Hello, I have a new radius instance running. Unfortunatelly users with MacOS cannot be authenticated. It seems like the password does not come through. Do you have any idea? /etc/freeradius.testing# freeradius -X -d /etc/freeradius.testing freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 24 2014 at 02:05:28 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius.testing/radiusd.conf including configuration file /etc/freeradius.testing/proxy.conf including configuration file /etc/freeradius.testing/clients.conf including configuration file /etc/freeradius.testing/wlan_clients.conf including files in directory /etc/freeradius.testing/modules/ including configuration file /etc/freeradius.testing/modules/sql_log including configuration file /etc/freeradius.testing/modules/perl including configuration file /etc/freeradius.testing/modules/attr_filter including configuration file /etc/freeradius.testing/modules/echo including configuration file /etc/freeradius.testing/modules/rediswho including configuration file /etc/freeradius.testing/modules/digest including configuration file /etc/freeradius.testing/modules/pap including configuration file /etc/freeradius.testing/modules/etc_group including configuration file /etc/freeradius.testing/modules/policy including configuration file /etc/freeradius.testing/modules/mac2ip including configuration file /etc/freeradius.testing/modules/logintime including configuration file /etc/freeradius.testing/modules/cui including configuration file /etc/freeradius.testing/modules/dhcp_sqlippool including configuration file /etc/freeradius.testing/modules/replicate including configuration file /etc/freeradius.testing/modules/radrelay including configuration file /etc/freeradius.testing/modules/ldap including configuration file /etc/freeradius.testing/modules/expr including configuration file /etc/freeradius.testing/modules/counter including configuration file /etc/freeradius.testing/modules/ippool including configuration file /etc/freeradius.testing/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius.testing/modules/cache including configuration file /etc/freeradius.testing/modules/inner-eap including configuration file /etc/freeradius.testing/modules/soh including configuration file /etc/freeradius.testing/modules/checkval including configuration file /etc/freeradius.testing/modules/radutmp including configuration file /etc/freeradius.testing/modules/dynamic_clients including configuration file /etc/freeradius.testing/modules/files including configuration file /etc/freeradius.testing/modules/realm including configuration file /etc/freeradius.testing/modules/unix including configuration file /etc/freeradius.testing/modules/detail.log including configuration file /etc/freeradius.testing/modules/sradutmp including configuration file /etc/freeradius.testing/modules/mac2vlan including configuration file /etc/freeradius.testing/modules/passwd including configuration file /etc/freeradius.testing/modules/acct_unique including configuration file /etc/freeradius.testing/modules/detail.example.com including configuration file /etc/freeradius.testing/modules/linelog including configuration file /etc/freeradius.testing/modules/mschap including configuration file /etc/freeradius.testing/modules/expiration including configuration file /etc/freeradius.testing/modules/chap including configuration file /etc/freeradius.testing/modules/opendirectory including configuration file /etc/freeradius.testing/modules/exec including configuration file /etc/freeradius.testing/modules/pam including configuration file /etc/freeradius.testing/modules/smsotp including configuration file /etc/freeradius.testing/modules/detail including configuration file /etc/freeradius.testing/modules/krb5 including configuration file /etc/freeradius.testing/modules/attr_rewrite including configuration file /etc/freeradius.testing/modules/always including configuration file /etc/freeradius.testing/modules/redis including configuration file /etc/freeradius.testing/modules/preprocess including configuration file /etc/freeradius.testing/eap.conf including configuration file /etc/freeradius.testing/policy.conf including files in directory /etc/freeradius.testing/sites-enabled/ including configuration file /etc/freeradius.testing/sites-enabled/eduroam-inner-tunnel including configuration file /etc/freeradius.testing/sites-enabled/eduroam main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius.testing/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius-eduroam" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius-eduroam/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client local { ipaddr = 192.168.11.50 require_message_authenticator = no nastype = "other" } client 192.168.11.246 { require_message_authenticator = no nastype = "other" virtual_server = "eduroam" } client 172.16.1.18 { require_message_authenticator = no nastype = "other" virtual_server = "eduroam" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no nastype = "other" virtual_server = "eduroam" } client 172.16.1.30 { require_message_authenticator = no virtual_server = "eduroam" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius.testing/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius.testing/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius.testing/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius.testing/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file ? modules { } # modules } # server server eduroam-inner-tunnel { # from file /etc/freeradius.testing/sites-enabled/eduroam-inner-tunnel modules { Module: Creating Auth-Type = Perl Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius.testing/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius.testing/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius.testing/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 3 CA_path = "/etc/freeradius.testing/certs" pem_file_type = yes private_key_file = "/etc/freeradius.testing/certs/server.key" certificate_file = "/etc/freeradius.testing/certs/server.pem" CA_file = "/etc/freeradius.testing/certs/ca.pem" dh_file = "/etc/freeradius.testing/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no ecdh_curve = "prime256v1" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "eduroam-inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /etc/freeradius.testing/modules/perl perl { module = "/etc/freeradius.testing/auth.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } "my" variable $index_path masks earlier declaration in same scope at /etc/freeradius.testing/auth.pl line 254. Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius.testing/modules/preprocess preprocess { huntgroups = "/etc/freeradius.testing/huntgroups" hints = "/etc/freeradius.testing/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius.testing/huntgroups reading pairlist file /etc/freeradius.testing/hints Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/freeradius.testing/modules/detail.log detail auth_log { detailfile = "/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius.testing/modules/files files { usersfile = "/etc/freeradius.testing/users" acctusersfile = "/etc/freeradius.testing/acct_users" preproxy_usersfile = "/etc/freeradius.testing/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius.testing/users reading pairlist file /etc/freeradius.testing/acct_users reading pairlist file /etc/freeradius.testing/preproxy_users Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/freeradius.testing/modules/detail detail { detailfile = "/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /etc/freeradius.testing/modules/detail.log detail reply_log { detailfile = "/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } } # modules } # server server eduroam { # from file /etc/freeradius.testing/sites-enabled/eduroam modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius.testing/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius.testing/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/etc/freeradius.testing/attrs.pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius.testing/attrs.pre-proxy Module: Instantiating module "pre_proxy_log" from file /etc/freeradius.testing/modules/detail.log detail pre_proxy_log { detailfile = "/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/freeradius.testing/modules/detail.log detail post_proxy_log { detailfile = "/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.post-proxy" from file /etc/freeradius.testing/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/etc/freeradius.testing/attrs" key = "%{Realm}" relaxed = no } reading pairlist file /etc/freeradius.testing/attrs } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1820 } listen { type = "acct" ipaddr = * port = 1821 } ... adding new socket proxy address * port 40565 Listening on authentication address * port 1820 Listening on accounting address * port 1821 Listening on proxy address * port 1822 Ready to process requests. With kind regards, Marlen Caemmerer -- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin Email: caemmerer@ash-berlin.eu ************************************************
On Thu, Oct 13, 2016 at 01:03:34PM +0200, Marlen Caemmerer wrote:
It seems like the password does not come through.
Do you have any idea?
/etc/freeradius.testing# freeradius -X -d /etc/freeradius.testing freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on
Please upgrade to a recent version of 3.0. Version 2 is no longer supported. ...
Listening on authentication address * port 1820 Listening on accounting address * port 1821 Listening on proxy address * port 1822 Ready to process requests.
If this is the entirety of the debug output, then check that your NAS is actually sending packets to your RADIUS server, and there are no firewalls etc in the way. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
hi, debug didnt have an auth attenot in it. how is the Mac configured for EAP auth - using a profile? - your config has default type for TTLS being md5 - maybe want to look at that alan
Hello, Am 2016-10-13 15:20, schrieb A.L.M.Buxey@lboro.ac.uk:
debug didnt have an auth attenot in it. how is the Mac configured for EAP auth - using a profile? - your config has default type for TTLS being md5 - maybe want to look at that
Sorry for the late answer. I had to get a test client. I use a network profile for it which is generated via a portal called cat.eduroam.org. This is the debug output of a client that connected. ... adding new socket proxy address * port 39108 Listening on authentication address * port 1820 Listening on accounting address * port 1821 Listening on proxy address * port 1822 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=132, length=203 User-Name = "anonymous@ash-berlin.eu" Calling-Station-Id = "5C-96-9D-10-D1-4B" Called-Station-Id = "00-23-EA-7D-93-A0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.16.1.30 NAS-Identifier = "WLC1" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x0201001c01616e6f6e796d6f7573406173682d6265726c696e2e6575 Message-Authenticator = 0x92b06b7b20a6d6066fc225283c27a312 server eduroam { # Executing section authorize from file /etc/freeradius.testing/sites-enabled/eduroam +group authorize { [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu" ++[suffix] = noop ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) expand: %{control:Proxy-To-Realm} -> ?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE ?? Skipping (User-Name =~ /.*@ash-berlin.eu$/) ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE ++[preprocess] = ok [files] users: Matched entry DEFAULT at line 1 ++[files] = ok rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair NAS-IP-Address = 172.16.1.30 rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair User-Name = anonymous@ash-berlin.eu rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair Airespace-Wlan-Id = 7 rlm_perl: Added pair EAP-Message = 0x0201001c01616e6f6e796d6f7573406173682d6265726c696e2e6575 rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B rlm_perl: Added pair Tunnel-Private-Group-Id = 14 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair Message-Authenticator = 0x92b06b7b20a6d6066fc225283c27a312 rlm_perl: Added pair NAS-Identifier = WLC1 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam rlm_perl: Added pair Auth-Type = Perl ++[perl] = ok [eap] EAP packet type response id 1 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop ++[mschap] = noop +} # group authorize = updated Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'anonymous@ash-berlin.eu' # Executing group from file /etc/freeradius.testing/sites-enabled/eduroam +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled } # server eduroam Sending Access-Challenge of id 132 to 127.0.0.1 port 59385 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfcd9611ffcdb74ad4996af7f0a8b0ca0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=133, length=324 User-Name = "anonymous@ash-berlin.eu" Calling-Station-Id = "5C-96-9D-10-D1-4B" Called-Station-Id = "00-23-EA-7D-93-A0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.16.1.30 NAS-Identifier = "WLC1" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x0202008315800000007916030100740100007003015804cc9ceea63bd085306a87f9e341866b350550ad000bceb6dd70db3bd9cb8a00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 State = 0xfcd9611ffcdb74ad4996af7f0a8b0ca0 Message-Authenticator = 0x8adafa3b33eae84e3fab037306fdef47 server eduroam { # Executing section authorize from file /etc/freeradius.testing/sites-enabled/eduroam +group authorize { [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu" ++[suffix] = noop ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) expand: %{control:Proxy-To-Realm} -> ?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE ?? Skipping (User-Name =~ /.*@ash-berlin.eu$/) ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE ++[preprocess] = ok [files] users: Matched entry DEFAULT at line 1 ++[files] = ok rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair User-Name = anonymous@ash-berlin.eu rlm_perl: Added pair Airespace-Wlan-Id = 7 rlm_perl: Added pair Tunnel-Private-Group-Id = 14 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Message-Authenticator = 0x8adafa3b33eae84e3fab037306fdef47 rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam rlm_perl: Added pair State = 0xfcd9611ffcdb74ad4996af7f0a8b0ca0 rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair NAS-IP-Address = 172.16.1.30 rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B rlm_perl: Added pair EAP-Message = 0x0202008315800000007916030100740100007003015804cc9ceea63bd085306a87f9e341866b350550ad000bceb6dd70db3bd9cb8a00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair NAS-Identifier = WLC1 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Auth-Type = Perl ++[perl] = ok [eap] EAP packet type response id 2 length 131 [eap] Continuing tunnel setup. ++[eap] = ok ++[pap] = noop ++[mschap] = noop +} # group authorize = ok Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'anonymous@ash-berlin.eu' # Executing group from file /etc/freeradius.testing/sites-enabled/eduroam +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 121 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0074], ClientHello [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 144b], Certificate [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: unknown state [ttls] TLS_accept: unknown state [ttls] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled } # server eduroam Sending Access-Challenge of id 133 to 127.0.0.1 port 59385 EAP-Message = 0x0103040015c0000015e71603010039020000350301d978e2494eee2b85dec288b4b5315cd57326fb299b9d907362622fc1890a8e7800c01400000dff01000100000b000403000102160301144b0b00144700144400061e3082061a30820502a00302010202071bdf866ad82312300d06092a864886f70d01010b05003081a7310b3009060355040613024445310f300d06035504080c064265726c696e310f300d06035504070c064265726c696e31283026060355040a0c1f416c6963652d53616c6f6d6f6e2d486f6368736368756c65204265726c696e310d300b060355040b0c04436f6d5a311c301a06035504030c13415348204245524c494e20 EAP-Message = 0x4341202d20473031311f301d06092a864886f70d01090116106361406173682d6265726c696e2e6575301e170d3136303832363039313631315a170d3139303633303030303030305a308183310b3009060355040613024445310f300d06035504080c064265726c696e310f300d06035504070c064265726c696e31283026060355040a0c1f416c6963652d53616c6f6d6f6e2d486f6368736368756c65204265726c696e310d300b060355040b0c04436f6d5a3119301706035504030c10782e617366682d6265726c696e2e646530820122300d06092a864886f70d01010105000382010f003082010a02820101009894a1c24dac379420d92bc582 EAP-Message = 0xec58d6cf4732207271a70916ce2da6b9f3e62e4fe855728c3320650e2c2eb074db7116d6b43c2f2964eddeff5760b4fba6acb964cc0a88efc09cc55bd9fdeaabfbf3988b891f2ef8b5980874b462f50145b9e995e4b9e45b42c7e23a17d768dd0cacab16cc58ec51186d5887562d2ba9092d3629b141cb24ccd468b311dc0c417cbf1decc2000b4cfa12dd94a2e5802d8bd1bd5f43f1f4a59a664776dc4c8b94c96d90109c6e9ac05cdaf558784a7bb0a1d679de214d74f64a358fb9c480ab39b9983d7728ccafc2c2dee10f4d27188c6da5dc3d620c40c200d25acbe8de5b880d5e9432b917bac57a51e0857744ba6e741e250203010001a382026b30 EAP-Message = 0x82026730090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e0416041462ebde92e74bf94d09a00189889d9abb67a961b1301f0603551d23041830168014d344b9a15fdd7c3165e86f2913aa4d1a6bcdc6fc30300603551d11042930278210782e617366682d6265726c696e2e64658213786c616e2e617366682d6265726c696e2e64653081850603551d1f047e307c303ca03aa0388636687474703a2f2f636470312e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075622f63726c2f636163726c2e63726c303ca03a EAP-Message = 0xa0388636687474703a2f2f63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfcd9611ffdda74ad4996af7f0a8b0ca0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=134, length=199 User-Name = "anonymous@ash-berlin.eu" Calling-Station-Id = "5C-96-9D-10-D1-4B" Called-Station-Id = "00-23-EA-7D-93-A0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.16.1.30 NAS-Identifier = "WLC1" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x020300061500 State = 0xfcd9611ffdda74ad4996af7f0a8b0ca0 Message-Authenticator = 0x492084960259d2d8cac9828a6941b637 server eduroam { # Executing section authorize from file /etc/freeradius.testing/sites-enabled/eduroam +group authorize { [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu" ++[suffix] = noop ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) expand: %{control:Proxy-To-Realm} -> ?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE ?? Skipping (User-Name =~ /.*@ash-berlin.eu$/) ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE ++[preprocess] = ok [files] users: Matched entry DEFAULT at line 1 ++[files] = ok rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair User-Name = anonymous@ash-berlin.eu rlm_perl: Added pair Airespace-Wlan-Id = 7 rlm_perl: Added pair Tunnel-Private-Group-Id = 14 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Message-Authenticator = 0x492084960259d2d8cac9828a6941b637 rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam rlm_perl: Added pair State = 0xfcd9611ffdda74ad4996af7f0a8b0ca0 rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair NAS-IP-Address = 172.16.1.30 rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B rlm_perl: Added pair EAP-Message = 0x020300061500 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair NAS-Identifier = WLC1 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Auth-Type = Perl ++[perl] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[pap] = noop ++[mschap] = noop +} # group authorize = ok Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'anonymous@ash-berlin.eu' # Executing group from file /etc/freeradius.testing/sites-enabled/eduroam +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled } # server eduroam Sending Access-Challenge of id 134 to 127.0.0.1 port 59385 EAP-Message = 0x0104040015c0000015e76470322e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075622f63726c2f636163726c2e63726c3081d506082b060105050701010481c83081c5303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304606082b06010505073002863a687474703a2f2f636470312e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075622f6361636572742f6361636572742e637274304606082b06010505073002863a687474703a2f2f636470322e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075 EAP-Message = 0x622f6361636572742f6361636572742e63727430590603551d2004523050300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e3008060667810c0102023011060f2b0601040181ad21822c01010403053011060f2b0601040181ad21822c0201040301300d06092a864886f70d01010b050003820101008f1a8ce6b00a64971970cd4ab32bfd1c4a01725f8c7a05c61fa2e5284a8759634cb39b9e97766b6bd1b7db3435d365850762a8a4d4c406a06799f4765ebb6fb0db7a7cddc5b6da15ea222570d2c420daead262215b8ef7734b5937217aad7ca01bbce2c0c641e600e5a95849e0b35a27428efb33d218d1959cda58 EAP-Message = 0x569e9664254c202c1f942841e29c2210a483397403c4a5877ff0e36180dcc3e1f0853729724dc5ced97113f607879be07a876643a68687a597e605ad725d319b0a8f2832299c90e63e43ef04d131d424f769821e76f0b2d5891bb6a3ee8509f1214d884ab3b41927bee6227f911d537af8d7231c0aab10f64a73e6c55f380610cec314644d00059e3082059a30820482a00302010202071930bad4f92758300d06092a864886f70d01010b0500305a310b300906035504061302444531133011060355040a130a44464e2d56657265696e3110300e060355040b130744464e2d504b49312430220603550403131b44464e2d56657265696e2050434120 EAP-Message = 0x476c6f62616c202d20473031301e170d3135303332343130333233365a170d3139303633303030303030305a3081a7310b3009060355040613024445310f300d06035504080c064265726c696e310f300d06035504070c064265726c696e31283026060355040a0c1f416c6963652d53616c6f6d6f6e2d486f6368736368756c65204265726c696e310d300b060355040b0c04436f6d5a311c301a06035504030c13415348204245524c494e204341202d20473031311f301d06092a864886f70d01090116106361406173682d6265726c696e2e657530820122300d06092a864886f70d01010105000382010f003082010a0282010100ad53771db4be EAP-Message = 0x88e9d154d793618b2b021a5f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfcd9611ffedd74ad4996af7f0a8b0ca0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=135, length=199 User-Name = "anonymous@ash-berlin.eu" Calling-Station-Id = "5C-96-9D-10-D1-4B" Called-Station-Id = "00-23-EA-7D-93-A0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.16.1.30 NAS-Identifier = "WLC1" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x020400061500 State = 0xfcd9611ffedd74ad4996af7f0a8b0ca0 Message-Authenticator = 0x348b2d21fe2556a93c0d4a930f2d9693 server eduroam { # Executing section authorize from file /etc/freeradius.testing/sites-enabled/eduroam +group authorize { [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu" ++[suffix] = noop ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) expand: %{control:Proxy-To-Realm} -> ?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE ?? Skipping (User-Name =~ /.*@ash-berlin.eu$/) ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE ++[preprocess] = ok [files] users: Matched entry DEFAULT at line 1 ++[files] = ok rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair User-Name = anonymous@ash-berlin.eu rlm_perl: Added pair Airespace-Wlan-Id = 7 rlm_perl: Added pair Tunnel-Private-Group-Id = 14 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Message-Authenticator = 0x348b2d21fe2556a93c0d4a930f2d9693 rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam rlm_perl: Added pair State = 0xfcd9611ffedd74ad4996af7f0a8b0ca0 rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair NAS-IP-Address = 172.16.1.30 rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B rlm_perl: Added pair EAP-Message = 0x020400061500 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair NAS-Identifier = WLC1 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Auth-Type = Perl ++[perl] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[pap] = noop ++[mschap] = noop +} # group authorize = ok Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'anonymous@ash-berlin.eu' # Executing group from file /etc/freeradius.testing/sites-enabled/eduroam +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled } # server eduroam Sending Access-Challenge of id 135 to 127.0.0.1 port 59385 EAP-Message = 0x0105040015c0000015e75566e84910b2e07600cf25e19c417a2d3bb78d31093aa77586abfc36eed19e340e25e5fe11540199fea6df7e13e4c540ebcad9cf036083879f91c9e012deb8434b6884a4d6787d806459102350860125af09e5d6e8947c34456db03e86442ac48aec8a67cab27cf3367b4833d24de24735d998d06cbcb1adf75dd403e2a6224f2aa0e73e99c560e964aa55ab17c5c8dd922d14ea9457265e04c4b3491e86395b254ada657e78479ce1cb43ae190c75f61f36e4ff206bc7c2a1e88306e8679be7ec59f4c10b5895244239435eb172a52de91cbb64e23cbe184663fd430974ddf1f2e859fda41dddf64204221078d50203010001 EAP-Message = 0xa38202153082021130120603551d130101ff040830060101ff020101300e0603551d0f0101ff04040302010630290603551d2004223020300d060b2b0601040181ad21822c1e300f060d2b0601040181ad21822c010104301d0603551d0e04160414d344b9a15fdd7c3165e86f2913aa4d1a6bcdc6fc301f0603551d2304183016801449b7c6cfe83d1f7fea447b1329f7f10a703ede64301b0603551d110414301281106361406173682d6265726c696e2e65753081880603551d1f048180307e303da03ba0398637687474703a2f2f636470312e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f63726c2f636163726c2e EAP-Message = 0x63726c303da03ba0398637687474703a2f2f636470322e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f63726c2f636163726c2e63726c3081d706082b060105050701010481ca3081c7303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304706082b06010505073002863b687474703a2f2f636470312e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f6361636572742f6361636572742e637274304706082b06010505073002863b687474703a2f2f636470322e7063612e64666e2e64652f676c6f6261 EAP-Message = 0x6c2d726f6f742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101001fb9bd5d8a03df03e79c02a84642dff15b0582a0c34aa3d6d72b9570fa95bc3c9d3d3574683d2e944e3a8b3f41d140ed0dc15deb69db81c390489743d4f9d85356cbddfa64f26f368dc2c40ab079d9adac3cb8d4b2d9cfe860c605f692b84d105d23fbe57a55df9f44507c0f449116968c1031787f382733204d6ec4f1382edb126aee240b8ec64dab8808b8fbc4a5ad8498f974ee1fedb0b4ec2ddb8940d2ce9182eefec98a3424e55224115096df91c024701ff1cef1b595de2f897b89866822f6b7c2ac53aca824b1 EAP-Message = 0x031ec6e57be92b407c2ff241 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfcd9611fffdc74ad4996af7f0a8b0ca0 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=136, length=199 User-Name = "anonymous@ash-berlin.eu" Calling-Station-Id = "5C-96-9D-10-D1-4B" Called-Station-Id = "00-23-EA-7D-93-A0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.16.1.30 NAS-Identifier = "WLC1" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x020500061500 State = 0xfcd9611fffdc74ad4996af7f0a8b0ca0 Message-Authenticator = 0x24cb994250a8f14c3115376f34924f5d server eduroam { # Executing section authorize from file /etc/freeradius.testing/sites-enabled/eduroam +group authorize { [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu" ++[suffix] = noop ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) expand: %{control:Proxy-To-Realm} -> ?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE ?? Skipping (User-Name =~ /.*@ash-berlin.eu$/) ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE ++[preprocess] = ok [files] users: Matched entry DEFAULT at line 1 ++[files] = ok rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair User-Name = anonymous@ash-berlin.eu rlm_perl: Added pair Airespace-Wlan-Id = 7 rlm_perl: Added pair Tunnel-Private-Group-Id = 14 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Message-Authenticator = 0x24cb994250a8f14c3115376f34924f5d rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam rlm_perl: Added pair State = 0xfcd9611fffdc74ad4996af7f0a8b0ca0 rlm_perl: Added pair NAS-Port = 29 rlm_perl: Added pair NAS-IP-Address = 172.16.1.30 rlm_perl: Added pair Framed-MTU = 1300 rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B rlm_perl: Added pair EAP-Message = 0x020500061500 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair NAS-Identifier = WLC1 rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Auth-Type = Perl ++[perl] = ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[pap] = noop ++[mschap] = noop +} # group authorize = ok Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'anonymous@ash-berlin.eu' # Executing group from file /etc/freeradius.testing/sites-enabled/eduroam +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled } # server eduroam Sending Access-Challenge of id 136 to 127.0.0.1 port 59385 EAP-Message = 0x0106040015c0000015e77c4e5fd6dfccd8c33e03fe115f8cc8502fbb3d90ccd567f3b32aacbfa7cee813d00bc3dbd3fc6399c3380004d9308204d5308203bda0030201020208504ec6f53d11b464300d06092a864886f70d01010b05003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3134303732323132303832365a170d3139303730393233353930305a305a310b300906035504061302 EAP-Message = 0x444531133011060355040a130a44464e2d56657265696e3110300e060355040b130744464e2d504b49312430220603550403131b44464e2d56657265696e2050434120476c6f62616c202d2047303130820122300d06092a864886f70d01010105000382010f003082010a0282010100e99bc36785f90daef58d54c39650353d62e96e4ced94d7005b952274d420eb348fd6ecc031040b9981e2a614d252a02823848b7489045e5be0e278c178cb16cb2835397b2d9045d0eda0007a7cbf4a0e1b00c386e95c2b31117b0cf38224438c1c388b6a68009aeedc4f78abd2c6139b76adeede26e8ef01af740fc109a2f66bcebdd3cd14304ff5e5e3a4c862 EAP-Message = 0x9b821a0327300d0265604dedd109232a96355827d376c671b6901dc4edff35867d6f33b3db0fc511c28a83a1945d416bd8d210f54cfdca51acd9bdef9283bbdaeb8b16565643cfe1d5133da61f2730cd4954dbc913349a7175c56ceaa70b98f9219d27af3ea33939486a8cadc999fbc312f2bd0203010001a382018630820182300e0603551d0f0101ff040403020106301d0603551d0e0416041449b7c6cfe83d1f7fea447b1329f7f10a703ede64301f0603551d2304183016801431c3791bbaf553d717e0897a2d176c0ab32b9d3330120603551d130101ff040830060101ff02010230620603551d20045b30593011060f2b0601040181ad21822c EAP-Message = 0x01010402023011060f2b0601040181ad21822c01010403003011060f2b0601040181ad21822c0101040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e303e0603551d1f043730353033a031a02f862d687474703a2f2f706b69303333362e74656c657365632e64652f726c2f44545f524f4f545f43415f322e63726c307806082b06010505070101046c306a302c06082b060105050730018620687474703a2f2f6f637370303333362e74656c657365632e64652f6f63737072303a06082b06010505073002862e687474703a2f2f706b69303333362e74656c657365632e64652f6372742f44545f524f4f545f EAP-Message = 0x43415f322e636572300d0609 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfcd9611ff8df74ad4996af7f0a8b0ca0 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=137, length=199 User-Name = "anonymous@ash-berlin.eu" Calling-Station-Id = "5C-96-9D-10-D1-4B" Called-Station-Id = "00-23-EA-7D-93-A0:eduroam" NAS-Port = 29 NAS-IP-Address = 172.16.1.30 NAS-Identifier = "WLC1" Airespace-Wlan-Id = 7 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "14" EAP-Message = 0x020600061500 State = 0xfcd9611ff8df74ad4996af7f0a8b0ca0 Message-Authenticator = 0xb16a35692f1e06ef4aaf6a6c472883b7 server eduroam { # Executing section authorize from file /etc/freeradius.testing/sites-enabled/eduroam +group authorize { [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] /var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 With kind regards, Marlen Caemmerer
On Oct 17, 2016, at 9:35 AM, Marlen Caemmerer <caemmerer@ash-berlin.eu> wrote:
This is the debug output of a client that connected.
There's no final Access-Accept in the debug output. And if you're debugging issues with clients not connecting, you need to show the debug output for a client which doesn't connect. Alan DeKok.
Am 2016-10-17 15:57, schrieb Alan DeKok:
On Oct 17, 2016, at 9:35 AM, Marlen Caemmerer <caemmerer@ash-berlin.eu> wrote:
This is the debug output of a client that connected.
There's no final Access-Accept in the debug output.
And if you're debugging issues with clients not connecting, you need to show the debug output for a client which doesn't connect.
Sorry for not being precise. I wanted to write you have the output of the regarding Mac client that cannot connect. Windows 8/10 are working fine, though. Mit freundlichen Grüßen Marlen Caemmerer -- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin Email: caemmerer@ash-berlin.eu ************************************************
Hi,
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu"
so, a realm you are trying to auth isnt defined in the proxy.conf as one of your own eg realm ash-berlin.eu { }
[files] users: Matched entry DEFAULT at line 1
what is on line 1 of your users file?(I shudder to think....)
Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user
yes....see that warning. you are forcing rhe server to do something - eg Auth-Type is being manually set. you shouldnt need to do that...
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE
as you can see, this policy you have isnt matching. if you have the relam defined, you can just check for %{Realm} being populated...nice and easy. now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel. what is the PERL script for? does it need to be called for an EAP auth in the outer phase? you need to streamline the policy so only calls to relevant modules are called in the outer phase and only the bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are called.... alan
Hello, thanks for your answers. I upgraded to 3.0.12 and got debug output as attached. It seems strange that Windows 8 and 10 are able to connect while MacOS and Linux aren't. As far as I understand MacOS tries to use MS-CHAPv2 and this does not seem to work. It seems my perl auth script does not get a password through while using mschapv2. Am 2016-10-17 17:29, schrieb A.L.M.Buxey@lboro.ac.uk:
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu"
so, a realm you are trying to auth isnt defined in the proxy.conf as one of your own eg
realm ash-berlin.eu { }
Did that :)
[files] users: Matched entry DEFAULT at line 1 what is on line 1 of your users file?(I shudder to think....)
Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user yes....see that warning. you are forcing rhe server to do something - eg Auth-Type is being manually set. you shouldnt need to do that...
I read this in the readme of rlm_perl which I use - http://wiki.freeradius.org/modules/Rlm_perl [1] So I set DEFAULT Auth-Type := Perl Fall-Through = yes in the users (ok now it is mods-config/files/authorize) file. The rest is commented out. If I take this entry out login via Windows fails, too.
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE as you can see, this policy you have isnt matching. if you have the relam defined, you can just check for %{Realm} being populated...nice and easy.
Which would be the appropriate file to do this?
now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel.
what is the PERL script for? does it need to be called for an EAP auth in the outer phase? you need to streamline the policy so only calls to relevant modules are called in the outer phase and only the bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are called....
The perl script is for a custom type of authentication only. I have difficulties understanding what inner and outer identity are. Do you have a good hint on what to read to fully understand this? With kind regards, Marlen Caemmerer -- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin Email: caemmerer@ash-berlin.eu ************************************************ Links: ------ [1] http://wiki.freeradius.org/modules/Rlm_perl
On Oct 27, 2016, at 6:49 AM, Marlen Caemmerer <caemmerer@ash-berlin.eu> wrote:
I upgraded to 3.0.12 and got debug output as attached.
It seems strange that Windows 8 and 10 are able to connect while MacOS and Linux aren't.
As far as I understand MacOS tries to use MS-CHAPv2 and this does not seem to work.
It seems my perl auth script does not get a password through while using mschapv2.
Because MS-CHAPv2 doesn't supply a password. The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.
The perl script is for a custom type of authentication only.
It will only work for PAP authentication.
I have difficulties understanding what inner and outer identity are. Do you have a good hint on what to read to fully understand this?
In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server. Authentication normally requires a name, so that is the "outer' one. When the TLS session is set up, the *real* name and password are sent inside of the TLS connection. That is the "inner" identity. Alan DeKok.
Hello, Am 2016-10-27 14:14, schrieb Alan DeKok:
Because MS-CHAPv2 doesn't supply a password.
The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.
What would you recommend to let FreeRadius authenticate the user? LDAP or users file or something else?
The perl script is for a custom type of authentication only.
It will only work for PAP authentication.
Actually I plan to poke around with EAP-TTLS and PAP first, then and see how this goes.
In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server. Authentication normally requires a name, so that is the "outer' one. When the TLS session is set up, the *real* name and password are sent inside of the TLS connection. That is the "inner" identity.
Thanks :). So this means I configure the default virtual server to do TTLS and the inner virtual server to do PAP? Then if I do this with rlm_perl I would write Auth-Type PAP { perl } in the inner-tunnel config. In the default config I guess I'd have to put eap in the authenticate section. Is this correct? With kind regards Marlen Caemmerer -- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin Email: caemmerer@ash-berlin.eu ************************************************
On Oct 28, 2016, at 6:58 AM, Marlen Caemmerer <caemmerer@ash-berlin.eu> wrote:
What would you recommend to let FreeRadius authenticate the user? LDAP or users file or something else?
Yes. That's what databases are for.
Thanks :). So this means I configure the default virtual server to do TTLS and the inner virtual server to do PAP?
That works in the default configuration. You don't need to do anything.
Then if I do this with rlm_perl I would write
Auth-Type PAP { perl }
in the inner-tunnel config.
That works.
In the default config I guess I'd have to put eap in the authenticate section.
Is this correct?
You don't need to do anything. The default configuration works. Alan DeKok.
On Fri, Oct 28, 2016 at 12:58:38PM +0200, Marlen Caemmerer wrote:
Am 2016-10-27 14:14, schrieb Alan DeKok:
Because MS-CHAPv2 doesn't supply a password.
The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication.
What would you recommend to let FreeRadius authenticate the user? LDAP or users file or something else?
That totally depends on where your usernames/passwords are actually stored. i.e. where is your perl script looking?
In short, EAP-TTLS and PEAP set up a TLS connection between the PC and the RADIUS server. Authentication normally requires a name, so that is the "outer' one. When the TLS session is set up, the *real* name and password are sent inside of the TLS connection. That is the "inner" identity.
Thanks :). So this means I configure the default virtual server to do TTLS and the inner virtual server to do PAP?
Yes.
In the default config I guess I'd have to put eap in the authenticate section.
Is this correct?
Yes. But watch out - by default the users file is read by both the inner and outer virtual servers. So you'll end up setting Auth-Type:=perl for both. Really, as written all over the place, don't set Auth-Type yourself unless you really know what you're doing. And don't use perl to do the authentication - use FreeRADIUS to fetch the credentials and do the auth. It will generally work out what the correct Auth-Type is for you. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hello, Am 2016-10-28 13:06, schrieb Matthew Newton:
On Fri, Oct 28, 2016 at 12:58:38PM +0200, Marlen Caemmerer wrote: Am 2016-10-27 14:14, schrieb Alan DeKok:
Because MS-CHAPv2 doesn't supply a password.
The simple answer is that you should give the password to FreeRADIUS, and let FreeRADIUS authenticate the user. You shouldn't write a Perl script to do the authentication. What would you recommend to let FreeRadius authenticate the user? LDAP or users file or something else?
That totally depends on where your usernames/passwords are actually stored. i.e. where is your perl script looking? Basically the perl script is querying a service that just returns if the user/password is correct or not. It queries LDAP but I dont need to specify and additional rights on the LDAP server to make Radius able to connect to the LDAP. I guess this would require read permissions for the user/password fields. It this page here is still current http://deployingradius.com/documents/protocols/compatibility.html [1] I'd have to go for TTLS-PAP only anyway even if the LDAP was connected directly. With kind regards Marlen Caemmerer -- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin Email: caemmerer@ash-berlin.eu ************************************************ Links: ------ [1] http://deployingradius.com/documents/protocols/compatibility.html
Worth 3.x pretty much anything that use are using PERL for can be done natively in freeradius with unlang. If using PERL to do ldap checks then that's certainly true. The PERL script will have some access rights, use those.... and learn about e.g. if (%{ldap:\\\.......}) constructs.... alan
Hi,
As far as I understand MacOS tries to use MS-CHAPv2 and this does not seem to work.
IIRC, Apple changed the TTLS default inner method away from PAP to EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back. If you want an inner of (non-EAP)PAP then you have to tell the Mac and iOS devices with a .mobileconfig configuration file. Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you have NT-Hashes or cleartext of the passwords of your users. If you want to generate .mobileconfig files and also config files for lots of other platforms all in one go, try https://802.1x-config.org Greetings, Stefan Winter
It seems my perl auth script does not get a password through while using mschapv2.
Am 2016-10-17 17:29, schrieb A.L.M.Buxey@lboro.ac.uk:
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017 [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016 ++[auth_log] = ok [suffix] Looking up realm "ash-berlin.eu" for User-Name = "anonymous@ash-berlin.eu" [suffix] No such realm "ash-berlin.eu"
so, a realm you are trying to auth isnt defined in the proxy.conf as one of your own eg
realm ash-berlin.eu { }
Did that :)
[files] users: Matched entry DEFAULT at line 1 what is on line 1 of your users file?(I shudder to think....)
Found Auth-Type = Perl Found Auth-Type = EAP Warning: Found 2 auth-types on request for user yes....see that warning. you are forcing rhe server to do something - eg Auth-Type is being manually set. you shouldnt need to do that...
I read this in the readme of rlm_perl which I use - http://wiki.freeradius.org/modules/Rlm_perl [1] So I set
DEFAULT Auth-Type := Perl Fall-Through = yes
in the users (ok now it is mods-config/files/authorize) file. The rest is commented out.
If I take this entry out login via Windows fails, too.
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~ /.*@ash-berlin.eu$/)) -> FALSE as you can see, this policy you have isnt matching. if you have the relam defined, you can just check for %{Realm} being populated...nice and easy.
Which would be the appropriate file to do this?
now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel.
what is the PERL script for? does it need to be called for an EAP auth in the outer phase? you need to streamline the policy so only calls to relevant modules are called in the outer phase and only the bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are called....
The perl script is for a custom type of authentication only. I have difficulties understanding what inner and outer identity are. Do you have a good hint on what to read to fully understand this?
With kind regards, Marlen Caemmerer
-- ************************************************ Alice Salomon Hochschule Computerzentrum Marlen Caemmerer Alice-Salomon-Platz 5 12627 Berlin
Email: caemmerer@ash-berlin.eu ************************************************
Links: ------ [1] http://wiki.freeradius.org/modules/Rlm_perl
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi, yes I tried to use a TTLS-PAP profile and it worked without any reconfiguration. I dont like the thought of having weak passwords in LDAP at all and on the other hand TLS on radius clients can also not be made 100% secure. So I guess my next steps is to go for client certs for the people with a lot of permissions on systems. With kind regards, Marlen Caemmerer Am 2016-11-03 08:40, schrieb Stefan Winter:
Hi,
As far as I understand MacOS tries to use MS-CHAPv2 and this does not seem to work.
IIRC, Apple changed the TTLS default inner method away from PAP to EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back.
If you want an inner of (non-EAP)PAP then you have to tell the Mac and iOS devices with a .mobileconfig configuration file.
Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you have NT-Hashes or cleartext of the passwords of your users.
If you want to generate .mobileconfig files and also config files for lots of other platforms all in one go, try https://802.1x-config.org [1]
Links: ------ [1] https://802.1x-config.org
Hi,
yes I tried to use a TTLS-PAP profile and it worked without any reconfiguration.
I dont like the thought of having weak passwords in LDAP at all and on the other hand TLS on radius clients can also not be made 100% secure.
So I guess my next steps is to go for client certs for the people with a lot of permissions on systems.
When using passwords, there is no good solution. PAP exposes the password to an attacker as soon as the user is negligent and "clicks accept" to an unknown server warning. But in exchange, you can use more advanced hashing techniques on your database backend; e.g. salted SHA-512 would work for password backend storage. MSCHAPv2 transmits the password in not-quite-cleartext (but really do not have any illusions that this is proper security); but in exchange, you need to store the passwords in your DB in either cleartext or NT-Hash format. If you need more than that, a more recent choice with passwords (but without the opportunity to "click accept" at all) is EAP-pwd. Or if you do make the leap to client certs, EAP-TLS. That's about all the options you have. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Marlen Caemmerer -
Matthew Newton -
Stefan Winter