rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)
Hello friends, I am using Freeradius version 2.2.9. I doubt that module rlm_passwd have some problem handle Stripped-User-Name check when in inner-tunnel mode (PEAP). I tried to use a password file to store my user/pass data. And some config snippet is here: 1. modules/passwd passwd passwdf1 { filename = /home/radius/passwd1 format = "*User-Name:NT-Password:" 2. /home/radius/passwd1 john:************D463009BE761BB******: 3. both sites-enabled/default,inner-tunnel have passwdf1 in authorize { block 4. proxy.conf realm NULL { } realm eduroam.example.edu { auth_pool = my_auth_failover } realm DEFAULT { pool = upperlevel } Test results: 1. PAP with/without domain(realm) PASSED radtest john password radhost 1812 testing123 radtest john@eduroam.example.edu password radhost 1812 testing123 2. MSCHAP with/without domain(realm) PASSED radtest -t mschap john password radhost 1812 testing123 radtest -t mschap john@eduroam.example.edu password radhost 1812 testing123 3. EAP(PEAP) I use eapol_test to test identity="john" PASS identity="john@eduroam.example.edu" FAIL!! log from debug shows: [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: john@eduroam.example.edu [mschap] Client is using MS-CHAPv2 for jsc@eduroam.ntu.edu.tw, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect However, I did more tests: 1. if I put both john:************D463009BE761BB******: john@eduroam.example.edu:************D463009BE761BB******: in /home/radius/passwd1 PEAP with domain(realm) PASSED 2. if I change modules/passwd into passwd passwdf1 { filename = /home/radius/passwd1 format = "*Stripped-User-Name:NT-Password:" Then ALL authentication tests FAILED 3. if I put the user/pass info in users file john NT-Password := "************D463009BE761BB******" Then all the tests including PEAP with/without domain(realm) PASSED. I doubt if there is some problem in the rlm_passwd module? Either it didn't handle Stripped-User-Name well when been authenticated, or it didn't accept the "format = "*Stripped-User-Name:NT-Password:" syntax? Thanks in advance for your help. I have been used freeradius for more than 15 years since version 1.x. I do appreciate your effort to freeradius. Eric Chang
On Nov 11, 2015, at 8:02 PM, Tim Chen <gphoto6@gmail.com> wrote:
I am using Freeradius version 2.2.9. I doubt that module rlm_passwd have some problem handle Stripped-User-Name check when in inner-tunnel mode (PEAP).
Stripped-User-Name is just an attribute like any other.
3. EAP(PEAP) I use eapol_test to test identity="john" PASS identity="john@eduroam.example.edu" FAIL!!
log from debug shows:
What does ALL of the debug output show?
However, I did more tests: ... 2. if I change modules/passwd into passwd passwdf1 { filename = /home/radius/passwd1 format = "*Stripped-User-Name:NT-Password:" Then ALL authentication tests FAILED
What does the debug output show?
I doubt if there is some problem in the rlm_passwd module?
The rlm_passwd module deals with attributes. It doesn't care *what* the attribute is. So there's nothing magical about Stripped-User-Name. If it doesn't work... there's some *other* reason why it's failing. As always, read the *full* debug output to see what's happening. Alan DeKok.
On Thu, Nov 12, 2015 at 10:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 11, 2015, at 8:02 PM, Tim Chen <gphoto6@gmail.com> wrote:
3. EAP(PEAP) I use eapol_test to test identity="john" PASS identity="john@eduroam.example.edu" FAIL!!
log from debug shows:
What does ALL of the debug output show?
Dear Alan, Thanks for your reply. I do appreciate your effort and time. Eric Chang The full log is below: rad_recv: Access-Request packet from host XXX port 51040, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x5bea519b34ddad4362551e19ca0eccfc # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to XXX port 51040 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd8123e6499db674645796856c2 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=1, length=349 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100db1980000000d116030100cc010000c803010163200d2c7a6ef21da46a9647ef50895534b3e10bc1e464132424df97cc886d00005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101 State = 0x123f7dd8123e6499db674645796856c2 Message-Authenticator = 0xcb319b420119b4a7a9213e9ff6b1a53b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 219 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 209 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00cc], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 1411], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to XXX port 51040 EAP-Message = 0x0102040019c00000166716030100310200002d0301564422da43306ee47ebe6f5601eb14c1bae0c47a24db005cc33f370dbb2bd701000039000005ff0100010016030114110b00140d00140a00056d3082056930820451a003020102021047df00000000068f47a297480cbfa807300d06092a864886f70d01010b0500306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f72697479301e170d3135303630383035333333 EAP-Message = 0x355a170d3136303630383135353935395a30818b310b3009060355040613025457310f300d06035504080c0654616977616e310f300d06035504070c0654616970656931233021060355040a0c1a4e6174696f6e616c2054616977616e20556e697665727369747931183016060355040b0c0f436f6d70757465722043656e746572311b301906035504030c12656475726f616d2e6e74752e6564752e747730820122300d06092a864886f70d01010105000382010f003082010a0282010100f1765133c1c57f8c043d22b71804729c7fc2631e0699374d43f8bc3b914c15722dc36020da16d028a4d1890c3a5271b7c1a72e7deea72d37946a1fc6e9 EAP-Message = 0x0b8bd477e6a71ab5353f8f81166fbf6cd4c2d531b677bf273d663603b5a60b265a968a261b0a1b8d5207daaf0bedccc670a7f4ad0e5a05fdd46bffed86abeed89857307cd50b55a4f0843523e57f9555427830d48eef368d037eb3dc685d511659a21ce557a53537c08dc552529ed64da0849833637f3507ebb58788272a526c7d19d8a51fa50f0558490737bb0e45b025c166783b3b1c279fa16c9de9576089c21869f103202b93c5a315b7c80d93b043fb946ab94576c6310f6cdedb721de25f8c6d0203010001a38201e2308201de301f0603551d23041830168014f807c26824ff8595cbdb1ee3339c2a4f9720567b30290603551d0e042204208d EAP-Message = 0x8ae0e0ca30409af8cef50a525ae9b18d6e669ad46cff8f48595468a084089f30560603551d1f044f304d304ba049a0478645687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f73736c7365727665722f53656375726573736c5f7265766f6b655f736861325f323031342e63726c301d0603551d11041630148212656475726f616d2e6e74752e6564752e747730818106082b0601050507010104753073304406082b060105050730028638687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f7365637572655f736861325f323031342e637274302b06082b06010505073001861f6874 EAP-Message = 0x74703a2f2f7477636173736c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd8133d6499db674645796856c2 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=2, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0x123f7dd8133d6499db674645796856c2 Message-Authenticator = 0x4bdbef62f727621c97b76a8046e60e19 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to XXX port 51040 EAP-Message = 0x010303fc19406f6373702e747763612e636f6d2e74772f305b0603551d20045430523050060b2b0601040182bf250101193041301b06082b06010505070201160f7777772e747763612e636f6d2e7477302206082b0601050507020230161a145265737472696374696f6e203d332e322e302e3130090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b050003820101001de810ca6c43b1feecba2817c78c853072af9e8ae8e0a5b6f4fb32b8e84423621eca6282a322434081ee26572c9d99b63246da8083f09b4ae4b3d5 EAP-Message = 0x02c02e30cff30300a17483a98ef819f4eea6cb7711ad9bcfb9dcd8428b99069f6075894fb22ea7a2d2f2bc2111acd6cdf1c803abcc6e642951e5447f9ce3779620e7f39fff05efa5e5697037b57349868aa15cfaab3d2e184907f947d1753709450e663cad3439cf8875102f7d27ad8d5115c79a85075bb988a2c450664414f4a55bd5a16e8b8b4411b3566315c5674d6476a9c8a688f02bdd4984a5c42b086275a537f8dcc62efc4cde6f3590cbd336249300e6e16153de8209d19d77743b566928b95b330005b5308205b130820399a003020102021040013353e40000000000000cc36e888d300d06092a864886f70d01010b05003051310b300906 EAP-Message = 0x035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f74204341301e170d3134313032383037323735365a170d3234313032383135353935395a306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101 EAP-Message = 0x00dbe0fe5153a201a6cf6a8e5da951096a167e4a1412b3114a26281b2f23528bc10dab1855e3a65cf2ed1af5632efab16a22866166ced21cd78f844568bc1333b80e270e466a578c363f8f2f84e8d4dd95290c55009dbd2efa52246be2a78569d1a45331bdffc65888b2c967e1fa55680e7d025c2e03237946b8a2e87678e64153d9d79f462acda6dd9c0450d49069237e03fb86dc9b4edc0116bf147d440bb31b6077b4260b4b9f01956a908683352e9b82d2d6c40531509a2868184d32bc930bf609813d7a680fa7d3f174f8d11e2e3664e11e2fd395ce9bc94678b28769564aadb0ab0bf6d10f92abe906e1550e0e1eb9b19359ae27fd6fe551a7e7 EAP-Message = 0xbc05244502030100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd8103c6499db674645796856c2 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=3, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x123f7dd8103c6499db674645796856c2 Message-Authenticator = 0x82d693f9024081535fc32547099a4d5b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to XXX port 51040 EAP-Message = 0x010403fc194001a382016530820161301f0603551d2304183016801448dbcdde8ee949725a88e8b1d83d07b3b96b6650301d0603551d0e04160414f807c26824ff8595cbdb1ee3339c2a4f9720567b300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30490603551d1f04423040303ea03ca03a8638687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f676c6f62616c5f7265766f6b655f343039362e63726c30120603551d130101ff040830060101ff020100307606082b EAP-Message = 0x06010505070101046a3068303c06082b060105050730028630687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f726f6f74343039362e637274302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b050003820201009e80281ad40477c7e497cb3b7f10c26c9562edcbdfa42c11da641a141a7876e92bfc4b7ebf9a98ee19a31368960c219bfbd5587161da48caf935cdffcd584258f1f218cec7a532d8918491510a8ac5bf4129746dc461e0be03eb6b194a19ddf01a657cc8534701095d95b76d1e72bf2fc32eb36e1d11 EAP-Message = 0x8f7eb3dbd2fdfb2fb9f076ef9630e52fbf5e4ac15fb656523e727ad11185960188b10e6d8d8cadb2302a148c4bf009cca59e7c2c838091f08978d5e03b1b51d9802dea638fd4760ceed62819731447e3a1e0e07aea73c3513ee0ac611328a368e1eac1b3f7704568a63e0d06c4be5fdc1f9ab22adcd9bf3eed2c4b0590a44d92670e7c240fefb7cc9bcfda4e9cf3ca33afc4d274d17303a3163b23eb5277fe97c72effbc9dd56505f89854a0f0d4e5229db2b684ef5757eeb3df55d8da4bb7ddc05fccb00dc38299afeb2ea953f10bbb9dbe5afb9afab0a31df35c1f556258c27725e467b5dcbda0a1acbedb511a15381dd31a7a07804c459dd3b401ff EAP-Message = 0x654d77dfeefc3e6b7d2266ac68994f021f144c117092d6c20a62a6886beb6642dcbc75cbd11d7caaec8763eea865b29ad5e659b147230e812b8fcb2d21df96f102bbc6909b3189e2c3be8d1ff832fb96899b1710c4c73213706480c9cc6b8f93b08af62d2927bc398e6d6fe684c30028705f010bccb6d2c18aeaa04ea46419fe18ee4487e2117f05bb0efbdc6700055d3082055930820441a003020102021040013353e40000000000000cca5d1b69300d06092a864886f70d01010b0500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c EAP-Message = 0x215457434120526f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd8113b6499db674645796856c2 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=4, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x123f7dd8113b6499db674645796856c2 Message-Authenticator = 0x0303cea6372793b2de1f1bc329b4f56e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to XXX port 51040 EAP-Message = 0x010503fc19406f742043657274696669636174696f6e20417574686f72697479301e170d3134313032383037333833315a170d3330313032383135353935395a3051310b300906035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b005dbc8eb8cc46e8a21ef8e4d9c710a1f5270ed6d829c97c5d74c4e4549cb4042b512346c19c274a4315f850297ec43330a53d29c8c8eb7b879db2bd56af28e66c4ee2b010792d4b3 EAP-Message = 0xd002df50f655af660ecbe047602f2b323935523a2883f87b16c618b862d6472591cef019124dad63f5d33f755f29f0a1301c2aa098a615bdeefd1936f0e291438ffacad61027494cefddc1f185709bcaeaa85a43fc6d866f73e93745a9f036c7cc88751ebb6c06ff9b6b3e17ec61aa717cc61da2f749e915b53cd6a161f511f7056f1dfd11bed03007c229b0094e26dce3a2a8916a1fc29145885ce598b871a51519c97c7511cc70744f2d9b1d9144fd5628a0febb866ac8fa5c0b58dcc64b76c8ab22d9730fa5f45a02893f4f9e2282eea274532a3d5327691d6c8e322c6400266361364ea346b73f7db32dac6d90a295a2cecfda82e707341996e9b8 EAP-Message = 0x21aa297ea638be8e294a2166791fb3c3b50967ded6d40746f32adae6223760cb81b60fa00fe9c8957fbf5591057acf3d15c06fde09940183d7341bcc40a5f0b89b67d598913ba784789526a45a08f82b74b400043cdfb8148ee8dfa98d6c6792331dc0b7d2ec92c8be09bf2c29056f026b9eefbcbf2abc5bc0508f41707187b24db704a984a332afaeee6b178bb2b1fe6ce1908c88a89748cec84dcbf306cf5f6a0a42b11e1e772f8ea0e6920e06fc0522d226e131517d32dc0f0203010001a382011d30820119301f0603551d230418301680146a385b268dde8b5af24f7a54831918e30835a6ba301d0603551d0e0416041448dbcdde8ee949725a88 EAP-Message = 0xe8b1d83d07b3b96b6650300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30420603551d1f043b30393037a035a0338631687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f7265766f6b655f323034382e63726c300f0603551d130101ff040530030101ff303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b05000382010100290b6ec494dc EAP-Message = 0x6259937a5a4c5ddc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd8163a6499db674645796856c2 Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=5, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0x123f7dd8163a6499db674645796856c2 Message-Authenticator = 0xe204b5d93312a25ce30bee127754b91b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to XXX port 51040 EAP-Message = 0x010603fc1940993e8ea8fbf9a08f1bd927706df82e5e48696117401089aa03b81ccbdfbc6c28541fc521f54b96bffc4c47ca0b77c3cc667b6fb9360869f9c191ed8fd69ea222e882b789c8aad020e74aac232b2f4ff64f146bf17a45a187c871e7a7a4b9806bc9cecd8a259ccdd309a532fa24d1517f3c319947ea1fa76f6e84cdaed8ae356ad6cbe0be13c1a231cbee1fe926dfb706c60d450ae7ab45571eb7019b31f5f205404586d8021bd04b21db2082e322e94fe35d2bc439121728c6b967b17de1b27c76e53684da745eac38b66bf8eea103c4b0c45c124c6f06da3a4465b636970c1879d04697331fab52a8cede57b4281338b7ac00037f3082 EAP-Message = 0x037b30820263a003020102020101300d06092a864886f70d0101050500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f72697479301e170d3038303832383037323433335a170d3330313233313135353935395a305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f7269 EAP-Message = 0x747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b07e72b8a40394e6a7de0938914a114087a77c5964147bb51110ddfebfd5c0bb56e28525f435720ff853d041e14401c2b41cc33142164785332276b20a6f0fe525504f8586bebf982e10671ebe1105860590c459d07c7810b0805cb7e1c72b75cb7c9faeb5d19d233763a7dc42a22d92041b50c17bb83e1bc956048b2f529bada956e9c1ffada9588730b681f79745fc19573b2b6fe447f49945fe1df1f897a3881d371c5c8fe076259a50f8a054ff44907623d232c6c3ab06bffcfbbff3ad7d9262025b29d335a3939a4364605db2fa32ff3b04af4d406af9c7 EAP-Message = 0xe3ef23fd6bcbe50f8b380dee0afcfe0f989f3031dd6c5265f98b81be22e11c5803ba911b89070203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a385b268dde8b5af24f7a54831918e30835a6ba300d06092a864886f70d010105050003820101003cd5773ddadf89ba870c08546a205092beb0413db92664830a2fe840c097282782304ac993ff6ae7a6007f89429ad611e553ce2fccf2da05c4fee250c43a867dccda7e10093b92352a53b2feeb2b05d96c5de6d0efd36a669e1528857ae88200ac1ea709695642d3685118be549abf4441ba49be20ba695ceeb8 EAP-Message = 0x77cdce6c1fad8396 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd817396499db674645796856c2 Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=6, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0x123f7dd817396499db674645796856c2 Message-Authenticator = 0xe7ed960994f58e17bc9fa05dce1d1925 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to XXX port 51040 EAP-Message = 0x0107029f1900187d0eb5143984f128e92da39e7b1e7a725a83b3796fefb4fcd00aa5584f46dffb6d7959f2842252ae0fccfb7c3be76aca4761c37af8d392041fb82084e1365416c740de3b8a73dcdfc6094cdfecdaffd45342a1c9f2621d22833c97c5f9196227ac6522d7d33cc6e58eb253cc49cebc30fe7b0e3390fbedd214911f07af160301020d0c0002090080f330e182461ac1124f5b50a47f973caee6024b9aca5a451cc1b5e663f16bb9063f4a7b1393c2393e28a59080f9aa96bc7abb8119a7e4eb4692accd80ece3018dabf5f0b5e8124b3e2cb69bdf96f52b26ca06ae45cadc31676bb17115261819095027a73b5151fc761d574fe44ec3 EAP-Message = 0x14452195733585d8170a671a713ee4875e2b00010200804ca495047b0637730e8958821bcbf46f0f5941eb8682d80c45d1523a850dc2074922389764b4b1bac6643bd178a0059162b4dff07356ad8a0db0e0bfa2c3ddb31fec0267fb8e3138a232083a51b22c8fea960a2f29c343b529ddc1db1b3ebcf7c3dc39b09a44e8cf1d1921fcdc8525ac61b9aef53e64289edc19dcc4b8143eee0100647fa8dd614a960a2ee91e81841008c20d248a5970e01f4f3ba488f28d4e7c47f9b92d1a06677dadf6da9266bd56c339d24ba9296f303cab6f7a2751fd5d7d5138e7f98624f242f963d2d4f94f4fedc33930686b4220399a5d72e5ba0a223736ab23c5d7 EAP-Message = 0xca39c5fd57386925decc90043196bfa67f470ef746d859245b74d448ad1e3f0e61d0cbd136ea7f9ac068dfc21cf83e5025546a3c26442a1bc4d4d9899483dec72117e84223d75cfa7d4c3d8b99a9b10679b81969af1552210f67cc3fec9bb1371a829eaef3600a0e0f281038023a33e5dc74f30d79156c39c866e844e90ea6b4b10402a5b5d4ba6a1cda7a79058be2ceb8f0c375b5875a3b5eda676616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd814386499db674645796856c2 Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=7, length=338 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700d01980000000c61603010086100000820080394f119e136d178e3a887856cd7bdd9cb38a8b8c36a5ffff1298f0b98d7a1b7f19c0a03ff3e8ab63e478ac8acd09964ff4962445e5bb13ae89576bd2a61cf277759d277da00002eb2e09749dbe07d9554e680dfa9c00bd0937e45edbe6cbe40994f379d17d71c270541692cc97e813240408531f5b86e87ce165c3d2ca044ea01403010001011603010030b640bc2f88f898b8cf69ec37297ea8108479b7450024adbcf480fde71d4205139f67dc0b9f6992f1b1c84dbf2846220e State = 0x123f7dd814386499db674645796856c2 Message-Authenticator = 0x58d1e79d405942610f0ac057325e0a5e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 208 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to XXX port 51040 EAP-Message = 0x01080041190014030100010116030100307753b8869b19d89771c9ab745f4b05b21d2b383b12e7203ba813998d83b5baf366f28ffb445daea13b54fc90cec2f8ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd815376499db674645796856c2 Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=8, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800061900 State = 0x123f7dd815376499db674645796856c2 Message-Authenticator = 0xb5e70d01b36b4bcf122ad9fa8128cd72 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to XXX port 51040 EAP-Message = 0x0109002b190017030100208dea6279f628c68de5d6ae30fee73441c6b8152b94f652d41139dfa73e548a4f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd81a366499db674645796856c2 Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=9, length=226 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02090060190017030100204bc502c8d5f473259c6b535aed81e8e7510bf09e7d5d4b6318d05312c0e3411e17030100305e3edc75cbb2915808290461c1f860f1edbfcd3ccedd3ddd37bbd0483a03ea7349ee28b698c1907ccf8cc81bcd89ffab State = 0x123f7dd81a366499db674645796856c2 Message-Authenticator = 0xd3af56b3f49bfd8b6e9e17995286bad7 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - john@eduroam.example.edu [peap] Got inner identity 'john@eduroam.example.edu' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0209001b016a736340656475726f616d2e6e74752e6564752e7477 server { [peap] Setting User-Name to john@eduroam.example.edu Sending tunneled request EAP-Message = 0x0209001b016a736340656475726f616d2e6e74752e6564752e7477 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "john@eduroam.example.edu" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.ntu.edu.tw" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.ntu.edu.tw" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.ntu.edu.tw" [suffix] Proxying request from user john to realm eduroam.ntu.edu.tw [suffix] Preparing to proxy authentication request to realm " eduroam.ntu.edu.tw" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00301a010a002b1047559114346c20f8a84a3fefd7765c876a736340656475726f616d2e6e74752e6564752e7477 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x67cd962467c78ced7501359b4f279129 [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x010a00301a010a002b1047559114346c20f8a84a3fefd7765c876a736340656475726f616d2e6e74752e6564752e7477 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x67cd962467c78ced7501359b4f279129 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to XXX port 51040 EAP-Message = 0x010a005b190017030100508c01aa75460100bb89de92c1823aa6673a02fc2ba20c6bb96d0264d0cc5abd7953d841c86dac72f5b18578e8df00da8ecd8bae3aa9878a5cf06838229159235c253bfbd61aea4599fd7a5ad205b6fb67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd81b356499db674645796856c2 Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=10, length=290 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020a00a0190017030100202e56547a2cc961bed8bc6ef371a65ff5b2034788fa419fa76fda116e24b445a317030100709b304476ea3a228e109d7e7df1cd8a4bd1fa5779b205d200aec7d23c6641b15b734b64b56aace29f0623c5e914e2de7adf42b99d451617e655d5d3f58bed6b5c3a9869703129e8fcf56f6ac0f9ade0f2a4d5bea538ae2310897ce7da168c7bd2dbfd48d5706dbd148f412338c55bbaa3 State = 0x123f7dd81b356499db674645796856c2 Message-Authenticator = 0x5f2391cd4b87cb196fbf4beca8a1a7ae # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00511a020a004c315530e5eedb7545418c3519a5ebf9ec670000000000000000762feaaf2fdb62d38213f50c274d4194c7988bbd4b83e406006a736340656475726f616d2e6e74752e6564752e7477 server { [peap] Setting User-Name to john@eduroam.example.edu Sending tunneled request EAP-Message = 0x020a00511a020a004c315530e5eedb7545418c3519a5ebf9ec670000000000000000762feaaf2fdb62d38213f50c274d4194c7988bbd4b83e406006a736340656475726f616d2e6e74752e6564752e7477 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "john@eduroam.example.edu" State = 0x67cd962467c78ced7501359b4f279129 server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.ntu.edu.tw" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.ntu.edu.tw" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.ntu.edu.tw" [suffix] Proxying request from user john to realm eduroam.ntu.edu.tw [suffix] Preparing to proxy authentication request to realm " eduroam.ntu.edu.tw" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 81 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: john@eduroam.example.edu [mschap] Client is using MS-CHAPv2 for john@eduroam.example.edu, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [john@eduroam.example.edu/<via Auth-Type = EAP>] (from client network8 port 0 via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> john@eduroam.example.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 10 to XXX port 51040 EAP-Message = 0x010b002b19001703010020e2240cd59f5612ce5e667e34bb3cb34443523681822bb75ce1cd20358a048fcf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x123f7dd818346499db674645796856c2 Finished request 23. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 51040, id=11, length=210 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020b005019001703010020cb75ba34cd48020825fd021fce778da64de08e3bf0fa81e4734ac990b516a87717030100204083e2262345cefa1f866b0718c521d50ab5dda17f7df067607c304d08d570e4 State = 0x123f7dd818346499db674645796856c2 Message-Authenticator = 0xadc935c13eeb9ee254dfcc65fcebd2cd # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client network8 port 0 cli 02-00-00-00-00-01) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 24 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 24 Sending Access-Reject of id 11 to XXX port 51040 EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 13 ID 0 with timestamp +27 Cleaning up request 14 ID 1 with timestamp +27 Cleaning up request 15 ID 2 with timestamp +27 Cleaning up request 16 ID 3 with timestamp +27 Cleaning up request 17 ID 4 with timestamp +27 Cleaning up request 18 ID 5 with timestamp +27 Cleaning up request 19 ID 6 with timestamp +27 Cleaning up request 20 ID 7 with timestamp +27 Cleaning up request 21 ID 8 with timestamp +27 Cleaning up request 22 ID 9 with timestamp +27 Cleaning up request 23 ID 10 with timestamp +27 Waking up in 0.9 seconds. Cleaning up request 24 ID 11 with timestamp +27 Ready to process requests. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, heres your issue: [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: john@eduroam.example.edu [mschap] Client is using MS-CHAPv2 for john@eduroam.example.edu, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [john@eduroam.example.edu/<via Auth-Type = EAP>] (from client network8 port 0 via TLS tunnel) Using Post-Auth-Type Reject as you can see, its not using Stripped-User-Name.... its using the User-Name thats why 'john' works and this "john@eduroam.example.edu" doesnt I'm guessing you have 'john' in your users file.... though you probably want to have that auth somewhere else anyway - in LDAP or AD.... alan
On Thu, Nov 12, 2015 at 10:13 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 11, 2015, at 8:02 PM, Tim Chen <gphoto6@gmail.com> wrote:
However, I did more tests: ... 2. if I change modules/passwd into passwd passwdf1 { filename = /home/radius/passwd1 format = "*Stripped-User-Name:NT-Password:" Then ALL authentication tests FAILED
What does the debug output show?
When I tried to set modules/passwd into passwd passwdf1 { format = "*Stripped-User-Name:NT-Password:" And test by the following command: radtest john@eduroam.example.edu PASS 140.X.X.X 1812 testing123 (PAP) I got the following error: rad_recv: Access-Request packet from host XXX port 60992, id=162, length=92 User-Name = "john@eduroam.example.edu" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x35f44df400fa512aef4a447642eeff85 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 187 to 127.0.0.1 port 1812 User-Name = "john" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313632 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 187 to 127.0.0.1 port 1812 User-Name = "john" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x313632 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=187, length=78 User-Name = "john" User-Password = "PASS" NAS-IP-Address = XXX NAS-Port = 1812 Message-Authenticator = 0x3755dea88f500f9d9ec1b923f614b849 Proxy-State = 0x313632 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "john", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] file_common ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [john/PASS] (from client localhost port 1812) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Request didn't contain an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> john attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 187 to 127.0.0.1 port 1814 Proxy-State = 0x313632 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=187, length=25 Proxy-State = 0x313632 # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Login incorrect (Home Server says so): [john@eduroam.example.edu/PASS] (from client network8 port 1812) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Request didn't contain an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> john@eduroam.example.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 162 to XXX port 60992 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 187 with timestamp +31 Cleaning up request 0 ID 162 with timestamp +31 Ready to process requests.
On Thu, Nov 12, 2015 at 03:15:10PM +0800, Tim Chen wrote:
+group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ^^^
++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" ^^^
[suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated
You're calling passwdf1 before Stripped-User-Name is defined by suffix. Move passwdf1 after the call to suffix in both inner & outer. Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Nov 12, 2015 at 4:47 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Thu, Nov 12, 2015 at 03:15:10PM +0800, Tim Chen wrote:
+group authorize { ++[preprocess] = ok ++[passwdf1] = notfound ^^^
++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" ^^^
[suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated
You're calling passwdf1 before Stripped-User-Name is defined by suffix.
Move passwdf1 after the call to suffix in both inner & outer.
Cheers
Matthew
Dear Matthew, I've move passwdf1 after suffix in both inner & outer. (after the "files") But it seems the same situation: 1. PAP with/without domain(realm) PASSED 2. MSCHAP with/without domain(realm) PASSED 3. EAP(PEAP) I use eapol_test to test identity="john" PASS identity="john@eduroam.example.edu" FAIL!! Would you please give me some more hint? Thanks for your time. Eric Chang rad_recv: Access-Request packet from host XXX port 60597, id=0, length=126 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0xeeca830d9bace15bd26bba26b68a040d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to XXX port 60597 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e0b9dd7c53f14170d6c10b8a Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=1, length=349 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100db1980000000d116030100cc010000c80301342f621a43418e1f4a1f83fbd1d7f98e3eb86f95fc8f660bb6324aa0abc507bc00005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101 State = 0xe0b8c466e0b9dd7c53f14170d6c10b8a Message-Authenticator = 0x99ccdc81eedada43581f99d7d8eab825 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 219 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 209 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00cc], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 1411], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to XXX port 60597 EAP-Message = 0x0102040019c00000166716030100310200002d0301564472ede77c9b3d69871dd755169704e06c896cc1c230d9d673e975253012c4000039000005ff0100010016030114110b00140d00140a00056d3082056930820451a003020102021047df00000000068f47a297480cbfa807300d06092a864886f70d01010b0500306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f72697479301e170d3135303630383035333333 EAP-Message = 0x355a170d3136303630383135353935395a30818b310b3009060355040613025457310f300d06035504080c0654616977616e310f300d06035504070c0654616970656931233021060355040a0c1a4e6174696f6e616c2054616977616e20556e697665727369747931183016060355040b0c0f436f6d70757465722043656e746572311b301906035504030c12656475726f616d2e6e74752e6564752e747730820122300d06092a864886f70d01010105000382010f003082010a0282010100f1765133c1c57f8c043d22b71804729c7fc2631e0699374d43f8bc3b914c15722dc36020da16d028a4d1890c3a5271b7c1a72e7deea72d37946a1fc6e9 EAP-Message = 0x0b8bd477e6a71ab5353f8f81166fbf6cd4c2d531b677bf273d663603b5a60b265a968a261b0a1b8d5207daaf0bedccc670a7f4ad0e5a05fdd46bffed86abeed89857307cd50b55a4f0843523e57f9555427830d48eef368d037eb3dc685d511659a21ce557a53537c08dc552529ed64da0849833637f3507ebb58788272a526c7d19d8a51fa50f0558490737bb0e45b025c166783b3b1c279fa16c9de9576089c21869f103202b93c5a315b7c80d93b043fb946ab94576c6310f6cdedb721de25f8c6d0203010001a38201e2308201de301f0603551d23041830168014f807c26824ff8595cbdb1ee3339c2a4f9720567b30290603551d0e042204208d EAP-Message = 0x8ae0e0ca30409af8cef50a525ae9b18d6e669ad46cff8f48595468a084089f30560603551d1f044f304d304ba049a0478645687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f73736c7365727665722f53656375726573736c5f7265766f6b655f736861325f323031342e63726c301d0603551d11041630148212656475726f616d2e6e74752e6564752e747730818106082b0601050507010104753073304406082b060105050730028638687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f7365637572655f736861325f323031342e637274302b06082b06010505073001861f6874 EAP-Message = 0x74703a2f2f7477636173736c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e1badd7c53f14170d6c10b8a Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=2, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061900 State = 0xe0b8c466e1badd7c53f14170d6c10b8a Message-Authenticator = 0x36c0b2ca90211d3c2c9dca6de4022ca4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to XXX port 60597 EAP-Message = 0x010303fc19406f6373702e747763612e636f6d2e74772f305b0603551d20045430523050060b2b0601040182bf250101193041301b06082b06010505070201160f7777772e747763612e636f6d2e7477302206082b0601050507020230161a145265737472696374696f6e203d332e322e302e3130090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b050003820101001de810ca6c43b1feecba2817c78c853072af9e8ae8e0a5b6f4fb32b8e84423621eca6282a322434081ee26572c9d99b63246da8083f09b4ae4b3d5 EAP-Message = 0x02c02e30cff30300a17483a98ef819f4eea6cb7711ad9bcfb9dcd8428b99069f6075894fb22ea7a2d2f2bc2111acd6cdf1c803abcc6e642951e5447f9ce3779620e7f39fff05efa5e5697037b57349868aa15cfaab3d2e184907f947d1753709450e663cad3439cf8875102f7d27ad8d5115c79a85075bb988a2c450664414f4a55bd5a16e8b8b4411b3566315c5674d6476a9c8a688f02bdd4984a5c42b086275a537f8dcc62efc4cde6f3590cbd336249300e6e16153de8209d19d77743b566928b95b330005b5308205b130820399a003020102021040013353e40000000000000cc36e888d300d06092a864886f70d01010b05003051310b300906 EAP-Message = 0x035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f74204341301e170d3134313032383037323735365a170d3234313032383135353935395a306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101 EAP-Message = 0x00dbe0fe5153a201a6cf6a8e5da951096a167e4a1412b3114a26281b2f23528bc10dab1855e3a65cf2ed1af5632efab16a22866166ced21cd78f844568bc1333b80e270e466a578c363f8f2f84e8d4dd95290c55009dbd2efa52246be2a78569d1a45331bdffc65888b2c967e1fa55680e7d025c2e03237946b8a2e87678e64153d9d79f462acda6dd9c0450d49069237e03fb86dc9b4edc0116bf147d440bb31b6077b4260b4b9f01956a908683352e9b82d2d6c40531509a2868184d32bc930bf609813d7a680fa7d3f174f8d11e2e3664e11e2fd395ce9bc94678b28769564aadb0ab0bf6d10f92abe906e1550e0e1eb9b19359ae27fd6fe551a7e7 EAP-Message = 0xbc05244502030100 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e2bbdd7c53f14170d6c10b8a Finished request 20. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=3, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0xe0b8c466e2bbdd7c53f14170d6c10b8a Message-Authenticator = 0x5f5a7d1a7b0015e5627e9666c2f0efb8 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to XXX port 60597 EAP-Message = 0x010403fc194001a382016530820161301f0603551d2304183016801448dbcdde8ee949725a88e8b1d83d07b3b96b6650301d0603551d0e04160414f807c26824ff8595cbdb1ee3339c2a4f9720567b300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30490603551d1f04423040303ea03ca03a8638687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f676c6f62616c5f7265766f6b655f343039362e63726c30120603551d130101ff040830060101ff020100307606082b EAP-Message = 0x06010505070101046a3068303c06082b060105050730028630687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f726f6f74343039362e637274302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b050003820201009e80281ad40477c7e497cb3b7f10c26c9562edcbdfa42c11da641a141a7876e92bfc4b7ebf9a98ee19a31368960c219bfbd5587161da48caf935cdffcd584258f1f218cec7a532d8918491510a8ac5bf4129746dc461e0be03eb6b194a19ddf01a657cc8534701095d95b76d1e72bf2fc32eb36e1d11 EAP-Message = 0x8f7eb3dbd2fdfb2fb9f076ef9630e52fbf5e4ac15fb656523e727ad11185960188b10e6d8d8cadb2302a148c4bf009cca59e7c2c838091f08978d5e03b1b51d9802dea638fd4760ceed62819731447e3a1e0e07aea73c3513ee0ac611328a368e1eac1b3f7704568a63e0d06c4be5fdc1f9ab22adcd9bf3eed2c4b0590a44d92670e7c240fefb7cc9bcfda4e9cf3ca33afc4d274d17303a3163b23eb5277fe97c72effbc9dd56505f89854a0f0d4e5229db2b684ef5757eeb3df55d8da4bb7ddc05fccb00dc38299afeb2ea953f10bbb9dbe5afb9afab0a31df35c1f556258c27725e467b5dcbda0a1acbedb511a15381dd31a7a07804c459dd3b401ff EAP-Message = 0x654d77dfeefc3e6b7d2266ac68994f021f144c117092d6c20a62a6886beb6642dcbc75cbd11d7caaec8763eea865b29ad5e659b147230e812b8fcb2d21df96f102bbc6909b3189e2c3be8d1ff832fb96899b1710c4c73213706480c9cc6b8f93b08af62d2927bc398e6d6fe684c30028705f010bccb6d2c18aeaa04ea46419fe18ee4487e2117f05bb0efbdc6700055d3082055930820441a003020102021040013353e40000000000000cca5d1b69300d06092a864886f70d01010b0500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c EAP-Message = 0x215457434120526f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e3bcdd7c53f14170d6c10b8a Finished request 21. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=4, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0xe0b8c466e3bcdd7c53f14170d6c10b8a Message-Authenticator = 0xf9b17f3e26b5b05b17d438eb094b12d9 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to XXX port 60597 EAP-Message = 0x010503fc19406f742043657274696669636174696f6e20417574686f72697479301e170d3134313032383037333833315a170d3330313032383135353935395a3051310b300906035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b005dbc8eb8cc46e8a21ef8e4d9c710a1f5270ed6d829c97c5d74c4e4549cb4042b512346c19c274a4315f850297ec43330a53d29c8c8eb7b879db2bd56af28e66c4ee2b010792d4b3 EAP-Message = 0xd002df50f655af660ecbe047602f2b323935523a2883f87b16c618b862d6472591cef019124dad63f5d33f755f29f0a1301c2aa098a615bdeefd1936f0e291438ffacad61027494cefddc1f185709bcaeaa85a43fc6d866f73e93745a9f036c7cc88751ebb6c06ff9b6b3e17ec61aa717cc61da2f749e915b53cd6a161f511f7056f1dfd11bed03007c229b0094e26dce3a2a8916a1fc29145885ce598b871a51519c97c7511cc70744f2d9b1d9144fd5628a0febb866ac8fa5c0b58dcc64b76c8ab22d9730fa5f45a02893f4f9e2282eea274532a3d5327691d6c8e322c6400266361364ea346b73f7db32dac6d90a295a2cecfda82e707341996e9b8 EAP-Message = 0x21aa297ea638be8e294a2166791fb3c3b50967ded6d40746f32adae6223760cb81b60fa00fe9c8957fbf5591057acf3d15c06fde09940183d7341bcc40a5f0b89b67d598913ba784789526a45a08f82b74b400043cdfb8148ee8dfa98d6c6792331dc0b7d2ec92c8be09bf2c29056f026b9eefbcbf2abc5bc0508f41707187b24db704a984a332afaeee6b178bb2b1fe6ce1908c88a89748cec84dcbf306cf5f6a0a42b11e1e772f8ea0e6920e06fc0522d226e131517d32dc0f0203010001a382011d30820119301f0603551d230418301680146a385b268dde8b5af24f7a54831918e30835a6ba301d0603551d0e0416041448dbcdde8ee949725a88 EAP-Message = 0xe8b1d83d07b3b96b6650300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30420603551d1f043b30393037a035a0338631687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f7265766f6b655f323034382e63726c300f0603551d130101ff040530030101ff303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b05000382010100290b6ec494dc EAP-Message = 0x6259937a5a4c5ddc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e4bddd7c53f14170d6c10b8a Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=5, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0xe0b8c466e4bddd7c53f14170d6c10b8a Message-Authenticator = 0x65f499ed0355542a4c7e35a66f8f0e5f # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to XXX port 60597 EAP-Message = 0x010603fc1940993e8ea8fbf9a08f1bd927706df82e5e48696117401089aa03b81ccbdfbc6c28541fc521f54b96bffc4c47ca0b77c3cc667b6fb9360869f9c191ed8fd69ea222e882b789c8aad020e74aac232b2f4ff64f146bf17a45a187c871e7a7a4b9806bc9cecd8a259ccdd309a532fa24d1517f3c319947ea1fa76f6e84cdaed8ae356ad6cbe0be13c1a231cbee1fe926dfb706c60d450ae7ab45571eb7019b31f5f205404586d8021bd04b21db2082e322e94fe35d2bc439121728c6b967b17de1b27c76e53684da745eac38b66bf8eea103c4b0c45c124c6f06da3a4465b636970c1879d04697331fab52a8cede57b4281338b7ac00037f3082 EAP-Message = 0x037b30820263a003020102020101300d06092a864886f70d0101050500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f72697479301e170d3038303832383037323433335a170d3330313233313135353935395a305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f7269 EAP-Message = 0x747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b07e72b8a40394e6a7de0938914a114087a77c5964147bb51110ddfebfd5c0bb56e28525f435720ff853d041e14401c2b41cc33142164785332276b20a6f0fe525504f8586bebf982e10671ebe1105860590c459d07c7810b0805cb7e1c72b75cb7c9faeb5d19d233763a7dc42a22d92041b50c17bb83e1bc956048b2f529bada956e9c1ffada9588730b681f79745fc19573b2b6fe447f49945fe1df1f897a3881d371c5c8fe076259a50f8a054ff44907623d232c6c3ab06bffcfbbff3ad7d9262025b29d335a3939a4364605db2fa32ff3b04af4d406af9c7 EAP-Message = 0xe3ef23fd6bcbe50f8b380dee0afcfe0f989f3031dd6c5265f98b81be22e11c5803ba911b89070203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a385b268dde8b5af24f7a54831918e30835a6ba300d06092a864886f70d010105050003820101003cd5773ddadf89ba870c08546a205092beb0413db92664830a2fe840c097282782304ac993ff6ae7a6007f89429ad611e553ce2fccf2da05c4fee250c43a867dccda7e10093b92352a53b2feeb2b05d96c5de6d0efd36a669e1528857ae88200ac1ea709695642d3685118be549abf4441ba49be20ba695ceeb8 EAP-Message = 0x77cdce6c1fad8396 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e5bedd7c53f14170d6c10b8a Finished request 23. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=6, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0xe0b8c466e5bedd7c53f14170d6c10b8a Message-Authenticator = 0x972dd2cbfac6b409f039e2c7cc7b3f54 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to XXX port 60597 EAP-Message = 0x0107029f1900187d0eb5143984f128e92da39e7b1e7a725a83b3796fefb4fcd00aa5584f46dffb6d7959f2842252ae0fccfb7c3be76aca4761c37af8d392041fb82084e1365416c740de3b8a73dcdfc6094cdfecdaffd45342a1c9f2621d22833c97c5f9196227ac6522d7d33cc6e58eb253cc49cebc30fe7b0e3390fbedd214911f07af160301020d0c0002090080f330e182461ac1124f5b50a47f973caee6024b9aca5a451cc1b5e663f16bb9063f4a7b1393c2393e28a59080f9aa96bc7abb8119a7e4eb4692accd80ece3018dabf5f0b5e8124b3e2cb69bdf96f52b26ca06ae45cadc31676bb17115261819095027a73b5151fc761d574fe44ec3 EAP-Message = 0x14452195733585d8170a671a713ee4875e2b0001020080aa33eb607ca6e2cd3431adcc0d49160ecbc0909755d7e59b757a31ffd85bc43c053c05461253a9c4fb3ab5819eb133be48e8b44a2f0dd9bb32ab1a5705840a39a83d6ff4a8d34d1ab5da87d6582b1784807dfa311a4a9ed8678a37797833f1c42c98574b6a674b48383b6bc15d513846262f7704e38678740c4673d9bcda83900100267489ded2f9e59849d4de7af7ecfe6ff178226722d490524e6b76dbcbe0a7630313475f957b2b94a69062a261693fa004ebf67b580f8e8dd36d3319b7c34c98a1b0b5377756188c3cd449d29ca91966d577a5b8c764c8abe4e5dcb737c2c1a4ac58c93b EAP-Message = 0x6dc0c8bd7ff20def0f8ed9cce4d29f3ed99f708d73ca7249e4b981dad6258c65e335d46918f81f52cc785aa3813037a674a42f6c30322c3b58b3efa3109fea962e9586b11404ae9cb2c025277a49a8102591047636949157619b3998a9fcf0e01ec62733396646ca2206b48296d08d2b29c1f2c5110a61b767b6220f862e4b344b9a709a2dcce25000f861eb039bf417587478effd60c9dc39d2ac9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e6bfdd7c53f14170d6c10b8a Finished request 24. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=7, length=338 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700d01980000000c6160301008610000082008037397ea3303c05783518b52aa03a549dbf5637e7fc3906c1ac0707900db32c27bbaf83b72577d47aaf906d58e96190767bab1d837158ee2a161ea38aff71af01162661d5b39a6728e9fb7669549ae95ee1fd32d374b3bab766c15e5f1f2a5589e440a64449eb328135f72645800d04c3fa7282c8786acb3a721ed8d727084d4f1403010001011603010030ccf5680511f68785678ac1c7280c613ad90ce602c19e3f36904f96f184b9a95c909f49e6fa2dc7ed0b326d4779e74c8b State = 0xe0b8c466e6bfdd7c53f14170d6c10b8a Message-Authenticator = 0x04e75b2199d6ae19b4d3f930ea273643 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 7 length 208 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to XXX port 60597 EAP-Message = 0x0108004119001403010001011603010030b5f3deeb1e46572a001ab0cb62e8dc83560ab61f641703b38f764aa1f1234cff61201fb1c1ad1af68d4f05000eee1f74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e7b0dd7c53f14170d6c10b8a Finished request 25. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=8, length=136 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800061900 State = 0xe0b8c466e7b0dd7c53f14170d6c10b8a Message-Authenticator = 0x97a7b696c186dfae46ddd95b9d548ee9 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to XXX port 60597 EAP-Message = 0x0109002b19001703010020ff86faf97d4639be9426719ee0aba567e35a0230dc5cb6ef05bb66d87323a248 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e8b1dd7c53f14170d6c10b8a Finished request 26. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=9, length=226 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209006019001703010020747c93ea7fa927528d70d44e59bc1b5716ebd3d8a7c08e22b87d86f366cde4f717030100309611d052aa27d02f06fbea6f19b6dcb81b30014c3df2d631a442a4a1fe31ce5d94316956f284761e2fe0adee9daeb47f State = 0xe0b8c466e8b1dd7c53f14170d6c10b8a Message-Authenticator = 0x079f64a6b49baec478c02318e85be3dc # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - john@eduroam.example.edu [peap] Got inner identity 'john@eduroam.example.edu' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0209001b016a736340656475726f616d2e6e74752e6564752e7477 server { [peap] Setting User-Name to john@eduroam.example.edu Sending tunneled request EAP-Message = 0x0209001b016a736340656475726f616d2e6e74752e6564752e7477 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "john@eduroam.example.edu" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00301a010a002b10e5300e4995aa18fb84d46e244cfe1b076a736340656475726f616d2e6e74752e6564752e7477 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03fe26c403f43cfffff39b292568cd04 [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x010a00301a010a002b10e5300e4995aa18fb84d46e244cfe1b076a736340656475726f616d2e6e74752e6564752e7477 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03fe26c403f43cfffff39b292568cd04 [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 9 to XXX port 60597 EAP-Message = 0x010a005b190017030100504829958debd5ce8970ef192d93cfa56ea96b69f702aaec9b78d64ea5729ff05ff8f7a5655a119c700a34d725767b26f3d8814521afa27c93ea849de8c1c9dafbc7f785ddee4fb16af059b6d9fdace362 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466e9b2dd7c53f14170d6c10b8a Finished request 27. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=10, length=290 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020a00a01900170301002062eb92c1a90dfdc1af592cc2e3f60d949193e5f5609e1f0270d3060aee06093f1703010070254b748e5c03ba5e3d602cbf39fb26a46ed697798a19afb33b812e7df239e1a7794ba430f03bfe66e4f546f8257649b0963081b115287955fc880599477bcf3a00323b8e1d877b0a39b3021295b05ccf55c59b8f9d21315407871433e5db1fcc42f9a1a0230d497bb08a0d0925ca7f99 State = 0xe0b8c466e9b2dd7c53f14170d6c10b8a Message-Authenticator = 0x313531a5259dd06d861209a42032e394 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 10 length 160 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00511a020a004c31e1b79f474a6404288c4f3039eec9e25b0000000000000000127c91d50c70cba486931070b47e7713c173843e796cd384006a736340656475726f616d2e6e74752e6564752e7477 server { [peap] Setting User-Name to john@eduroam.example.edu Sending tunneled request EAP-Message = 0x020a00511a020a004c31e1b79f474a6404288c4f3039eec9e25b0000000000000000127c91d50c70cba486931070b47e7713c173843e796cd384006a736340656475726f616d2e6e74752e6564752e7477 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "john@eduroam.example.edu" State = 0x03fe26c403f43cfffff39b292568cd04 server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu [suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 10 length 81 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: john@eduroam.example.edu [mschap] Client is using MS-CHAPv2 for john@eduroam.example.edu, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Login incorrect: [john@eduroam.example.edu/<via Auth-Type = EAP>] (from client network8 port 0 via TLS tunnel) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> john@eduroam.example.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\nE=691 R=1" EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 10 to XXX port 60597 EAP-Message = 0x010b002b1900170301002074a804afb0f47eeca2c61b96396601cad3bf914e77f9e7dfb4315d446ac8ba75 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe0b8c466eab3dd7c53f14170d6c10b8a Finished request 28. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host XXX port 60597, id=11, length=210 User-Name = "anonymous" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020b0050190017030100209042a6b24b30cd3562204ee125fa1ccb3c71936efd32a2bc1e6be929ce92ae471703010020e1fd5cd4e4c25e517f2eb8465409559b4288fbbf05f5c6805306a23fab161c3f State = 0xe0b8c466eab3dd7c53f14170d6c10b8a Message-Authenticator = 0xff197e1157b28e7cef9eacdcbc22d695 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 11 length 80 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client network8 port 0 cli 02-00-00-00-00-01) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 29 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 29 Sending Access-Reject of id 11 to XXX port 60597 EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 18 ID 0 with timestamp +116 Cleaning up request 19 ID 1 with timestamp +116 Cleaning up request 20 ID 2 with timestamp +116 Cleaning up request 21 ID 3 with timestamp +116 Cleaning up request 22 ID 4 with timestamp +116 Cleaning up request 23 ID 5 with timestamp +116 Cleaning up request 24 ID 6 with timestamp +116 Cleaning up request 25 ID 7 with timestamp +116 Cleaning up request 26 ID 8 with timestamp +116 Cleaning up request 27 ID 9 with timestamp +116 Cleaning up request 28 ID 10 with timestamp +116 Waking up in 0.9 seconds. Cleaning up request 29 ID 11 with timestamp +116 Ready to process requests.
On Thu, Nov 12, 2015 at 7:46 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
how is "eduroam.example.edu" defined in proxy.conf?
alan
Hi Alan, proxy.conf: realm eduroam.example.ntu { auth_pool = my_auth_failover } and the my_auth_failover is the radius default config, pointing to localhost. Thanks for your help. Eric Chang
On Fri, Nov 13, 2015 at 10:05:32AM +0800, Tim Chen wrote:
On Thu, Nov 12, 2015 at 7:46 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
how is "eduroam.example.edu" defined in proxy.conf?
proxy.conf: realm eduroam.example.ntu { auth_pool = my_auth_failover }
and the my_auth_failover is the radius default config, pointing to localhost.
What are you trying to achieve with this configuration? Is 'eduroam.example.ntu' your own realm or..? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Thu, Nov 12, 2015 at 07:14:32PM +0800, Tim Chen wrote:
3. EAP(PEAP) I use eapol_test to test identity="john" PASS identity="john@eduroam.example.edu" FAIL!!
Have you still got this config? passwd passwdf1 { filename = /home/radius/passwd1 format = "*Stripped-User-Name:NT-Password:" as you need to look up Stripped-User-Name in the passwd file, not User-Name.
User-Name = "john@eduroam.example.edu" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "eduroam.example.edu" for User-Name = " john@eduroam.example.edu" [suffix] Found realm "eduroam.example.edu" [suffix] Adding Stripped-User-Name = "john" [suffix] Adding Realm = "eduroam.example.edu" [suffix] Proxying request from user john to realm eduroam.example.edu
What Alan said - how is your proxying defined? Is eduroam.example.edu your local realm or remote? It is very unlikely you want to be proxying in the inner tunnel. In which case make sure you've still got update control { Proxy-To-Realm := LOCAL } there.
[suffix] Preparing to proxy authentication request to realm " eduroam.example.edu" ++[suffix] = updated ++update control { ++} # update control = noop [eap] EAP packet type response id 9 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] file_common ++[files] = noop ++[passwdf1] = notfound
See config above - if you are looking for User-Name then that will explain why this is notfound. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Matthew Newton -
Tim Chen