4383429ad5b0b766b4fe9518b419d2343cf6f8920b7a77110200076ed54647aa04e0eb8d4e7803d6f2f222476b9674e6568465e7ba8c0e34a6c4cef8499d99e98d23 EAP-Message = 0x3203586c9cf439fa Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9307c829e357b5a5436a16c14 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=3, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020300061900 State = 0x327f9bb9307c829e357b5a5436a16c14 Message-Authenticator = 0x1561f30102839d5ed3a896c12567b963 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 127.0.0.2 port 48345 EAP-Message = 0x010401df1900fa7891981190bf2f119fb40b3416fd090e14f909d165e083ae92734b047cba30c2f8510867efa7124f9a4326f167a31c5e1ab60873d347d5de5c408af0c4cfa4f2c2c362903afe81d259396a1f9e975c2e708d9b5189d9d770b713154cfe3f560c0af05470be922b258b13478e0384c5ff9a5f7f5b6f879db9e6f3971c872ec5cddfe5de8a84f46db338bad448b149eb6c99b66d65f7fababb729531edbe3755d0336e27b29ffa8c4dc29bfca80ff52231948da48fd7b9d6dff3e362d474c5083210964b888339fc806721ca6be613b165a672eb6454b824127b69259f5179fc0b2155bea71ce4d8dcc367f8e40371aedf3ae5bf010c9f EAP-Message = 0x77b4a27e51ecbeeae358d881edac32a3ca3350aa6e00c8b3d085f68984e05a772e08567bffda2463aab7d6962f0333bcbddbf3730ac7855b3ef3363595e45375b294a3af25b05f71694aa716a0b9df5ccd64feede13eedbed6f32a34aeeb06536391bedb7ae65540ea7d90a9016f97b681e067462daa43cce69c9e9fbd9ff3c6f208f424f15b33278a2efedcb42724752bf2bf3e3429d9943a57c217ab6370aa22bac7b0b8a7b21f9a2582987adab826631552fe6d54fb8b5d0737c83a98292a154e82d4768c55698be87264db35b9dbd87410c67c96476c9616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9317b829e357b5a5436a16c14 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=4, length=264 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020400901980000000861603010046100000424104589f028d91f777f472a23572e0aba0709612be1b08b00c37382d019982a382afef0bc2bffbd08baacbfd4ee670c436f119fa9b0d7854205a5e6c14f221152d241403010001011603010030ff55a8bd146331235a47ee466bd285fa6b5a2cb812cbd6226938423e1394a38987a51e9a970d0d0b7e0e2080b1a32a3f State = 0x327f9bb9317b829e357b5a5436a16c14 Message-Authenticator = 0xb6826a8549005cbb13d2a5d93e9ef5bf # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 127.0.0.2 port 48345 EAP-Message = 0x010500411900140301000101160301003020c85b82b0cdd61ffd9d232b616ef15501eecdcdc9a2e638f53272c3b4c35fdd3706f7e2ff607d3f62c4ae312320e0f6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb9367a829e357b5a5436a16c14 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=5, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020500061900 State = 0x327f9bb9367a829e357b5a5436a16c14 Message-Authenticator = 0x2a17af58815712ca7799486235a92194 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 127.0.0.2 port 48345 EAP-Message = 0x0106002b19001703010020796f17cf42b173edbcd5c862efda9644b27249be5bd78eaa15d51a0d81b142b8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93779829e357b5a5436a16c14 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=6, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0206005019001703010020aaced0418f9e6417d8b95954962ddb186629d82d0d8e48beeb27c1e9e56a4a9b17030100201d39a2a010f2500aea7914b27e981cdc89444fe1c0119fa44c3478f9cfa16036 State = 0x327f9bb93779829e357b5a5436a16c14 Message-Authenticator = 0xdff535226abc38dcd6fbf58b691496b0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Requesting SoH from client ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 127.0.0.2 port 48345 EAP-Message = 0x0107003b19001703010030385a62c266b4e84f5d7314abe491ed7337b994237ac4924d1b7a3711a67fe2cb2968fefa0a866d2fed02ec5419a88053 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93478829e357b5a5436a16c14 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=7, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x02070050190017030100202b9d5178effeb43bf275a261b88440e9c8f7339b32c61ec34258e6e8d8d180bf1703010020c031353e552be39b85f17d864810468242c50424853dc6f49e5f80708ff9d5b8 State = 0x327f9bb93478829e357b5a5436a16c14 Message-Authenticator = 0x3aa4730e7f8cf83347b70b810447761d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type nak [peap] SoH - client NAKed [peap] Setting User-Name to test [peap] Processing SoH request SoH-Supported = no FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" [peap] server soh-server { # Executing section authorize from file /etc/freeradius/sites-enabled/soh +group authorize { ++update config { ++} # update config = noop +} # group authorize = noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. [peap] } # server soh-server [peap] Got SoH reply [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020700090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a0108001910447ffc937bb419ef8d909103306fa47474657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f5fc994d57120af492298399 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a0108001910447ffc937bb419ef8d909103306fa47474657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f5fc994d57120af492298399 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 127.0.0.2 port 48345 EAP-Message = 0x0108003b19001703010030cbd22509077e7f0738f486fe3b48f54b28395fdfcf38bfb08d7297a73ae86d66f6bcda9f0371005bd03911234fdd79c9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93577829e357b5a5436a16c14 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=8, length=248 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0208008019001703010020d17355b4f52a17aab27bcd9516dbf9aaa53c31ae42a062c31d548933b5f5d5d7170301005068f143add5db659dc0eef2e44bdaa9431a341c1ef520812a57513effdab568fb7c2a4ce9094161b3ac8ef8e0f756b7f12c5c91feebf5d7bf03d81e2ac0996d1185420363e0be1530f79c0200d443f08a State = 0x327f9bb93577829e357b5a5436a16c14 Message-Authenticator = 0x097a2b9db2824b1513e6c0d123798106 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31fd9a39d29b1c1c3b1824248ba4b4376d0000000000000000ec5c20d426f710215334d3f7055202c3562c4c8bcd8b385c0074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31fd9a39d29b1c1c3b1824248ba4b4376d0000000000000000ec5c20d426f710215334d3f7055202c3562c4c8bcd8b385c0074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xf5f48388f5fc994d57120af492298399 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d31363833413530383845423132443942413842433430374539383245433845383541414344324631 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f4fd994d57120af492298399 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d31363833413530383845423132443942413842433430374539383245433845383541414344324631 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5f48388f4fd994d57120af492298399 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 127.0.0.2 port 48345 EAP-Message = 0x0109005b19001703010050d2b789718fcffbb9b674b1b69efe450b340e44e565663a223cbe31748804495e229923ad790f976fcc3cf03ff97135ee6111f49775c0ab5e3e97e9a344194b5573465a1fd499760bfc84e31e06c28207 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93a76829e357b5a5436a16c14 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=9, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0209005019001703010020143d851aff8ba8edda8f418f7cab68b6d96eaa43b450a21b5d72972d32ca01e0170301002041fbab48b6aefd1744b4b3b9b02f14fb3819ddd9ee38f967206781fb058864e7 State = 0x327f9bb93a76829e357b5a5436a16c14 Message-Authenticator = 0x8aba2461edf6d7465a8b18632ef4cdf9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xf5f48388f4fd994d57120af492298399 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +group post-auth { ++policy cui_postauth { +++? if (FreeRadius-Proxied-To == 127.0.0.1) ? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++if (FreeRadius-Proxied-To == 127.0.0.1) { ++++? if (outer.request:Chargeable-User-Identity) ? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE ++++? if (outer.request:Chargeable-User-Identity) -> TRUE ++++if (outer.request:Chargeable-User-Identity) { +++++update reply { expand: test%{User-Name} -> testtest expand: %{md5:test%{User-Name}} -> 05a671c66aefea124cc08b76ea6d30bb +++++} # update reply = noop ++++} # if (outer.request:Chargeable-User-Identity) = noop +++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # policy cui_postauth = noop ++update outer.reply { expand: %{reply:Chargeable-User-Identity} -> 05a671c66aefea124cc08b76ea6d30bb ++} # update outer.reply = noop +} # group post-auth = noop } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to 127.0.0.2 port 48345 Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" EAP-Message = 0x010a002b190017030100205c705bc6233aadd22c12d903313e62e73d03df9b06bd6014b4f0035496d6503b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x327f9bb93b75829e357b5a5436a16c14 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=10, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020a005019001703010020fefd838dfd4ce0af03b1937450f77bc5b42b6a51a2eb2b13d4c2b86ad4a9cd341703010020d9380f0721001bc78a4e0db195a850084989147c97ed73847723ca8c01dd6b8d State = 0x327f9bb93b75829e357b5a5436a16c14 Message-Authenticator = 0xb2384825a42489e30bbe8e57aecbdc2d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) ? Evaluating (NAS-Port-Type == "Ethernet" ) -> FALSE ? Skipping (reply:EAP-Session-Id) ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> FALSE +} # group post-auth = noop Sending Access-Accept of id 10 to 127.0.0.2 port 48345 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" MS-MPPE-Recv-Key = 0x2e4a9f0cd8626d474e58aad77fceec68cf3b758b43fd8822c565a5ac0634dc28 MS-MPPE-Send-Key = 0x9d2033bd45afc4a0ab7c6b34877c6738236104e245e9006fb464d44ade3ac38c EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 10. Going to the next request Waking up in 4.9 seconds. -(snip)- -(snip:CUI without use_tunneled)- freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/tls_log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui_log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/inner_log including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/asa_log including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/nksusers including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/soh including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 5 cleanup_delay = 5 max_requests = 2048 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } realm LOCAL { } realm NULL { } realm unistuttgart.de { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "..." nastype = "other" } client test { ipaddr = 127.0.0.2 require_message_authenticator = no secret = "..." nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file £Ýç? modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 4096 dh_key_length = 1024 verify_depth = 3 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key" certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt" private_key_password = "..." dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = yes soh_virtual_server = "soh-server" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_challenge { attrsfile = "/etc/freeradius/attrs.access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_challenge Module: Linked to module rlm_always Module: Instantiating module "handled" from file /etc/freeradius/modules/always always handled { rcode = "handled" simulcount = 0 mpp = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Loading virtual module cui_authorize Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Loading virtual module cui_pre_proxy Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "server1" port = 389 password = "..." expect_password = yes identity = "CN=..." net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt" require_cert = "demand" } basedn = "DC=rus,DC=uni-stuttgart,DC=de" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectClass=inetOrgPerson)" auto_header = no access_attr = "msNPAllowDialin" access_attr_used_for_allow = yes chase_referrals = no rebind = no groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x822350 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Loading virtual module cui_postauth } # modules } # server server soh-server { # from file /etc/freeradius/sites-enabled/soh modules { Module: Checking authorize {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } ... adding new socket proxy address * port 53498 ... adding new socket proxy address * port 35227 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=0, length=116 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0xc1d8c1f9918fe9f74d3e7f0652520b47 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 127.0.0.2 port 46747 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29847a6bb36a3141a09bb27535f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=1, length=343 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020100df1980000000d516030100d0010000cc03014e5372569e41097f511647c09e8f8a82ae426474b808ce1b7353ae5af2e385b600005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101 State = 0x47a7a29847a6bb36a3141a09bb27535f Message-Authenticator = 0xcd9e4c715d9cab478d82437f863bf8b2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 223 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 213 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 003e], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0724], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 127.0.0.2 port 46747 EAP-Message = 0x0102040019c0000009c5160301003e0200003a030154f5a9cfded1c635e5d68dd42f9b1299be58d8c967cef9e796ddbcd1eb5f80ea00c014000012ff01000100000b000403000102000f00010116030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d01 EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a EAP-Message = 0x677f7fb69954c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8 EAP-Message = 0xde531e313244d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d4756502 EAP-Message = 0x03010001a382026630820262 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29846a5bb36a3141a09bb27535f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=2, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020200061900 State = 0x47a7a29846a5bb36a3141a09bb27535f Message-Authenticator = 0xff7ec8eca5b28ca4c328ab0c59f3d41d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 127.0.0.2 port 46747 EAP-Message = 0x010303fc1940304f0603551d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d EAP-Message = 0x0603551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e69 EAP-Message = 0x2d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274304906082b06010505073002863d687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101009aff2a6046905b4a635511ff085b5c7f89cc0c99fabe06ed7ebe9e602db871ba0e764aaac767ec41521531232f34c4a73b98b2cae28bc8915ea3aff909e72651b7277d1a20b78dffcb18b9bb599d3a37fb13bf5d9d8497f0e07ae7a646b2f5f4637c255f3283343635791197dadd597584a2118f96d370de543255 EAP-Message = 0x84da860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741040d5ab8d92cc943c20461b24109474096cb9cb046603bded117a3fbaa550064d179ac857278a13d3c99a6e910a07cff4bdba05f0b0a2dba4ef1bae09a45ec01450200a757ff1882ea9f267e2687abe6bd0b7a1678e9395314285c173ccee3c57bc2044a0be32b213c9430 EAP-Message = 0xb86c9bfedba48fc3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29845a4bb36a3141a09bb27535f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=3, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020300061900 State = 0x47a7a29845a4bb36a3141a09bb27535f Message-Authenticator = 0xf178932508d31a8e7ee7dfa71734d78c # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 127.0.0.2 port 46747 EAP-Message = 0x010401df19003eacb85bdc7ad59cf2ab0898347620842bc010ca4e35da72a99bd91ddbf23ad77cac9a28d0f35aa9c2937c132c79f0b368bd46a80aa0e3229a85169f889322553b18d046303558def383d661ce9cc5b52588b6bc80019adcf9ec5b4458f52357349dade5c2c7b07a1b7f545553c8b9aa819e3ab50bb00ce839ce6f8e5714558cbd6796c7026a9b52ee7d3fa17cf22753eee4ffc652055df0fc073d4590cd3f52c29ff731f13af5271e6a976bf58ab92bdb699fbb9cebc3b7f2856c8612c8b4fae51b526e091e747d8d2b13fdf62bc09dd52a73cf48c25f6cd3f07972824b82010981c62c7961288b59e89c6270ee6967ac46c63931cdf6 EAP-Message = 0xd39cf8db89498fe9e450008d7c2878cb4af1b11760a30edaa8afeb4f361e8240a1a2f69a7d1faddd0ce9e5773774f6c4a08869fbb53c2dbca08fcad63ef5cfbe64dfb76705409a0db515962a719381e1e0a9526b9b6e30d95fd18674b3ea03c16cef14165c839e20a32d16a191916691c51510d120bfaccad741435a37c892f1724b1d4f63ce75b54485568540670567a8aa5a78675b23fd334d0095f64c02187c7653c797ed42ff581efc6f3144204fe74c8acc2c1a629a04851282285dc6acb0888ba747fa7a957f7a5d1277fd3c45229e15c10d5d5a3d5d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29844a3bb36a3141a09bb27535f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=4, length=264 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020400901980000000861603010046100000424104a53cd65b9d4c9b62ba16fed564a7073a1d0940bc94df4f19bbc71f12dc25e4ab97dce539002a220a5b162f9ea6d731e9352c295fc6cc1dae070fee40e8716dbb140301000101160301003049714ea65b278e5ab8e12a1efc49b51c54a8bf71c73181f5d9ff7d4462eda3e94feecc34d12036061efd9523aea20cc2 State = 0x47a7a29844a3bb36a3141a09bb27535f Message-Authenticator = 0x5d2cedfdfc76d9ddc3edefc72f5697db # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 127.0.0.2 port 46747 EAP-Message = 0x0105004119001403010001011603010030ced84c9f8f7661ff4ba1aa6d2a12e97e81dd732a62986264024bcc2b3a59de6183284c44093187250018a1d60d2f668b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29843a2bb36a3141a09bb27535f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=5, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020500061900 State = 0x47a7a29843a2bb36a3141a09bb27535f Message-Authenticator = 0x9390873444c6efd79f22cc756e0aca74 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 127.0.0.2 port 46747 EAP-Message = 0x0106002b190017030100201ffd3457ccf3c8c3f7391b3b213ca493cb4f1d0fd56d65e1ae675eebc0bcd5e9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29842a1bb36a3141a09bb27535f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=6, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0206005019001703010020628e42e32a5eecb574db53436501efe8f62bfbf269019acf64874644c064a9131703010020993efe26ff0ae8e9b30d8aad412b28fb868621a64d7b73ac1678bce52eee6487 State = 0x47a7a29842a1bb36a3141a09bb27535f Message-Authenticator = 0xee04c891296aec22b84cd3f09ddf0023 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - test [peap] Got inner identity 'test' [peap] Requesting SoH from client ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 127.0.0.2 port 46747 EAP-Message = 0x0107003b1900170301003018479e6c86733c71a3964c56a1a4b70d68f87f73fe1eb759a4b5908edc0cc98a201d7064cb6c525efc5c9a8e1bc78fa0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29841a0bb36a3141a09bb27535f Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=7, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x02070050190017030100209edbe10bbc7ebad0ac19675bdef35a9a57e54ab1cb9bb7c7075b9882b03c76db1703010020b1a41c440b3f247fb43bd456df9bf28b806df68a3e2ed76df2d514090c4b42e1 State = 0x47a7a29841a0bb36a3141a09bb27535f Message-Authenticator = 0x734a84af43cdba5fcd136e6482be380f # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type nak [peap] SoH - client NAKed [peap] Setting User-Name to test [peap] Processing SoH request SoH-Supported = no FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" [peap] server soh-server { # Executing section authorize from file /etc/freeradius/sites-enabled/soh +group authorize { ++update config { ++} # update config = noop +} # group authorize = noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. [peap] } # server soh-server [peap] Got SoH reply [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020700090174657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020700090174657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a010800191004d013b4340898feb940894e75e41bca74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd7ed46da256bf8042f7c4267 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a010800191004d013b4340898feb940894e75e41bca74657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd7ed46da256bf8042f7c4267 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 127.0.0.2 port 46747 EAP-Message = 0x0108003b190017030100308f813e433eda61a76b72a06a528cafe050a4dcf3846527db9c4ab9819ed216854cd7ed0d98c22c36ac54ef43939d5f62 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a29840afbb36a3141a09bb27535f Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=8, length=248 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x0208008019001703010020737188bad62e44d0d634a0741a3fbf2be5898be0c8d1282629e4e8f22d86221017030100504200e28c7bf4ae7994e38a2b2aa3c35bd802d5e05f9d5b665813bd20c49061371e980503f5ff25d059b51e111b751f45bda3d5fdafe87d20b1eb564a43d7b347a8f1627f7c6dcc3b48b1767e7f5aad85 State = 0x47a7a29840afbb36a3141a09bb27535f Message-Authenticator = 0x4f0d7bce4c38e0e809eb09894f8bee27 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 128 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31bf797748352ee9eba1ff4c7c721fd8820000000000000000a0bda344c23a528656263dc511689f77cc2809f6acdde5180074657374 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x0208003f1a0208003a31bf797748352ee9eba1ff4c7c721fd8820000000000000000a0bda344c23a528656263dc511689f77cc2809f6acdde5180074657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xd7e55c2dd7ed46da256bf8042f7c4267 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: test [mschap] Client is using MS-CHAPv2 for test, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d33323339443539333646393837454134384642353136344332344537373746303641434437454235 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd6ec46da256bf8042f7c4267 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d33323339443539333646393837454134384642353136344332344537373746303641434437454235 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd7e55c2dd6ec46da256bf8042f7c4267 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 127.0.0.2 port 46747 EAP-Message = 0x0109005b190017030100500353f8f7c812c78b8f0248ce22e1f9a232aa0d6d84a42b9491dc5999d119aa40d5ab5d4d4962193e84a824f754dfb25f6438a10795fb78b3b28982f271dfaf88d5bf982f2b74c3ed9db322fb2e113a02 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a2984faebb36a3141a09bb27535f Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=9, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x02090050190017030100202427cc3deb8133ce9e988163efd7fdfd95c7ca1abf8b5fc6cca6e6c6b7ada3e917030100201d6cf9ee3566285549d9fefcc44f4f96eaaf85451313e2db1871a7ad8379dced State = 0x47a7a2984faebb36a3141a09bb27535f Message-Authenticator = 0xb8d7d9b1340fba44b99222a17476f5b5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { [peap] Setting User-Name to test Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "test" State = 0xd7e55c2dd6ec46da256bf8042f7c4267 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" Chargeable-User-Identity = "" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++update control { ++} # update control = noop ++[mschap] = noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry test at line 61 ++[files] = ok +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel +group post-auth { ++policy cui_postauth { +++? if (FreeRadius-Proxied-To == 127.0.0.1) ? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE +++if (FreeRadius-Proxied-To == 127.0.0.1) { ++++? if (outer.request:Chargeable-User-Identity) ? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE ++++? if (outer.request:Chargeable-User-Identity) -> TRUE ++++if (outer.request:Chargeable-User-Identity) { +++++update reply { expand: test%{User-Name} -> testtest expand: %{md5:test%{User-Name}} -> 05a671c66aefea124cc08b76ea6d30bb +++++} # update reply = noop ++++} # if (outer.request:Chargeable-User-Identity) = noop +++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop +++ ... skipping else for request 9: Preceding "if" was taken ++} # policy cui_postauth = noop ++update outer.reply { expand: %{reply:Chargeable-User-Identity} -> 05a671c66aefea124cc08b76ea6d30bb ++} # update outer.reply = noop +} # group post-auth = noop } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to 127.0.0.2 port 46747 Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb" EAP-Message = 0x010a002b1900170301002062204f03a60637a99d252a241d7f3905e63d3285a853906eb95155fe9486e1ed Message-Authenticator = 0x00000000000000000000000000000000 State = 0x47a7a2984eadbb36a3141a09bb27535f Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=10, length=200 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "check_radius" EAP-Message = 0x020a00501900170301002039fb116920fb3139a8cd97a0d24307ea4083e23dd0a74ed263ce72400080bbaf1703010020826cf4e6bd5e35794a7e151ed2810a457026d563b61c692ad5d4c2c5e891aceb State = 0x47a7a2984eadbb36a3141a09bb27535f Message-Authenticator = 0x5ea7b26d7593d52f3b153b0683089900 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++policy cui_authorize { +++update request { +++} # update request = noop ++} # policy cui_authorize = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) ? Evaluating (NAS-Port-Type == "Ethernet" ) -> FALSE ? Skipping (reply:EAP-Session-Id) ++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> FALSE +} # group post-auth = noop Sending Access-Accept of id 10 to 127.0.0.2 port 46747 MS-MPPE-Recv-Key = 0x7c11a8f4ae35bf92ddb6df2e6606ea67079d67b55aa241a7dd0bc485077b884f MS-MPPE-Send-Key = 0x7713dc5356bb73cd722eeefa6dd73ff7e81d8db357d53d8b6ec84e1df4b574c9 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 10. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +1 Cleaning up request 1 ID 1 with timestamp +1 Cleaning up request 2 ID 2 with timestamp +1 Cleaning up request 3 ID 3 with timestamp +1 Cleaning up request 4 ID 4 with timestamp +1 Cleaning up request 5 ID 5 with timestamp +1 Cleaning up request 6 ID 6 with timestamp +1 Cleaning up request 7 ID 7 with timestamp +1 Cleaning up request 8 ID 8 with timestamp +1 Cleaning up request 9 ID 9 with timestamp +1 Cleaning up request 10 ID 10 with timestamp +1 Ready to process requests. -(snip)- Best, Kilian
On 03/03/15 13:19, Krause, Kilian wrote:
[peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type 254 [peap] SoH - extended eap vendor 00000000 is not Microsoft
As far as I can tell, this is illegal PEAP tunnel content, per the MS-PEAP spec (which I followed when I implemented the SoH stuff) If you think this is causing the problem - and I'm by no means convinced - then your client isn't following the only documented, up-to-date PEAP spec, and you'll need to disable SoH.
Hi Phil,
On 03/03/15 13:19, Krause, Kilian wrote:
[peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type 254 [peap] SoH - extended eap vendor 00000000 is not Microsoft
As far as I can tell, this is illegal PEAP tunnel content, per the MS-PEAP spec (which I followed when I implemented the SoH stuff)
Thanks for the quick answer. That's what I sort of expected already.
If you think this is causing the problem - and I'm by no means convinced - then your client isn't following the only documented, up-to-date PEAP spec, and you'll need to disable SoH.
I'll go and ask Cisco what they think. In the meantime I've got a workaround (disabled SoH) for now that I can live with. ;-) Cheers, Kilian
Hi,
[peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type 254 [peap] SoH - extended eap vendor 00000000 is not Microsoft
o, SoH sends SoH to the client... but the client doesnt like it - EAP type 254 - expanded NAK - looks like the SoH takes this response as an actual answer ? alan
On 03/03/15 14:21, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
[peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR SOH RESPONSE [peap] EAP type 254 [peap] SoH - extended eap vendor 00000000 is not Microsoft
o, SoH sends SoH to the client... but the client doesnt like it - EAP type 254 - expanded NAK - looks like the SoH takes this response as an actual answer ?
Well, it expects a response or a plain NAK there because that's what MS-PEAP says are the only valid replies, once you pick apart the state machine. It's probably a good idea to be looser and accept the expanded NAK too, on the FR side; no real harm to it. I didn't code that bit up very defensively :o(
On Mar 3, 2015, at 10:33 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Well, it expects a response or a plain NAK there because that's what MS-PEAP says are the only valid replies, once you pick apart the state machine.
It's probably a good idea to be looser and accept the expanded NAK too, on the FR side; no real harm to it.
It’s not an expanded NAK. It’s a gigantic piece of garbage. The supplicant should be thrown in the garbage. It goes like this: FreeRADIUS does PEAP. Once the inner tunnel is set up, FR sends an EAP-MSCHAPv2 challenge packet. The supplicant responds with an extended type: 0x021d 0046 fe extended type 000000 IETF Private enterprise code 0000001a EAP-MSCHAPv2 021d 003a 31 ???? Another EAP packet with EAP-Type 49, EAP-IKEv2 ??? And then this: 6e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374 The supplicant is a piece of garbage. There is NO REASON to send an extended type packet. On top of that, the contents of the extended type are the actual EAP type data. NOT another EAP packet with EAP header, length, etc. All of this nonsense could have been avoided if the OP posted the debug log as suggested in the FAQ, README, “man” pages, web pages, and daily on this list. But no…making it hard for people to help you is a *great* idea. Alan DeKok.
Hi Alan,
On Mar 3, 2015, at 10:33 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Well, it expects a response or a plain NAK there because that's what MS- PEAP says are the only valid replies, once you pick apart the state machine.
It's probably a good idea to be looser and accept the expanded NAK too, on the FR side; no real harm to it.
It’s not an expanded NAK. It’s a gigantic piece of garbage. The supplicant should be thrown in the garbage. It goes like this:
FreeRADIUS does PEAP. Once the inner tunnel is set up, FR sends an EAP- MSCHAPv2 challenge packet.
The supplicant responds with an extended type:
0x021d 0046 fe extended type 000000 IETF Private enterprise code 0000001a EAP-MSCHAPv2 021d 003a 31 ???? Another EAP packet with EAP-Type 49, EAP-IKEv2 ???
And then this:
6e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90f e0e1496dc5ee88dc54bfc30074657374
The supplicant is a piece of garbage. There is NO REASON to send an extended type packet. On top of that, the contents of the extended type are the actual EAP type data. NOT another EAP packet with EAP header, length, etc.
Thanks! That input is greatly appreciated! I hope Cisco will agree with this PoV though. ;-)
All of this nonsense could have been avoided if the OP posted the debug log as suggested in the FAQ, README, “man” pages, web pages, and daily on this list. But no…making it hard for people to help you is a *great* idea.
Well, I'm trying and learning. And retrofitting new services onto existing configs is never easy. That's why I tried first to attach the logs as individual files to make reading/comparing them easier and not as tedious as having them inline. For some reason the mailing list didn't let them through though. Any hints on why the use_tunneled_reply is needed to get the CUI passed to the Access-Accept? For some reason the default config talks about CUI but doesn't seem to implement it to work without use_tunneled_reply - at least that's what my tests say so far. Do you reckon? Best, Kilian
Any hints on why the use_tunneled_reply is needed to get the CUI passed to the Access-Accept? For some reason the default config talks about CUI but doesn't seem to implement it to work without use_tunneled_reply - at least that's what my tests say so far. Do you reckon?
Kilian, you can update the cui policy manually by editing the policy.d/cui file. Change all 'update reply {' entries to 'update outer.reply {' if you're not using use_tunneled_reply. It *should* update the outer tunnel reply. If it doesn't, run radiusd -X (or freeradius -X on Debian/Ubuntu) and post the *full* conversation of an authentication that does not send a CUI back in the Access-Accept. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
It used to be the case (still is? ) that cisco MACSEC involved EAP-FASTv2 which then involves cisco ISE. Which is why it's not widely deployed yet ;) alan
participants (9)
-
"RESTOUX, Loïc" -
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Chaigneau, Nicolas -
Krause, Kilian -
Phil Mayers -
Stefan Paetow