peap termination issue when using fault tolerance
I setup FreeRadius as proxy as I want to extract MSCHAPv2 auth from EAP-PEAP/MSCHAPv2 ,and proxy only MSCHAPv2 request to another two radius servers for fault tolerance. I can successfully do it with each one of the IAS servers below individually, however if one of the serves goes down and request is forward to the second servers on the list I get an error : Error receiving packet: Connection reset by peer Any suggestions how to enable Fault tolerance when using two realms ?? clients.conf client 172.100.100.24/30 { secret = secretpass shortname = NETMOTION } proxy.conf realm mydomain.com { authhost = 192.168.1.10:1812 accthost = 192.168.1.10:1813 secret = 1111 nostrip } realm mydomain.com { authhost = 192.168.1.117:1812 accthost = 192.168.1.117:1813 secret = 1111 nostrip users.conf DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := mydomain.com Eap.conf default_eap_type = mschapv2 proxy_tunneled_request_as_eap = no use_tunneled_reply = no copy_request_to_tunnel = yes -- View this message in context: http://freeradius.1045715.n5.nabble.com/peap-termination-issue-when-using-fa... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Gil Mazor wrote:
I can successfully do it with each one of the IAS servers below individually, however if one of the serves goes down and request is forward to the second servers on the list I get an error :
Error receiving packet: Connection reset by peer
Please post the *full* debug output.
Any suggestions how to enable Fault tolerance when using two realms ??
You have *not* said that the error causes any problems. So... does it cause problems? Or are you just asking why there's an error? Alan DeKok.
alan. can u help me deploying radius which has fail over i only have 1 radius server.. and when its down. my clients cant connect.. help me thank you so much alan ________________________________ From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Sunday, March 27, 2011 7:47:07 PM Subject: Re: peap termination issue when using fault tolerance Gil Mazor wrote:
I can successfully do it with each one of the IAS servers below individually, however if one of the serves goes down and request is forward to the second servers on the list I get an error :
Error receiving packet: Connection reset by peer
Please post the *full* debug output.
Any suggestions how to enable Fault tolerance when using two realms ??
You have *not* said that the error causes any problems. So... does it cause problems? Or are you just asking why there's an error? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Again, Yes , the error do cause a problem, as once it occurs , I must restart Radiusd. I attach two logs, first one is with the failure and the second one is a success , when the second IAS is commented in proxy.conf Log of the problem: FreeRADIUS Version 2.1.10, for host i686-pc-cygwin, built on Mar 15 2011 at 16:08:33 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file ..\etc\raddb/radiusd.conf including configuration file ..\etc\raddb/proxy.conf including configuration file ..\etc\raddb/clients.conf including files in directory ..\etc\raddb/modules/ including configuration file ..\etc\raddb/modules/acct_unique including configuration file ..\etc\raddb/modules/always including configuration file ..\etc\raddb/modules/attr_filter including configuration file ..\etc\raddb/modules/attr_rewrite including configuration file ..\etc\raddb/modules/chap including configuration file ..\etc\raddb/modules/checkval including configuration file ..\etc\raddb/modules/counter including configuration file ..\etc\raddb/modules/cui including configuration file ..\etc\raddb/modules/detail including configuration file ..\etc\raddb/modules/detail.example.com including configuration file ..\etc\raddb/modules/detail.log including configuration file ..\etc\raddb/modules/digest including configuration file ..\etc\raddb/modules/dynamic_clients including configuration file ..\etc\raddb/modules/echo including configuration file ..\etc\raddb/modules/etc_group including configuration file ..\etc\raddb/modules/exec including configuration file ..\etc\raddb/modules/expiration including configuration file ..\etc\raddb/modules/expr including configuration file ..\etc\raddb/modules/files including configuration file ..\etc\raddb/modules/inner-eap including configuration file ..\etc\raddb/modules/ippool including configuration file ..\etc\raddb/modules/krb5 including configuration file ..\etc\raddb/modules/ldap including configuration file ..\etc\raddb/modules/linelog including configuration file ..\etc\raddb/modules/logintime including configuration file ..\etc\raddb/modules/mac2ip including configuration file ..\etc\raddb/modules/mac2vlan including configuration file ..\etc\raddb/modules/mschap including configuration file ..\etc\raddb/modules/ntlm_auth including configuration file ..\etc\raddb/modules/opendirectory including configuration file ..\etc\raddb/modules/otp including configuration file ..\etc\raddb/modules/pam including configuration file ..\etc\raddb/modules/pap including configuration file ..\etc\raddb/modules/passwd including configuration file ..\etc\raddb/modules/perl including configuration file ..\etc\raddb/modules/policy including configuration file ..\etc\raddb/modules/preprocess including configuration file ..\etc\raddb/modules/radutmp including configuration file ..\etc\raddb/modules/realm including configuration file ..\etc\raddb/modules/smbpasswd including configuration file ..\etc\raddb/modules/smsotp including configuration file ..\etc\raddb/modules/sqlcounter_expire_on_login including configuration file ..\etc\raddb/modules/sql_log including configuration file ..\etc\raddb/modules/sradutmp including configuration file ..\etc\raddb/modules/unix including configuration file ..\etc\raddb/modules/wimax including configuration file ..\etc\raddb/eap.conf including configuration file ..\etc\raddb/policy.conf including files in directory ..\etc\raddb/sites-enabled/ including configuration file ..\etc\raddb/sites-enabled/control-socket including configuration file ..\etc\raddb/sites-enabled/default main { allow_core_dumps = no } including dictionary file ..\etc\raddb/dictionary main { prefix = "C:\freeradius" localstatedir = "C:\freeradius/var" logdir = "C:\freeradius/var/log/radius" libdir = "C:\freeradius/lib" radacctdir = "C:\freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "C:\freeradius/var/run/radiusd/radiusd.pid" checkrad = "C:\freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm devtms2k8.com { nostrip ldflag = round_robin authhost = 192.168.1.10:1812 accthost = 192.168.1.10:1813 secret = 1111 } realm devtms2k8.com { ldflag = round_robin authhost = 192.168.1.117:1812 accthost = 192.168.1.117:1813 secret = 1111 } # realm devtms2k8.com radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.8/24 { require_message_authenticator = no secret = "1111" shortname = "netmotion" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file ..\etc\raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file ..\etc\raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file ..\etc\raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file ..\etc\raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ..\etc\raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file ..\etc\raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file ..\etc\raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file ..\etc\raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file ..\etc\raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file ..\etc\raddb/modules/unix unix { radwtmp = "C:\freeradius/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file ..\etc\raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem" certificate_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt" CA_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.crt" private_key_password = "demo" dh_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh" random_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file ..\etc\raddb/modules/preprocess preprocess { huntgroups = "..\etc\raddb/huntgroups" hints = "..\etc\raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file ..\etc\raddb/modules/files files { usersfile = "..\etc\raddb/users" acctusersfile = "..\etc\raddb/acct_users" preproxy_usersfile = "..\etc\raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file ..\etc\raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file ..\etc\raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file ..\etc\raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file ..\etc\raddb/modules/detail detail { detailfile = "C:\freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file ..\etc\raddb/modules/radutmp radutmp { filename = "C:\freeradius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file ..\etc\raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "..\etc\raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file ..\etc\raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "..\etc\raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "C:\freeradius/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file C:\freeradius/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=23, length=136 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x0200002001444556544d53324b382e434f4d5c61646d696e6973747261746f72 Message-Authenticator = 0x5b7322e7ddf8041b7820547e8db809d0 Proxy-State = 0xc0a8010a00000017 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 0 length 32 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 23 to 192.168.1.10 port 2905 EAP-Message = 0x0101001604105dba3a2591b68f96b2f1f20440e1ef7d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf19744dae1d314ad6ef2775c40139 Proxy-State = 0xc0a8010a00000017 Finished request 11. Going to the next request Waking up in 4.10 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=24, length=129 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x0201000703190d Message-Authenticator = 0xff21f3c47d797fe4af54745f43649fb3 State = 0x4daf19744dae1d314ad6ef2775c40139 Proxy-State = 0xc0a8010a00000018 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 1 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 24 to 192.168.1.10 port 2905 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf19744cad00314ad6ef2775c40139 Proxy-State = 0xc0a8010a00000018 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=25, length=338 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x020200d8190016030100cd010000c903014d8f28c19adc1bc280ae5fbeb11c8e59fd70f32b316159e37de10cd2d7fd747300005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 Message-Authenticator = 0xe80cbcbf8293113e007b986ad8fcf89a State = 0x4daf19744cad00314ad6ef2775c40139 Proxy-State = 0xc0a8010a00000019 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 2 length 216 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00cd], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 09cd], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 25 to 192.168.1.10 port 2905 EAP-Message = 0x0103040019c000000a1116030100310200002d03014d8f28f3b81a48f0d123d3291182915d8e7d580fca4d14ec07c10dfac6472cfe000035000005ff0100010016030109cd0b0009c90009c60004f4308204f030820459a003020102020102300d06092a864886f70d01010405003081ad311a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886 EAP-Message = 0xf70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574301e170d3036303431333031303830345a170d3136303431303031303030305a3081b1311e301c06035504031315467265655241444955532e6e65742d536572766572310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e657430819f300d06092a EAP-Message = 0x864886f70d010101050003818d0030818902818100c52fed9c525523e090e52f74c1aa17e728f81326d6dc25fec0026a3b38d521f2c1534da84a50a71bfa98a73e41f1478ae20098234719694067607438c1b7729d1f83ba66d2f74def53d7b651446b1ca59be01e1d734e31ad3ab1baf2fac4bd42b3870fcb8de045f8c22c40e549ce34d13facabff6dda49f3993d71b33951b3330203010001a382021830820214300c0603551d130101ff04023000301d0603551d0e04160414deb8cba35c689399984553c2bb09245ffd24102f3081da0603551d230481d23081cf801468e090479d6ed81e03d598e1d67ce31a0f96ad36a181b3a481b03081ad31 EAP-Message = 0x1a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574820101300b0603551d0f0404030202e4306f0603551d250468306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06 EAP-Message = 0x01050507030506082b060105 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf19744fac00314ad6ef2775c40139 Proxy-State = 0xc0a8010a00000019 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=26, length=128 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x020300061900 Message-Authenticator = 0x99d7f3a38fa2c42cb3d80a06b9f131e9 State = 0x4daf19744fac00314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001a # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 26 to 192.168.1.10 port 2905 EAP-Message = 0x010403fc19400507030606082b0601050507030706082b06010505080202060a2b06010401823714020230250603551d11041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e657430250603551d12041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e6574301106096086480186f84201010404030202c4302906096086480186f842010d041c161a5669736974207777772e467265655241444955532e6e65742021300d06092a864886f70d0101040500038181007662b3b6b60fc4dd059c85c504e04f19d060660b72b0b2b0a70f99324f3f7499a81d0fc9bebe049e43e2838532195b27deba265f EAP-Message = 0x2a5b62da9d95a87c9e50ec264bd467e8db60f54ebeb9972228c0535953e51baeb35ce908fa9e335e68d77a440074263ef771dd949c5312f4d985f6bcc9d3e0b8e32d7f1f83ddcb70e1929afc0004cc308204c830820431a003020102020101300d06092a864886f70d01010405003081ad311a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886 EAP-Message = 0xf70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574301e170d3036303431333031303531325a170d3136303431303031303531325a3081ad311a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e657430819f300d06092a864886f7 EAP-Message = 0x0d010101050003818d0030818902818100d9a1e9eb8dfc66796b854d0dde4ce84379bc84f46fa7e2a8165d571d417f42bb482867554d44cccd69f9c0e463b97651d84d0470e58ffae406d9182f4b071e9ba48175ea28f5b09ccef89ed7d05875ef188b05276682a2ff93f2b036af66394802207c829c43b388e24f71f315ef158061ccba5b27e4327b4614e56f451ee2ad0203010001a38201f4308201f0300f0603551d130101ff040530030101ff301d0603551d0e0416041468e090479d6ed81e03d598e1d67ce31a0f96ad363081da0603551d230481d23081cf801468e090479d6ed81e03d598e1d67ce31a0f96ad36a181b3a481b03081ad311a EAP-Message = 0x3018060355040313 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf19744eab00314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001a Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=27, length=128 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x020400061900 Message-Authenticator = 0x510c5285a2e6286ff4417a198cbb40c7 State = 0x4daf19744eab00314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001b # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 27 to 192.168.1.10 port 2905 EAP-Message = 0x0105022b190011467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574820101300b0603551d0f040403020106306f0603551d250468306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505 EAP-Message = 0x07030506082b0601050507030606082b0601050507030706082b06010505080202060a2b06010401823714020230250603551d11041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e6574301106096086480186f84201010404030200c7302906096086480186f842010d041c161a5669736974207777772e467265655241444955532e6e65742021300d06092a864886f70d01010405000381810000674d1b82e8db81e5a6fdb44ba24f89738dc5954c777fa794282102a5a8b3376a39e2aadc4be4d3833545cd0ea6fda3208a2a9ed4619f3dd71302f1327d4d65035933c1fc05b542ff65d9f971306a4b97932f283257f64f EAP-Message = 0x66c8947edd4f93ee7ccf279d826338e05dee101e2524fdbe3000a60605c1070d081b97da24dadbf316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf197449aa00314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001b Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=28, length=326 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x020500cc190016030100861000008200809526a45149ed3d69cd0e5f4e3445dcc75292231f9eb0baffa496a575bb84b37d49c8cd8287845a7e523c9c4a548721fb24342640f40e716fd838de6d5e30df224e711d82fb09636eba59202a26118ddd982fd4a38c967099adc5b3a6898190ca124f39bde597ca47b8d6205dd6931b22ea841c92071a3786ff8d76ea577f8a3a14030100010116030100308e54eab523e34987562b56588dfe1ffd3735293e77efdcb1c2936819c09ad5b5a03e4cc0c79264872def804a84e37fc0 Message-Authenticator = 0x97a534afba31a195db1e610dccebefdf State = 0x4daf197449aa00314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001c # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 5 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 28 to 192.168.1.10 port 2905 EAP-Message = 0x010600411900140301000101160301003034225ab9cafb1c96f110f21956d65b690b4f8691fac3771088fe257240a706690fc08d63d9f60f2740d1d0c3761e1f86 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf197448a900314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001c Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=29, length=128 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x020600061900 Message-Authenticator = 0xfc8817855acd1ffa12d2f06f6480734f State = 0x4daf197448a900314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001d # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 29 to 192.168.1.10 port 2905 EAP-Message = 0x0107002b190017030100202bb275ee2b905673edb5147fa89d956e5e6d7260509bc9930f6714a6070e0a03 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf19744ba800314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001d Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=30, length=234 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x0207007019001703010020dd58ef608153b104c9f35ece1f8f2ea4494c7c44054e56ae7914b2495405ec6317030100404b90d8691505c71a259e7f7ab96eaf34e4373aca8b1627f573c57a4f35abe530706b5fc19ac7b5164bf06ffd80b6a989d2747ffff116c95b83678996b1f2101c Message-Authenticator = 0x26ac2fa17a0096b2f77b434e25e3313a State = 0x4daf19744ba800314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001e # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - DEVTMS2K8.COM\administrator [peap] Got inner identity 'DEVTMS2K8.COM\administrator' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207002001444556544d53324b382e434f4d5c61646d696e6973747261746f72 server { PEAP: Setting User-Name to DEVTMS2K8.COM\administrator Sending tunneled request EAP-Message = 0x0207002001444556544d53324b382e434f4d5c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DEVTMS2K8.COM\\administrator" NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55b9" NAS-IP-Address = 192.168.1.10 server { # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 7 length 32 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop } # server [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Cancelling proxy to realm devtms2k8.com until the tunneled EAP session has been established [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800351a01080030105a31dccfb71d37736d1ebc2002e1df90444556544d53324b382e434f4d5c61646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16f6bc8e16fea69a8f8674b7dc73bf4e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 30 to 192.168.1.10 port 2905 EAP-Message = 0x0108005b19001703010050a455947493a57ef08f819a264fae3621a58db9534677231bd01359600a0600c80d47d0cc3009f266ed51ae85d6ef9d23ec56e7098bf8178b15ee5338d2f745a658d0a8734d097ebe42e5d1dd437eb2fa Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4daf19744aa700314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001e Finished request 18. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=31, length=282 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55b9" EAP-Message = 0x020800a019001703010020ba2503b02327c039d7b57c68eb0359edc079f05498f9fa83e9de7ae1c3383485170301007075eeceaf20cff4eb413d5404db9ec2147fad3d12819f5b28ce582eae6c7beea2095138c2a753b0fd7ed84a9fb1aa304686579cdc9afb41945d62d7108e94725385da8eea46f1197e13b02a14b115b2a9f9666ec5e40afbce595335ba212ea83e4aef6e9ddccf3373bf4d7e00613bc8fa Message-Authenticator = 0xc7a97a069d71444df7e641852d050ac8 State = 0x4daf19744aa700314ad6ef2775c40139 Proxy-State = 0xc0a8010a0000001f # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 8 length 160 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800561a0208005131d18d5c61c8305379edf20681a8c23450000000000000000095634a6e76db5375781a2422b07b7719fe4c28f299ae9a4f00444556544d53324b382e434f4d5c61646d696e6973747261746f72 server { PEAP: Setting User-Name to DEVTMS2K8.COM\administrator Sending tunneled request EAP-Message = 0x020800561a0208005131d18d5c61c8305379edf20681a8c23450000000000000000095634a6e76db5375781a2422b07b7719fe4c28f299ae9a4f00444556544d53324b382e434f4d5c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DEVTMS2K8.COM\\administrator" State = 0x16f6bc8e16fea69a8f8674b7dc73bf4e NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55b9" NAS-IP-Address = 192.168.1.10 server { # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 8 length 86 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop } # server [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to devtms2k8.com PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 172 to 192.168.1.117 port 1812 User-Name = "DEVTMS2K8.COM\\administrator" NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55b9" NAS-IP-Address = 192.168.1.10 MS-CHAP-Challenge = 0x5a31dccfb71d37736d1ebc2002e1df90 MS-CHAP2-Response = 0x0845d18d5c61c8305379edf20681a8c23450000000000000000095634a6e76db5375781a2422b07b7719fe4c28f299ae9a4f Proxy-State = 0x3331 Proxying request 19 to home server 192.168.1.117 port 1812 Sending Access-Request of id 172 to 192.168.1.117 port 1812 User-Name = "DEVTMS2K8.COM\\administrator" NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55b9" NAS-IP-Address = 192.168.1.10 MS-CHAP-Challenge = 0x5a31dccfb71d37736d1ebc2002e1df90 MS-CHAP2-Response = 0x0845d18d5c61c8305379edf20681a8c23450000000000000000095634a6e76db5375781a2422b07b7719fe4c28f299ae9a4f Proxy-State = 0x3331 Going to the next request Waking up in 0.10 seconds. Error receiving packet: Connection reset by peer Waking up in 0.9 seconds. Error receiving packet: Connection reset by peer Waking up in 0.9 seconds. Error receiving packet: Connection reset by peer Waking up in 0.9 seconds. Error receiving packet: Connection reset by peer log of a success authentication when second IAS is disabled in proxy.conf: FreeRADIUS Version 2.1.10, for host i686-pc-cygwin, built on Mar 15 2011 at 16:08:33 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file ..\etc\raddb/radiusd.conf including configuration file ..\etc\raddb/proxy.conf including configuration file ..\etc\raddb/clients.conf including files in directory ..\etc\raddb/modules/ including configuration file ..\etc\raddb/modules/acct_unique including configuration file ..\etc\raddb/modules/always including configuration file ..\etc\raddb/modules/attr_filter including configuration file ..\etc\raddb/modules/attr_rewrite including configuration file ..\etc\raddb/modules/chap including configuration file ..\etc\raddb/modules/checkval including configuration file ..\etc\raddb/modules/counter including configuration file ..\etc\raddb/modules/cui including configuration file ..\etc\raddb/modules/detail including configuration file ..\etc\raddb/modules/detail.example.com including configuration file ..\etc\raddb/modules/detail.log including configuration file ..\etc\raddb/modules/digest including configuration file ..\etc\raddb/modules/dynamic_clients including configuration file ..\etc\raddb/modules/echo including configuration file ..\etc\raddb/modules/etc_group including configuration file ..\etc\raddb/modules/exec including configuration file ..\etc\raddb/modules/expiration including configuration file ..\etc\raddb/modules/expr including configuration file ..\etc\raddb/modules/files including configuration file ..\etc\raddb/modules/inner-eap including configuration file ..\etc\raddb/modules/ippool including configuration file ..\etc\raddb/modules/krb5 including configuration file ..\etc\raddb/modules/ldap including configuration file ..\etc\raddb/modules/linelog including configuration file ..\etc\raddb/modules/logintime including configuration file ..\etc\raddb/modules/mac2ip including configuration file ..\etc\raddb/modules/mac2vlan including configuration file ..\etc\raddb/modules/mschap including configuration file ..\etc\raddb/modules/ntlm_auth including configuration file ..\etc\raddb/modules/opendirectory including configuration file ..\etc\raddb/modules/otp including configuration file ..\etc\raddb/modules/pam including configuration file ..\etc\raddb/modules/pap including configuration file ..\etc\raddb/modules/passwd including configuration file ..\etc\raddb/modules/perl including configuration file ..\etc\raddb/modules/policy including configuration file ..\etc\raddb/modules/preprocess including configuration file ..\etc\raddb/modules/radutmp including configuration file ..\etc\raddb/modules/realm including configuration file ..\etc\raddb/modules/smbpasswd including configuration file ..\etc\raddb/modules/smsotp including configuration file ..\etc\raddb/modules/sqlcounter_expire_on_login including configuration file ..\etc\raddb/modules/sql_log including configuration file ..\etc\raddb/modules/sradutmp including configuration file ..\etc\raddb/modules/unix including configuration file ..\etc\raddb/modules/wimax including configuration file ..\etc\raddb/eap.conf including configuration file ..\etc\raddb/policy.conf including files in directory ..\etc\raddb/sites-enabled/ including configuration file ..\etc\raddb/sites-enabled/control-socket including configuration file ..\etc\raddb/sites-enabled/default main { allow_core_dumps = no } including dictionary file ..\etc\raddb/dictionary main { prefix = "C:\freeradius" localstatedir = "C:\freeradius/var" logdir = "C:\freeradius/var/log/radius" libdir = "C:\freeradius/lib" radacctdir = "C:\freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "C:\freeradius/var/run/radiusd/radiusd.pid" checkrad = "C:\freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm devtms2k8.com { nostrip ldflag = round_robin authhost = 192.168.1.10:1812 accthost = 192.168.1.10:1813 secret = 1111 } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.1.8/24 { require_message_authenticator = no secret = "1111" shortname = "netmotion" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file ..\etc\raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file ..\etc\raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file ..\etc\raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file ..\etc\raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ..\etc\raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file ..\etc\raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file ..\etc\raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file ..\etc\raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file ..\etc\raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file ..\etc\raddb/modules/unix unix { radwtmp = "C:\freeradius/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file ..\etc\raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.pem" certificate_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-Server.crt" CA_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/FreeRADIUS.net-CA.crt" private_key_password = "demo" dh_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/dh" random_file = "C:\freeradius/etc/raddb/certs/FreeRADIUS.net/DemoCerts/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file ..\etc\raddb/modules/preprocess preprocess { huntgroups = "..\etc\raddb/huntgroups" hints = "..\etc\raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file ..\etc\raddb/modules/files files { usersfile = "..\etc\raddb/users" acctusersfile = "..\etc\raddb/acct_users" preproxy_usersfile = "..\etc\raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file ..\etc\raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file ..\etc\raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating module "ntdomain" from file ..\etc\raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file ..\etc\raddb/modules/detail detail { detailfile = "C:\freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file ..\etc\raddb/modules/radutmp radutmp { filename = "C:\freeradius/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file ..\etc\raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "..\etc\raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file ..\etc\raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "..\etc\raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "C:\freeradius/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file C:\freeradius/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=34, length=136 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x0200002001444556544d53324b382e434f4d5c61646d696e6973747261746f72 Message-Authenticator = 0xe12d315e5decf1a07a1cfd633f1c7d3e Proxy-State = 0xc0a8010a00000022 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 0 length 32 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 34 to 192.168.1.10 port 2905 EAP-Message = 0x0101001604100bc879a282fe46e5b3a6606ab408767a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be01a1f6fb1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000022 Finished request 0. Going to the next request Waking up in 4.10 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=35, length=129 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x0201000703190d Message-Authenticator = 0x36bddb38b612627df8c0c1ec8f92cb00 State = 0x1a1e6be01a1f6fb1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000023 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 1 length 7 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 35 to 192.168.1.10 port 2905 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be01b1c72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000023 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=36, length=338 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020200d8190016030100cd010000c903014d8f29a7bbced4829a08b0eb799d367a66e0107b7da46d0adc82474a5b4fa3c000005cc014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 Message-Authenticator = 0xc9424039becc1cea361e0219ceec18c9 State = 0x1a1e6be01b1c72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000024 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 2 length 216 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00cd], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 09cd], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 36 to 192.168.1.10 port 2905 EAP-Message = 0x0103040019c000000a1116030100310200002d03014d8f29d901f66c790cb9472c9ba6153c3a3d75eb9be741e5d81b7db8780a251c000035000005ff0100010016030109cd0b0009c90009c60004f4308204f030820459a003020102020102300d06092a864886f70d01010405003081ad311a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886 EAP-Message = 0xf70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574301e170d3036303431333031303830345a170d3136303431303031303030305a3081b1311e301c06035504031315467265655241444955532e6e65742d536572766572310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e657430819f300d06092a EAP-Message = 0x864886f70d010101050003818d0030818902818100c52fed9c525523e090e52f74c1aa17e728f81326d6dc25fec0026a3b38d521f2c1534da84a50a71bfa98a73e41f1478ae20098234719694067607438c1b7729d1f83ba66d2f74def53d7b651446b1ca59be01e1d734e31ad3ab1baf2fac4bd42b3870fcb8de045f8c22c40e549ce34d13facabff6dda49f3993d71b33951b3330203010001a382021830820214300c0603551d130101ff04023000301d0603551d0e04160414deb8cba35c689399984553c2bb09245ffd24102f3081da0603551d230481d23081cf801468e090479d6ed81e03d598e1d67ce31a0f96ad36a181b3a481b03081ad31 EAP-Message = 0x1a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574820101300b0603551d0f0404030202e4306f0603551d250468306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06 EAP-Message = 0x01050507030506082b060105 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be0181d72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000024 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=37, length=128 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020300061900 Message-Authenticator = 0x49bb2e6c397f182bf23d05085f1e4cbb State = 0x1a1e6be0181d72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000025 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 37 to 192.168.1.10 port 2905 EAP-Message = 0x010403fc19400507030606082b0601050507030706082b06010505080202060a2b06010401823714020230250603551d11041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e657430250603551d12041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e6574301106096086480186f84201010404030202c4302906096086480186f842010d041c161a5669736974207777772e467265655241444955532e6e65742021300d06092a864886f70d0101040500038181007662b3b6b60fc4dd059c85c504e04f19d060660b72b0b2b0a70f99324f3f7499a81d0fc9bebe049e43e2838532195b27deba265f EAP-Message = 0x2a5b62da9d95a87c9e50ec264bd467e8db60f54ebeb9972228c0535953e51baeb35ce908fa9e335e68d77a440074263ef771dd949c5312f4d985f6bcc9d3e0b8e32d7f1f83ddcb70e1929afc0004cc308204c830820431a003020102020101300d06092a864886f70d01010405003081ad311a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886 EAP-Message = 0xf70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574301e170d3036303431333031303531325a170d3136303431303031303531325a3081ad311a301806035504031311467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e657430819f300d06092a864886f7 EAP-Message = 0x0d010101050003818d0030818902818100d9a1e9eb8dfc66796b854d0dde4ce84379bc84f46fa7e2a8165d571d417f42bb482867554d44cccd69f9c0e463b97651d84d0470e58ffae406d9182f4b071e9ba48175ea28f5b09ccef89ed7d05875ef188b05276682a2ff93f2b036af66394802207c829c43b388e24f71f315ef158061ccba5b27e4327b4614e56f451ee2ad0203010001a38201f4308201f0300f0603551d130101ff040530030101ff301d0603551d0e0416041468e090479d6ed81e03d598e1d67ce31a0f96ad363081da0603551d230481d23081cf801468e090479d6ed81e03d598e1d67ce31a0f96ad36a181b3a481b03081ad311a EAP-Message = 0x3018060355040313 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be0191a72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000025 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=38, length=128 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020400061900 Message-Authenticator = 0x9014286922f5a2a5f54f8d4fb92a755b State = 0x1a1e6be0191a72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000026 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 38 to 192.168.1.10 port 2905 EAP-Message = 0x0105022b190011467265655241444955532e6e65742d4341310b3009060355040613025553310e300c06035504071305446f766572311630140603550408130d4e65772048616d70736869726531173015060355040a130e467265655241444955532e6e657431163014060355040b130d46726565205468696e6b6572733129302706092a864886f70d010901161a4a6566662e5265696c6c7940467265655241444955532e6e6574820101300b0603551d0f040403020106306f0603551d250468306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505 EAP-Message = 0x07030506082b0601050507030606082b0601050507030706082b06010505080202060a2b06010401823714020230250603551d11041e301c811a4a6566662e5265696c6c7940467265655241444955532e6e6574301106096086480186f84201010404030200c7302906096086480186f842010d041c161a5669736974207777772e467265655241444955532e6e65742021300d06092a864886f70d01010405000381810000674d1b82e8db81e5a6fdb44ba24f89738dc5954c777fa794282102a5a8b3376a39e2aadc4be4d3833545cd0ea6fda3208a2a9ed4619f3dd71302f1327d4d65035933c1fc05b542ff65d9f971306a4b97932f283257f64f EAP-Message = 0x66c8947edd4f93ee7ccf279d826338e05dee101e2524fdbe3000a60605c1070d081b97da24dadbf316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be01e1b72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000026 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=39, length=326 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020500cc19001603010086100000820080bf5e26b53a6de61622737b5a96f5237f28565d04ece5be94198544ea586326ee35f7cb4a318b6c329edc540b3da68a73d085b0fd021b4bd54b240649221b219c06640c6723006bb268afd68b56f49551aad6b548909f706398a532d12b1ab2fda2b157ab9cc97019a40331fae5d2f71ea6ad0125256a9f0f5e4e2f0bb2c6d30a1403010001011603010030cd8560b22dc7fd59cc0c2eb534725c0f6bec322dcb1df4ee21a6c943edbe540cbce43815804b3ab42f4e3efa9f2dde46 Message-Authenticator = 0x427d2c8994fb6abba05db82537fcce84 State = 0x1a1e6be01e1b72b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000027 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 5 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 39 to 192.168.1.10 port 2905 EAP-Message = 0x01060041190014030100010116030100305c77576756136f45f56df90e49fa36adc11e748d1e00f326d391c9976e20d312fdb0fcc746a67447f79b7f56166bda23 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be01f1872b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000027 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=40, length=128 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020600061900 Message-Authenticator = 0x8625b430816ee12b39c0dae7076dfdbc State = 0x1a1e6be01f1872b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000028 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 40 to 192.168.1.10 port 2905 EAP-Message = 0x0107002b19001703010020f0d3b068d890ba45a504d71adda3077f6a62f01dd72a5a0e62e1b02273eba054 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be01c1972b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000028 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=41, length=234 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020700701900170301002010f6c685e435e8b7e74ee9eb26a5a14e9298228e040e24ae6616a657cd380b8117030100403282e9ad2276d2c43b06f76c39f3a1313f219b5e2cd1a886cb5086304337447c6edb771549b43138d15761a156f43c221ab29a7603194e173c0ed52c6031001a Message-Authenticator = 0xdfc3a12524103f59af9c938ccad49b4f State = 0x1a1e6be01c1972b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000029 # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 7 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - DEVTMS2K8.COM\administrator [peap] Got inner identity 'DEVTMS2K8.COM\administrator' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207002001444556544d53324b382e434f4d5c61646d696e6973747261746f72 server { PEAP: Setting User-Name to DEVTMS2K8.COM\administrator Sending tunneled request EAP-Message = 0x0207002001444556544d53324b382e434f4d5c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DEVTMS2K8.COM\\administrator" NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55ba" NAS-IP-Address = 192.168.1.10 server { # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 7 length 32 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop } # server [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Cancelling proxy to realm devtms2k8.com until the tunneled EAP session has been established [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010800351a0108003010e16411c9f88b9a64e3062408071d7706444556544d53324b382e434f4d5c61646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68df673868d77d6df543d30b30a2a0b9 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 41 to 192.168.1.10 port 2905 EAP-Message = 0x0108005b1900170301005046e53797a31f727d615cfe8d3d36ac2b739277b308c66f6de7d2f109114ef4b929cdf81fc45017e019d467498b23c60ad7322babe6ed4a0be24db04639f29758f18bbfd480aa3b77b43c372750dfc237 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be01d1672b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a00000029 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=42, length=282 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020800a01900170301002033b018164946779186fe5aecba9390d2c5d78295f26e166b8938d19c3f550f7a17030100708dd503e59ed1249e73a7c4fa803cb950793367df8c68ecbf384afb5c9bf4cb6d25bf1c17b96e8ace0922a314fd1d16b696ea99e6c611e10ee81a84a80d7499c1b7402809880e2b40ff4baa96afff8d8d967726adc94e8f6b7afcdd19fda2a60a2d480467c37a7ad282c0d01c807114c0 Message-Authenticator = 0x3ac3a8041a687b1e310622c445daa8af State = 0x1a1e6be01d1672b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a0000002a # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 8 length 160 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800561a0208005131b4a3dbb5beb781294abc39062dbbc29c0000000000000000ab02dcf402af9c1ce296943d1833c9c41c5a8f011eb85dd500444556544d53324b382e434f4d5c61646d696e6973747261746f72 server { PEAP: Setting User-Name to DEVTMS2K8.COM\administrator Sending tunneled request EAP-Message = 0x020800561a0208005131b4a3dbb5beb781294abc39062dbbc29c0000000000000000ab02dcf402af9c1ce296943d1833c9c41c5a8f011eb85dd500444556544d53324b382e434f4d5c61646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DEVTMS2K8.COM\\administrator" State = 0x68df673868d77d6df543d30b30a2a0b9 NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55ba" NAS-IP-Address = 192.168.1.10 server { # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 8 length 86 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop } # server [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Not-EAP proxy set. Not composing EAP ++[eap] returns handled PEAP: Tunneled authentication will be proxied to devtms2k8.com PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy. [eap] Tunneled session will be proxied. Not doing EAP. ++[eap] returns handled WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 57 to 192.168.1.10 port 1812 User-Name = "DEVTMS2K8.COM\\administrator" NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55ba" NAS-IP-Address = 192.168.1.10 MS-CHAP-Challenge = 0xe16411c9f88b9a64e3062408071d7706 MS-CHAP2-Response = 0x0845b4a3dbb5beb781294abc39062dbbc29c0000000000000000ab02dcf402af9c1ce296943d1833c9c41c5a8f011eb85dd5 Proxy-State = 0x3432 Proxying request 8 to home server 192.168.1.10 port 1812 Sending Access-Request of id 57 to 192.168.1.10 port 1812 User-Name = "DEVTMS2K8.COM\\administrator" NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55ba" NAS-IP-Address = 192.168.1.10 MS-CHAP-Challenge = 0xe16411c9f88b9a64e3062408071d7706 MS-CHAP2-Response = 0x0845b4a3dbb5beb781294abc39062dbbc29c0000000000000000ab02dcf402af9c1ce296943d1833c9c41c5a8f011eb85dd5 Proxy-State = 0x3432 Going to the next request Waking up in 0.10 seconds. rad_recv: Access-Accept packet from host 192.168.1.10 port 1812, id=57, length=159 Proxy-State = 0x3432 MS-MPPE-Send-Key = 0x30e37d74d97c2e11e3207a9d1fc7616e MS-MPPE-Recv-Key = 0x7639a91a614bf43a76e09a323f0ec5c0 MS-CHAP2-Success = 0x81533d45383736354231314444453738423341334146303743423435353233374437453843443731324234 # Executing section post-proxy from file ..\etc\raddb/sites-enabled/default +- entering group post-proxy {...} [eap] Doing post-proxy callback [eap] Passing reply from proxy back into the tunnel. server (null) { [eap] Passing reply back for EAP-MS-CHAP-V2 # Executing section post-proxy from file ..\etc\raddb/sites-enabled/default +- entering group post-proxy {...} [eap] Doing post-proxy callback rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x1018dd58 2. rlm_eap_mschapv2: Authentication succeeded. MSCHAP Success ++[eap] returns ok # Executing section post-auth from file ..\etc\raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop } # server (null) [eap] Final reply from tunneled session code 11 Proxy-State = 0x3432 EAP-Message = 0x010900331a0308002e533d45383736354231314444453738423341334146303743423435353233374437453843443731324234 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68df673869d67d6df543d30b30a2a0b9 [eap] Got reply 11 [eap] Got tunneled reply RADIUS code 11 Proxy-State = 0x3432 EAP-Message = 0x010900331a0308002e533d45383736354231314444453738423341334146303743423435353233374437453843443731324234 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x68df673869d67d6df543d30b30a2a0b9 [eap] Got tunneled Access-Challenge [eap] Reply was handled ++[eap] returns ok Sending Access-Challenge of id 42 to 192.168.1.10 port 2905 EAP-Message = 0x0109005b1900170301005052d6f69436a7af0792fc83d6e520aa75f267dfeab12e331f33b51947fc3bfeee82ff0cf1de28e3995b95d920a176aacb3f2085161b799698d6342e68ea4a4f9d0105283e4c059a76327c1af7fb404f3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be0121772b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a0000002a Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=43, length=202 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x0209005019001703010020735c954fef9c66ffa84bf341d70e33fd39030e9bfbac14c7ddc1cd70c842d924170301002078b85d9fea591166be28f76e5a46f217237fb9f16f5d88255be5a4634a46955a Message-Authenticator = 0xc137016920e5d32fbf31247fbfebf48d State = 0x1a1e6be0121772b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a0000002b # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 9 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to DEVTMS2K8.COM\administrator Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DEVTMS2K8.COM\\administrator" State = 0x68df673869d67d6df543d30b30a2a0b9 NAS-Identifier = "NETMOTION" Calling-Station-Id = "0000005e55ba" NAS-IP-Address = 192.168.1.10 server { # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop } # server [peap] Got tunneled reply code 0 PEAP: Calling authenticate in order to initiate tunneled EAP session. # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Send-Key = 0x30e37d74d97c2e11e3207a9d1fc7616e MS-MPPE-Recv-Key = 0x7639a91a614bf43a76e09a323f0ec5c0 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "DEVTMS2K8.COM\\administrator" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 43 to 192.168.1.10 port 2905 EAP-Message = 0x010a002b19001703010020ece5f58c0cb18046399a0ac9fdbd2d6c036e37c9042868e49aaece185f81ec4e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1a1e6be0131472b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a0000002b Finished request 9. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.1.10 port 2905, id=44, length=202 NAS-Identifier = "NETMOTION" User-Name = "DEVTMS2K8.COM\\administrator" Calling-Station-Id = "0000005e55ba" EAP-Message = 0x020a0050190017030100204bcf5f06fb4f43c41bfdeac1e154569c3e1a4504e1d20fb7260a321fe9e70d581703010020db92ff0ccea165eaa47231ce07808e7bd85109a855978e1c10fae4eadd066ebe Message-Authenticator = 0xf356b16497a9cf56a4b768a4f0d0d4e5 State = 0x1a1e6be0131472b1a3c3640ccefd05a2 Proxy-State = 0xc0a8010a0000002c # Executing section authorize from file ..\etc\raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 10 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file ..\etc\raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok expand: -> Login OK: [DEVTMS2K8.COM\\administrator/] (from client netmotion port 0 cli 0000005e55ba) # Executing section post-auth from file ..\etc\raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 44 to 192.168.1.10 port 2905 MS-MPPE-Recv-Key = 0xd977b3456d1f16302f63255558756bc42693c5837eae669055fa8f181c69256f MS-MPPE-Send-Key = 0x3257e3ec667b986e65e1568a6757546aaf019c6a945d93d31e6a83e724ea8435 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "DEVTMS2K8.COM\\administrator" Proxy-State = 0xc0a8010a0000002c Finished request 10. Going to the next request Waking up in 4.6 seconds. Cleaning up request 0 ID 34 with timestamp +10 Cleaning up request 1 ID 35 with timestamp +10 Cleaning up request 2 ID 36 with timestamp +10 Cleaning up request 3 ID 37 with timestamp +10 Cleaning up request 4 ID 38 with timestamp +10 Cleaning up request 5 ID 39 with timestamp +10 Cleaning up request 6 ID 40 with timestamp +10 Cleaning up request 7 ID 41 with timestamp +10 Waking up in 0.2 seconds. Cleaning up request 8 ID 42 with timestamp +10 Cleaning up request 9 ID 43 with timestamp +10 Cleaning up request 10 ID 44 with timestamp +10 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/peap-termination-issue-when-using-fa... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Gil Mazor wrote:
Yes , the error do cause a problem, as once it occurs , I must restart Radiusd. I attach two logs, first one is with the failure and the second one is a success , when the second IAS is commented in proxy.conf
Log of the problem:
FreeRADIUS Version 2.1.10, for host i686-pc-cygwin, built on Mar 15 2011 at 16:08:33
On *cygwin*? That's why you're getting ECONNRESET on a UDP socket. Windows sucks. The UDP socket is *not* connected, and it should *not* be getting that message. The Windows network stack thinks that because *one* destination for the UDP socket says "I'm down", then that must mean that the UDP socket can't send to any *other* destination, either. That's stupid. Unfortunately, this will be awkward to fix. The code in FreeRADIUS assumes that the network stack works, and that unconnected UDP sockets aren't suddenly disconnected from the network. The fix is to change a number of internal APIs so that the correct error is propagated backward through the code. Then, to close and-reopen the proxy socket when it sees that error. I don't think that's possible in 2.1.10. The rest of the infrastructure code just isn't there. It may be possible in the next major release. In short, use an OS that works. Or, live with the fact that the server needs to be restarted whenever a home server dies. Alan DeKok.
Hi Again, Is it possible to use different proxy technique than realms ,for instance if I use home servers in combination with (DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := mydomain.com ) will it work for this topology? what are the necessary configurations to accomplish it? -- View this message in context: http://freeradius.1045715.n5.nabble.com/peap-termination-issue-when-using-fa... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
Gil Mazor -
Rtz Poknat