Problem in import sqlite3 library in freeradius python module
Hi I have tried to use sqlite3 library in freeradius 3.0.16 python module on ubuntu 18.04 . I have installed freeradius via standard repositories . but I got this error message : reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "python" from file /etc/freeradius/3.0/mods-enabled/python Python version: 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0] python_function_load - Module 'example' not found <type 'exceptions.ImportError'> (No module named sqlite3) python_function_load - Failed to import python function 'example.instantiate' /etc/freeradius/3.0/mods-enabled/python[9]: Instantiation failed for module "python" any other library its ok -like os socket and etc - ! just have problem with sqlite3 ! there is my config files : mods-avalaible > python : python { # Path to the python modules # # Note that due to limitations on Python, this configuration # item is GLOBAL TO THE SERVER. That is, you cannot have two # instances of the python module, each with a different path. # python_path="/etc/freeradius/3.0/mods-config/python:/usr/lib/python2.7/s$ module = example mods-config > python > example.py import radiusd import sqlite3 DATABASE='path/to/database.db' def get_acls(): con=sqlite3.connect(DATABASE) cur=con.execute("SELECT * FROM acl") acls=cur.fetchall() con.close() acl_list=[] for acl in acls : .... I test python 2.7 and 3 but no differences , I tried installed freeradius from source -freeradius 3.0.19- what should I do ?
On Mar 3, 2019, at 8:44 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote:
I have tried to use sqlite3 library in freeradius 3.0.16 python module on ubuntu 18.04 . I have installed freeradius via standard repositories . but I got this error message :
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "python" from file /etc/freeradius/3.0/mods-enabled/python Python version: 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0] python_function_load - Module 'example' not found <type 'exceptions.ImportError'> (No module named sqlite3)
Well, that's clear. Mostly. There could be some underlying issue, like it can find the *python* sqlite3 module but not the underlying sqlite3 *library*.
any other library its ok -like os socket and etc - ! just have problem with sqlite3 !
Are all of those modules in the same directory? Do they all have similar permissions? Where is the sqlite3 dynamic library? Is it in a standard location? Or a custom one? Alan DeKok.
Hi Alan
Are all of those modules in the same directory? Do they all have similar permissions? yes . yes Are all of those modules in the same directory?
import sqlite3 print (sqlite3.__file__) /usr/lib/python3.6/sqlite3/__init__.py import os print (os.__file__) /usr/lib/python3.6/os.py
the diffrencess is just sqlite3 is not file is a folder . the others is xxxx.py file just this one is a folder with multiple files . but they have same permissions . and when I wrote a program with python that works correctly . On Sun, Mar 3, 2019 at 5:21 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 3, 2019, at 8:44 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote:
I have tried to use sqlite3 library in freeradius 3.0.16 python module on ubuntu 18.04 . I have installed freeradius via standard repositories . but I got this error message :
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog # Instantiating module "python" from file /etc/freeradius/3.0/mods-enabled/python Python version: 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0] python_function_load - Module 'example' not found <type 'exceptions.ImportError'> (No module named sqlite3)
Well, that's clear. Mostly.
There could be some underlying issue, like it can find the *python* sqlite3 module but not the underlying sqlite3 *library*.
any other library its ok -like os socket and etc - ! just have problem with sqlite3 !
Are all of those modules in the same directory? Do they all have similar permissions?
Where is the sqlite3 dynamic library? Is it in a standard location? Or a custom one?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 3, 2019, at 9:07 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote:
Hi Alan
Are all of those modules in the same directory? Do they all have similar permissions? yes . yes
That's good.
the diffrencess is just sqlite3 is not file is a folder . the others is xxxx.py file just this one is a folder with multiple files . but they have same permissions . and when I wrote a program with python that works correctly .
And where is the sqlite3 *library*? Not the Python module. The "libsqlite3.so", or whatever it's called. Alan DeKok.
And where is the sqlite3 *library*? Not the Python module. The "libsqlite3.so", or whatever it's called. /usr/lib/x86_64-linux-gnu/libsqlite3.so
On Sun, Mar 3, 2019 at 5:46 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 3, 2019, at 9:07 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote:
Hi Alan
Are all of those modules in the same directory? Do they all have
similar
permissions? yes . yes
That's good.
the diffrencess is just sqlite3 is not file is a folder . the others is xxxx.py file just this one is a folder with multiple files . but they have same permissions . and when I wrote a program with python that works correctly .
And where is the sqlite3 *library*? Not the Python module. The "libsqlite3.so", or whatever it's called.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 3, 2019, at 9:53 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote:
And where is the sqlite3 *library*? Not the Python module. The "libsqlite3.so", or whatever it's called. /usr/lib/x86_64-linux-gnu/libsqlite3.so
Hmm.. it's likely a python tooling problem. I'm not a python expert, so I'm not really sure how to fix it. Alan DeKok.
I solved it ! I did run the script via python directly and got all python path , ans add that to python config . On Sun, Mar 3, 2019 at 8:52 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 3, 2019, at 9:53 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote:
And where is the sqlite3 *library*? Not the Python module. The "libsqlite3.so", or whatever it's called. /usr/lib/x86_64-linux-gnu/libsqlite3.so
Hmm.. it's likely a python tooling problem. I'm not a python expert, so I'm not really sure how to fix it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
El 4/3/19 a las 6:54, Mehrzad Moghaddas escribió: > I solved it ! I did run the script via python directly and got all python > path , ans add that to python config . Yep, that is required. Another way of doing it (sometimes better) is installing your script in any of the pre-defined PYTHON library paths (ej. /usr/lib/python2.7/) and leave the "python_path" module configuration item untouched. Alejandro > > On Sun, Mar 3, 2019 at 8:52 PM Alan DeKok <aland@deployingradius.com> wrote: > >> On Mar 3, 2019, at 9:53 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote: >>>> And where is the sqlite3 *library*? Not the Python module. The >>> "libsqlite3.so", or whatever it's called. >>> /usr/lib/x86_64-linux-gnu/libsqlite3.so >> Hmm.. it's likely a python tooling problem. I'm not a python expert, so >> I'm not really sure how to fix it. >> >> Alan DeKok. >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
> > El 4/3/19 a las 6:54, Mehrzad Moghaddas escribió: >> I solved it ! I did run the script via python directly and got all python >> path , ans add that to python config . > Yep, that is required. > Another way of doing it (sometimes better) is installing your script in > any of the pre-defined PYTHON library paths (ej. /usr/lib/python2.7/) > and leave the "python_path" module configuration item untouched. In relation with this, I always wanted to add a "python_path_add" (or similar), which just adds an additional path to the system ones without having to specify them all. I'll look into how to do this, since the Python API does not allow it directly, but you can always do a get + add the new one + set to get a similar result. Does this sound like something you might want, Alan? Alejandro > > Alejandro >> On Sun, Mar 3, 2019 at 8:52 PM Alan DeKok <aland@deployingradius.com> wrote: >> >>> On Mar 3, 2019, at 9:53 AM, Mehrzad Moghaddas <mehrzadmo@gmail.com> wrote: >>>>> And where is the sqlite3 *library*? Not the Python module. The >>>> "libsqlite3.so", or whatever it's called. >>>> /usr/lib/x86_64-linux-gnu/libsqlite3.so >>> Hmm.. it's likely a python tooling problem. I'm not a python expert, so >>> I'm not really sure how to fix it. >>> >>> Alan DeKok. >>> >>> >>> - >>> List info/subscribe/unsubscribe? See >>> http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
We have recently upgraded FR to 3.0.18 and, after that, EAP-FAST stopped working. Any pointers will be appreciated. We are using exactly the same config files (or configuration) and username as for FR 3.0.16. This is the debug output: <snip> Ready to process requests (0) Received Access-Request Id 0 from 127.0.0.1:49204 to 0.0.0.0:1812 length 122 (0) User-Name = "1234" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x021c00090131323334 (0) Message-Authenticator = 0x9595390c5fd44a0ccce57a3fede5a6e1 (0) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "1234", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 28 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 29 length 22 (0) eap: EAP session adding &reply:State = 0xf540c2dff55dc67c (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (0) EAP-Message = 0x011d00160410ac61f64094e18473ade4269472ec8adb (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xf540c2dff55dc67c76779efebe71ec85 (0) Finished request Waking up in 5.0 seconds. (1) Received Access-Request Id 1 from 127.0.0.1:49204 to 0.0.0.0:1812 length 137 (1) User-Name = "1234" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x021d0006032b (1) State = 0xf540c2dff55dc67c76779efebe71ec85 (1) Message-Authenticator = 0x4846d98467d5a0127cf502d55e85f521 (1) session-state: No cached attributes (1) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "1234", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 29 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xf540c2dff55dc67c (1) eap: Finished EAP session with state 0xf540c2dff55dc67c (1) eap: Previous EAP request found for state 0xf540c2dff55dc67c, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type FAST (43) (1) eap: Calling submodule eap_fast to process data (1) eap_fast: Initiating new TLS session (1) eap_fast: Over-riding main cipher list with 'ALL:!EXPORT:!eNULL:!SSLv2:@SECLEVEL=0' (1) eap: Sending EAP Request (code 1) ID 30 length 26 (1) eap: EAP session adding &reply:State = 0xf540c2dff45ee97c (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 1 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (1) EAP-Message = 0x011e001a2b210004001081dc9bdb52d04dc20036dbd8313ed055 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xf540c2dff45ee97c76779efebe71ec85 (1) Finished request Waking up in 4.8 seconds. (2) Received Access-Request Id 2 from 127.0.0.1:49204 to 0.0.0.0:1812 length 251 (2) User-Name = "1234" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x021e00782b01160301006d0100006903038acbcbfc969276fb0e0518c403095b1be72236a7ef8f58e712ba57da668c1135000004003400ff0100003c0016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (2) State = 0xf540c2dff45ee97c76779efebe71ec85 (2) Message-Authenticator = 0x6859a98df1727d3af2c5ef58574ca780 (2) session-state: No cached attributes (2) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "1234", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 30 length 120 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop Not doing PAP as Auth-Type is already set. (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xf540c2dff45ee97c (2) eap: Finished EAP session with state 0xf540c2dff45ee97c (2) eap: Previous EAP request found for state 0xf540c2dff45ee97c, released from the list (2) eap: Peer sent packet with method EAP FAST (43) (2) eap: Calling submodule eap_fast to process data (2) eap_fast: Authenticate (2) eap_fast: Continuing EAP-TLS (2) eap_fast: [eaptls verify] = ok (2) eap_fast: Done initial handshake (2) eap_fast: (other): before SSL initialization (2) eap_fast: TLS_accept: before SSL initialization (2) eap_fast: TLS_accept: before SSL initialization (2) eap_fast: <<< recv TLS 1.3 [length 006d] (2) eap_fast: TLS_accept: SSLv3/TLS read client hello (2) eap_fast: >>> send TLS 1.1 [length 0039] (2) eap_fast: TLS_accept: SSLv3/TLS write server hello (2) eap_fast: >>> send TLS 1.1 [length 010b] (2) eap_fast: TLS_accept: SSLv3/TLS write key exchange (2) eap_fast: >>> send TLS 1.1 [length 0004] (2) eap_fast: TLS_accept: SSLv3/TLS write server done (2) eap_fast: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_fast: TLS - In Handshake Phase (2) eap_fast: TLS - got 343 bytes of data (2) eap_fast: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 31 length 349 (2) eap: EAP session adding &reply:State = 0xf540c2dff75fe97c (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 2 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (2) EAP-Message = 0x011f015d2b011603020039020000350302cc8669f3184b48d3359ecb19037cd7a9e200e7e379a2850c22188448c3b64fe900003400000dff010001000016000000170000160302010b0c0001070080c8ddbb8a072e74a5ca13d31d8db294878ca03afa611f23c7e8be9b6a1619282a498d7a01c0e5756ffff663dbde2046394f48f1affa990ccd08a181e013f81968e4bfc93019d0228dff8cdea67cb8dbaae69885ed3dd29914cb1fe36797fca043f27da21cc9a7b08a7dee3abeacae9d280a6ff78d26de8a3fb9e1a4bef720e1fb000102008035af77841ab14f4fc4fc02d2c47fae7ea00ec9684e2bdf117c0c767e5ceb382a2bfdda9376cc70a19df58549a03aa128d546ebeae2d59f00c9ee0f6a9909706dc1f02ead0089f02afb66fba38d0ab519dadadabfdd6b0ad34e95560e94078f5d1501276f6173f6f8317ca4ec521fdb3f5f66671d2c010f5d97b6426eb84195ba16030200040e000000 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xf540c2dff75fe97c76779efebe71ec85 (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 3 from 127.0.0.1:49204 to 0.0.0.0:1812 length 355 (3) User-Name = "1234" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x021f00e02b01160302008610000082008091b1bc9afe7f5e45ca9ab808449356e28927ad7abc9f7d564819aa3ef72df210f2832bcb4633ed299e2107e7a6dc83580269ec749f0be3053bf5dea1bcbb2f29ee3ce23ae1ab45535238ca7af7b4157768ca9abec4470c42aa0c3d5bc74d2da819a905675ca4a0eda4f722b30d3529335531d21a0d3ec7fbfbcf6d1a82c4a3c51403020001011603020044043eb85621fe819171d4c29f9a166af39d50a603c363f204df4a2005587f397671e5cba5df33955be39c1d819de9931e6486e85328887ba91e7b5217e7ce00183cee0151 (3) State = 0xf540c2dff75fe97c76779efebe71ec85 (3) Message-Authenticator = 0x516e989840b0744b250186295665cef0 (3) session-state: No cached attributes (3) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "1234", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 31 length 224 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop Not doing PAP as Auth-Type is already set. (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xf540c2dff75fe97c (3) eap: Finished EAP session with state 0xf540c2dff75fe97c (3) eap: Previous EAP request found for state 0xf540c2dff75fe97c, released from the list (3) eap: Peer sent packet with method EAP FAST (43) (3) eap: Calling submodule eap_fast to process data (3) eap_fast: Authenticate (3) eap_fast: Continuing EAP-TLS (3) eap_fast: [eaptls verify] = ok (3) eap_fast: Done initial handshake (3) eap_fast: TLS_accept: SSLv3/TLS write server done (3) eap_fast: <<< recv TLS 1.1 [length 0086] (3) eap_fast: TLS_accept: SSLv3/TLS read client key exchange (3) eap_fast: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_fast: <<< recv TLS 1.1 [length 0010] (3) eap_fast: TLS_accept: SSLv3/TLS read finished (3) eap_fast: >>> send TLS 1.1 [length 0001] (3) eap_fast: TLS_accept: SSLv3/TLS write change cipher spec (3) eap_fast: >>> send TLS 1.1 [length 0010] (3) eap_fast: TLS_accept: SSLv3/TLS write finished (3) eap_fast: (other): SSL negotiation finished successfully (3) eap_fast: TLS - Connection Established (3) eap_fast: TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (3) eap_fast: TLS-Session-Version = "TLS 1.1" (3) eap_fast: TLS - got 79 bytes of data (3) eap_fast: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 32 length 85 (3) eap: EAP session adding &reply:State = 0xf540c2dff660e97c (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (3) TLS-Session-Version = "TLS 1.1" (3) Sent Access-Challenge Id 3 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (3) EAP-Message = 0x012000552b01140302000101160302004494f4be804a16f041b8a6f6f4830f84159464d08067d76207e52cf37eeae1b419fc7f0551d2d1f1ec263c6143c3c1052dd3444fe39f6de6e27a57f98b9ea02db1ba223dc7 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xf540c2dff660e97c76779efebe71ec85 (3) Finished request Waking up in 4.4 seconds. (4) Received Access-Request Id 4 from 127.0.0.1:49204 to 0.0.0.0:1812 length 137 (4) User-Name = "1234" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x022000062b01 (4) State = 0xf540c2dff660e97c76779efebe71ec85 (4) Message-Authenticator = 0xda6392c49454b58b4a593412381f07dc (4) Restoring &session-state (4) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (4) &session-state:TLS-Session-Version = "TLS 1.1" (4) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "1234", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 32 length 6 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xf540c2dff660e97c (4) eap: Finished EAP session with state 0xf540c2dff660e97c (4) eap: Previous EAP request found for state 0xf540c2dff660e97c, released from the list (4) eap: Peer sent packet with method EAP FAST (43) (4) eap: Calling submodule eap_fast to process data (4) eap_fast: Authenticate (4) eap_fast: Continuing EAP-TLS (4) eap_fast: Peer ACKed our handshake fragment. handshake is finished (4) eap_fast: [eaptls verify] = success (4) eap_fast: [eaptls process] = success (4) eap_fast: Session established. Proceeding to decode tunneled attributes (4) eap_fast: Using anonymous provisioning (4) eap_fast: Deriving EAP-FAST keys (4) eap_fast: OpenSSL: cipher nid 419 digest nid 64 (4) eap_fast: OpenSSL: keyblock size: key_len=16 MD_size=20 IV_len=16 (4) eap_fast: Sending EAP-Identity (4) eap_fast: Challenge (4) eap: Sending EAP Request (code 1) ID 33 length 63 (4) eap: EAP session adding &reply:State = 0xf540c2dff161e97c (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (4) TLS-Session-Version = "TLS 1.1" (4) Sent Access-Challenge Id 4 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (4) EAP-Message = 0x0121003f2b011703020034d629443eefc4591552544c471ba204bad095da78bd2efdc76ff173e118037b617b0d71500de53c9d4826fda67b7c182f37f1e98d (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xf540c2dff161e97c76779efebe71ec85 (4) Finished request Waking up in 4.3 seconds. (5) Received Access-Request Id 5 from 127.0.0.1:49204 to 0.0.0.0:1812 length 194 (5) User-Name = "1234" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x0221003f2b011703020034c86484807adb72db9f79883ad2451d0a2c4ac2c8040d70371fd228857acae9e45320b7cb2bb35eaa1e8b42d114788db234561606 (5) State = 0xf540c2dff161e97c76779efebe71ec85 (5) Message-Authenticator = 0x83af6cbabd67c8118afc616ff6d80030 (5) Restoring &session-state (5) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (5) &session-state:TLS-Session-Version = "TLS 1.1" (5) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "1234", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 33 length 63 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop Not doing PAP as Auth-Type is already set. (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xf540c2dff161e97c (5) eap: Finished EAP session with state 0xf540c2dff161e97c (5) eap: Previous EAP request found for state 0xf540c2dff161e97c, released from the list (5) eap: Peer sent packet with method EAP FAST (43) (5) eap: Calling submodule eap_fast to process data (5) eap_fast: Authenticate (5) eap_fast: Continuing EAP-TLS (5) eap_fast: [eaptls verify] = ok (5) eap_fast: Done initial handshake (5) eap_fast: [eaptls process] = ok (5) eap_fast: Session established. Proceeding to decode tunneled attributes (5) eap_fast: Got Tunneled FAST TLVs (5) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x02210008016d6777 (5) eap_fast: Processing received EAP Payload (5) eap_fast: Got tunneled request (5) eap_fast: EAP-Message = 0x02210008016d6777 (5) eap_fast: Got tunneled identity of mgw (5) eap_fast: AUTHENTICATION (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x02210008016d6777 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "mgw" (5) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (5) server inner-tunnel { (5) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "mgw", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 33 length 8 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: Issuing Challenge (5) eap: Sending EAP Request (code 1) ID 34 length 43 (5) eap: EAP session adding &reply:State = 0x07f19ece07d38470 (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x0122002b1a0122002610ddcd742c8b24135c123a2f200a7cad0e667265657261646975732d332e302e3138 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x07f19ece07d38470fa0d479343028091 (5) eap_fast: Got tunneled Access-Challenge (5) eap_fast: Challenge (5) eap: Sending EAP Request (code 1) ID 34 length 95 (5) eap: EAP session adding &reply:State = 0xf540c2dff062e97c (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (5) TLS-Session-Version = "TLS 1.1" (5) Sent Access-Challenge Id 5 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (5) EAP-Message = 0x0122005f2b011703020054478b902e23448fc14e95749d81654e35f87d372ca1b3fca3114f4842892b1a47dc54a8cf5d092e9c8bb622085cd1de16f35bbc338e5d6c7eed5ed56c77518075fccc66865917f5822ae28092fbdf65f5aa8c16ef (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xf540c2dff062e97c76779efebe71ec85 (5) Finished request Waking up in 4.1 seconds. (6) Received Access-Request Id 6 from 127.0.0.1:49204 to 0.0.0.0:1812 length 258 (6) User-Name = "1234" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x0222007f2b011703020074bfd7109dd1f74f44a31b87c9e4e17d2e58350d73040b02920bcbcbcedbb66014a7dc0f15bd1ddad6867988ee068de96ffec417720e1f22d3379725dbd15640a96e5fba5664bc2ee459bff67223281f4b8a66d1473af065f6eea9f69a333ee2af98adf369846a052784d975f6c451bd4737c91c2a (6) State = 0xf540c2dff062e97c76779efebe71ec85 (6) Message-Authenticator = 0xfc6a058256cad438f3f03e0beae59b62 (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (6) &session-state:TLS-Session-Version = "TLS 1.1" (6) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "1234", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 34 length 127 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop Not doing PAP as Auth-Type is already set. (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x07f19ece07d38470 (6) eap: Finished EAP session with state 0xf540c2dff062e97c (6) eap: Previous EAP request found for state 0xf540c2dff062e97c, released from the list (6) eap: Peer sent packet with method EAP FAST (43) (6) eap: Calling submodule eap_fast to process data (6) eap_fast: Authenticate (6) eap_fast: Continuing EAP-TLS (6) eap_fast: [eaptls verify] = ok (6) eap_fast: Done initial handshake (6) eap_fast: [eaptls process] = ok (6) eap_fast: Session established. Proceeding to decode tunneled attributes (6) eap_fast: Got Tunneled FAST TLVs (6) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x0222003e1a022200393100000000000000000000000000000000000000000000000055aa671c53b32f8297f5c46c8231a5e75b67987b94f1ad46006d6777 (6) eap_fast: Processing received EAP Payload (6) eap_fast: Got tunneled request (6) eap_fast: EAP-Message = 0x0222003e1a022200393100000000000000000000000000000000000000000000000055aa671c53b32f8297f5c46c8231a5e75b67987b94f1ad46006d6777 (6) eap_fast: AUTHENTICATION (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x0222003e1a022200393100000000000000000000000000000000000000000000000055aa671c53b32f8297f5c46c8231a5e75b67987b94f1ad46006d6777 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "mgw" (6) State = 0x07f19ece07d38470fa0d479343028091 (6) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "mgw", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 34 length 62 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry mgw at line 68 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0x07f19ece07d38470 (6) eap: Finished EAP session with state 0x07f19ece07d38470 (6) eap: Previous EAP request found for state 0x07f19ece07d38470, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap_mschapv2: # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (6) eap_mschapv2: authenticate { (6) mschap: Found Cleartext-Password, hashing to create NT-Password (6) mschap: Found Cleartext-Password, hashing to create LM-Password (6) mschap: Overriding peer challenge (6) mschap: Creating challenge hash with username: mgw (6) mschap: Client is using MS-CHAPv2 (6) mschap: Adding MS-CHAPv2 MPPE keys (6) [mschap] = ok (6) } # authenticate = ok (6) MSCHAP Success (6) eap: Sending EAP Request (code 1) ID 35 length 51 (6) eap: EAP session adding &reply:State = 0x07f19ece06d28470 (6) [eap] = handled (6) } # authenticate = handled (6) } # server inner-tunnel (6) Virtual server sending reply (6) EAP-Message = 0x012300331a0322002e533d41383643464332354243453044384342463742423842413942453638463842353741434542394636 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x07f19ece06d28470fa0d479343028091 (6) eap_fast: Got tunneled Access-Challenge (6) eap_fast: Challenge (6) eap: Sending EAP Request (code 1) ID 35 length 111 (6) eap: EAP session adding &reply:State = 0xf540c2dff363e97c (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (6) TLS-Session-Version = "TLS 1.1" (6) Sent Access-Challenge Id 6 from 0.0.0.0:1812 to 127.0.0.1:49204 length 0 (6) EAP-Message = 0x0123006f2b011703020064184b7e2dc0e6bc0b99e7a64ef85e0bede16cf06db067012bd9b02ca01abaafccc651dd505153b179bec63e89174ee79373221eb40818dd8b0a7fd8274e29900cb31e9315d95afcb4ccb3c041e1d44bbd0f9f856bd2a69888324911195a9c7e775ba503ef (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xf540c2dff363e97c76779efebe71ec85 (6) Finished request Waking up in 3.8 seconds. (7) Received Access-Request Id 7 from 127.0.0.1:49204 to 0.0.0.0:1812 length 194 (7) User-Name = "1234" (7) NAS-IP-Address = 127.0.0.1 (7) Calling-Station-Id = "02-00-00-00-00-01" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Connect-Info = "CONNECT 11Mbps 802.11b" (7) EAP-Message = 0x0223003f2b011703020034a6802a5acca406ebdca8770f57606d91dd04fee78c7992c6dc19c79213fb7347d0176cb26f76207c6c630dcd5acb52e2664f618c (7) State = 0xf540c2dff363e97c76779efebe71ec85 (7) Message-Authenticator = 0xa776d76668ce413ef33a80ada3722757 (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA" (7) &session-state:TLS-Session-Version = "TLS 1.1" (7) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "1234", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 35 length 63 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop Not doing PAP as Auth-Type is already set. (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x07f19ece06d28470 (7) eap: Finished EAP session with state 0xf540c2dff363e97c (7) eap: Previous EAP request found for state 0xf540c2dff363e97c, released from the list (7) eap: Peer sent packet with method EAP FAST (43) (7) eap: Calling submodule eap_fast to process data (7) eap_fast: Authenticate (7) eap_fast: Continuing EAP-TLS (7) eap_fast: [eaptls verify] = ok (7) eap_fast: Done initial handshake (7) eap_fast: [eaptls process] = ok (7) eap_fast: Session established. Proceeding to decode tunneled attributes (7) eap_fast: Got Tunneled FAST TLVs (7) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x022300061a03 (7) eap_fast: Processing received EAP Payload (7) eap_fast: Got tunneled request (7) eap_fast: EAP-Message = 0x022300061a03 (7) eap_fast: AUTHENTICATION (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x022300061a03 (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "mgw" (7) State = 0x07f19ece06d28470fa0d479343028091 (7) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (7) server inner-tunnel { (7) session-state: No cached attributes (7) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "mgw", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 35 length 6 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files: users: Matched entry mgw at line 68 (7) [files] = ok (7) [expiration] = noop (7) [logintime] = noop (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0x07f19ece06d28470 (7) eap: Finished EAP session with state 0x07f19ece06d28470 (7) eap: Previous EAP request found for state 0x07f19ece06d28470, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap: Sending EAP Success (code 3) ID 35 length 4 (7) eap: Freeing handler (7) [eap] = ok (7) } # authenticate = ok (7) # Executing section post-auth from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (7) post-auth { (7) if (0) { (7) if (0) -> FALSE (7) } # post-auth = noop (7) } # server inner-tunnel (7) Virtual server sending reply (7) MS-MPPE-Encryption-Policy = Encryption-Allowed (7) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (7) MS-MPPE-Send-Key = 0x22cc5b6ea129122966c0d5f8fde4321d (7) MS-MPPE-Recv-Key = 0xc732209c6264f5d1e4aef598f57c6ee3 (7) EAP-Message = 0x03230004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) User-Name = "mgw" (7) eap_fast: Got tunneled Access-Accept (7) eap_fast: ERROR: Found CHAP-Challenge with incorrect length. Expected 16, got 4 (7) eap_fast: Reject (7) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed (7) eap: Sending EAP Failure (code 4) ID 35 length 4 (7) eap: Failed in EAP select (7) [eap] = invalid (7) } # authenticate = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %{User-Name} (7) attr_filter.access_reject: --> 1234 (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) [eap] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # Post-Auth-Type REJECT = updated (7) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (7) Sending delayed response (7) Sent Access-Reject Id 7 from 0.0.0.0:1812 to 127.0.0.1:49204 length 44 (7) EAP-Message = 0x04230004 (7) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.6 seconds. (0) Cleaning up request packet ID 0 with timestamp +10 (1) Cleaning up request packet ID 1 with timestamp +10 Waking up in 0.1 seconds. (2) Cleaning up request packet ID 2 with timestamp +10 Waking up in 0.2 seconds. (3) Cleaning up request packet ID 3 with timestamp +10 Waking up in 0.1 seconds. (4) Cleaning up request packet ID 4 with timestamp +11 Waking up in 0.1 seconds. (5) Cleaning up request packet ID 5 with timestamp +11 Waking up in 0.2 seconds. (6) Cleaning up request packet ID 6 with timestamp +11 Waking up in 0.2 seconds. (7) Cleaning up request packet ID 7 with timestamp +11 Ready to process requests
On Mar 4, 2019, at 8:43 AM, Sergio NNX <sfhacker@hotmail.com> wrote:
We have recently upgraded FR to 3.0.18 and, after that, EAP-FAST stopped working. Any pointers will be appreciated.
We are using exactly the same config files (or configuration) and username as for FR 3.0.16.
<sigh> I pushed a fix. That was Arran's bug... Alan DeKok.
<sigh> I pushed a fix.
Thanks Alan. That seems to fix it! <snip> Ready to process requests (0) Received Access-Request Id 0 from 127.0.0.1:62244 to 0.0.0.0:1812 length 122 (0) User-Name = "1234" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "02-00-00-00-00-01" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) EAP-Message = 0x02e900090131323334 (0) Message-Authenticator = 0x8862b1c49abc0f9646933a0c5bd925df (0) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "1234", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 233 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 234 length 22 (0) eap: EAP session adding &reply:State = 0xb22431b3b2ce35db (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 0 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (0) EAP-Message = 0x01ea001604101b80c0994cef15a0e2e3c889ab57c1fb (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xb22431b3b2ce35db7f72bc3d985e2006 (0) Finished request Waking up in 5.0 seconds. (1) Received Access-Request Id 1 from 127.0.0.1:62244 to 0.0.0.0:1812 length 137 (1) User-Name = "1234" (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = "02-00-00-00-00-01" (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Connect-Info = "CONNECT 11Mbps 802.11b" (1) EAP-Message = 0x02ea0006032b (1) State = 0xb22431b3b2ce35db7f72bc3d985e2006 (1) Message-Authenticator = 0x0d4078ec678e91427c5dcdea27f451ed (1) session-state: No cached attributes (1) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "1234", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 234 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xb22431b3b2ce35db (1) eap: Finished EAP session with state 0xb22431b3b2ce35db (1) eap: Previous EAP request found for state 0xb22431b3b2ce35db, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type FAST (43) (1) eap: Calling submodule eap_fast to process data (1) eap_fast: Initiating new TLS session (1) eap_fast: Over-riding main cipher list with 'ALL:!EXPORT:!eNULL:!SSLv2:@SECLEVEL=0' (1) eap: Sending EAP Request (code 1) ID 235 length 26 (1) eap: EAP session adding &reply:State = 0xb22431b3b3cf1adb (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 1 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (1) EAP-Message = 0x01eb001a2b210004001081dc9bdb52d04dc20036dbd8313ed055 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xb22431b3b3cf1adb7f72bc3d985e2006 (1) Finished request Waking up in 4.8 seconds. (2) Received Access-Request Id 2 from 127.0.0.1:62244 to 0.0.0.0:1812 length 435 (2) User-Name = "1234" (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = "02-00-00-00-00-01" (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Connect-Info = "CONNECT 11Mbps 802.11b" (2) EAP-Message = 0x02eb012e2b0116030101230100011f030378420a4919f64442d67aff80fc92e77ed25aa36ae5f79d8ab4a67bf0dae196be000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff010000be000b000403000102000a000c000a001d0017001e00190018002300660002006281dc9bdb52d04dc20036dbd8313ed05500000000000000000000000000000000c74015d15ee1a1baa583108cdc4cd94aa2de29d0a3da8ae33197c989c7a371d3f1d17a12e553b578c02414b0fd3653d967add12b7843eb713e03e320b050a04ef2290016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (2) State = 0xb22431b3b3cf1adb7f72bc3d985e2006 (2) Message-Authenticator = 0x6736bdb225fc511ed8430552ebaa7960 (2) session-state: No cached attributes (2) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "1234", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 235 length 302 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop Not doing PAP as Auth-Type is already set. (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = eap (2) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xb22431b3b3cf1adb (2) eap: Finished EAP session with state 0xb22431b3b3cf1adb (2) eap: Previous EAP request found for state 0xb22431b3b3cf1adb, released from the list (2) eap: Peer sent packet with method EAP FAST (43) (2) eap: Calling submodule eap_fast to process data (2) eap_fast: Authenticate (2) eap_fast: Continuing EAP-TLS (2) eap_fast: [eaptls verify] = ok (2) eap_fast: Done initial handshake (2) eap_fast: (other): before SSL initialization (2) eap_fast: TLS_accept: before SSL initialization (2) eap_fast: TLS_accept: before SSL initialization (2) eap_fast: <<< recv TLS 1.3 [length 0123] (2) eap_fast: PAC provided via ClientHello SessionTicket extension (2) eap_fast: processing PAC-Opaque (2) eap_fast: TLS_accept: SSLv3/TLS read client hello (2) eap_fast: >>> send TLS 1.1 [length 0061] (2) eap_fast: TLS_accept: SSLv3/TLS write server hello (2) eap_fast: >>> send TLS 1.1 [length 0001] (2) eap_fast: TLS_accept: SSLv3/TLS write change cipher spec (2) eap_fast: >>> send TLS 1.1 [length 0010] (2) eap_fast: TLS_accept: SSLv3/TLS write finished (2) eap_fast: TLS_accept: Need to read more data: SSLv3/TLS write finished (2) eap_fast: TLS - In Handshake Phase (2) eap_fast: TLS - got 181 bytes of data (2) eap_fast: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 236 length 187 (2) eap: EAP session adding &reply:State = 0xb22431b3b0c81adb (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 2 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (2) EAP-Message = 0x01ec00bb2b0116030200610200005d0302bbf51c0cb48cc0765363b9c213a47cf6931892812fe8759e3b6e827995a9b67e20330701c670dbe0d22ffb307123950ac4c6c2ee823ba2dfec928d2a04df3c56c4c014000015ff01000100000b0004030001020016000000170000140302000101160302004495074e2bdb445df173c2d6d8ae04bb4c8c87aac49bc347a09c48fa5e5f992a7c93a5f1b2489d1b00d083a5da13dd60fc0c8872815e8053599ca2188727d82ffd92b0a92e (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xb22431b3b0c81adb7f72bc3d985e2006 (2) Finished request Waking up in 4.7 seconds. (3) Received Access-Request Id 3 from 127.0.0.1:62244 to 0.0.0.0:1812 length 216 (3) User-Name = "1234" (3) NAS-IP-Address = 127.0.0.1 (3) Calling-Station-Id = "02-00-00-00-00-01" (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Connect-Info = "CONNECT 11Mbps 802.11b" (3) EAP-Message = 0x02ec00552b01140302000101160302004461b980a6609a1ebb3672eb7087f4eb6eee13106d7747b84de958e9744e47b923804398bf7909c30d7735b1b56364b07b6198879b4ebaf4f99d3b0f0631cf3c64f04922f7 (3) State = 0xb22431b3b0c81adb7f72bc3d985e2006 (3) Message-Authenticator = 0x7aaf468640e84bc844d9bc88c00e0741 (3) session-state: No cached attributes (3) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "1234", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 236 length 85 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop Not doing PAP as Auth-Type is already set. (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xb22431b3b0c81adb (3) eap: Finished EAP session with state 0xb22431b3b0c81adb (3) eap: Previous EAP request found for state 0xb22431b3b0c81adb, released from the list (3) eap: Peer sent packet with method EAP FAST (43) (3) eap: Calling submodule eap_fast to process data (3) eap_fast: Authenticate (3) eap_fast: Continuing EAP-TLS (3) eap_fast: [eaptls verify] = ok (3) eap_fast: Done initial handshake (3) eap_fast: TLS_accept: SSLv3/TLS write finished (3) eap_fast: TLS_accept: SSLv3/TLS read change cipher spec (3) eap_fast: <<< recv TLS 1.1 [length 0010] (3) eap_fast: TLS_accept: SSLv3/TLS read finished (3) eap_fast: (other): SSL negotiation finished successfully (3) eap_fast: TLS - Connection Established (3) eap_fast: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (3) eap_fast: TLS-Session-Version = "TLS 1.1" (3) eap_fast: TLS - Application data. (3) eap_fast: WARNING: No information in cached session 330701c670dbe0d22ffb307123950ac4c6c2ee823ba2dfec928d2a04df3c56c4 (3) eap_fast: [eaptls process] = success (3) eap_fast: Session established. Proceeding to decode tunneled attributes (3) eap_fast: Session Resumed from PAC (3) eap_fast: Deriving EAP-FAST keys (3) eap_fast: OpenSSL: cipher nid 427 digest nid 64 (3) eap_fast: OpenSSL: keyblock size: key_len=32 MD_size=20 IV_len=16 (3) eap_fast: Sending EAP-Identity (3) eap_fast: Challenge (3) eap: Sending EAP Request (code 1) ID 237 length 63 (3) eap: EAP session adding &reply:State = 0xb22431b3b1c91adb (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (3) TLS-Session-Version = "TLS 1.1" (3) Sent Access-Challenge Id 3 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (3) EAP-Message = 0x01ed003f2b011703020034cb57db7430b66bf855e9064c66187f83f6585c2f20fca65dc9ed6f7d3f0fde0a6fe8ed752bb936ca202c3cab5796671194d77336 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xb22431b3b1c91adb7f72bc3d985e2006 (3) Finished request Waking up in 4.5 seconds. (4) Received Access-Request Id 4 from 127.0.0.1:62244 to 0.0.0.0:1812 length 194 (4) User-Name = "1234" (4) NAS-IP-Address = 127.0.0.1 (4) Calling-Station-Id = "02-00-00-00-00-01" (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Connect-Info = "CONNECT 11Mbps 802.11b" (4) EAP-Message = 0x02ed003f2b011703020034f4ff56e41a0cba313310f866b62b2c6c1e23d9884a80a3cb2b820560f85529fd79e6b93eccf6c842fa56a30c0bc9d1bc0745898e (4) State = 0xb22431b3b1c91adb7f72bc3d985e2006 (4) Message-Authenticator = 0x7147944225bb3ebc6566df9d97ee45fb (4) Restoring &session-state (4) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (4) &session-state:TLS-Session-Version = "TLS 1.1" (4) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "1234", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 237 length 63 (4) eap: No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop Not doing PAP as Auth-Type is already set. (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = eap (4) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xb22431b3b1c91adb (4) eap: Finished EAP session with state 0xb22431b3b1c91adb (4) eap: Previous EAP request found for state 0xb22431b3b1c91adb, released from the list (4) eap: Peer sent packet with method EAP FAST (43) (4) eap: Calling submodule eap_fast to process data (4) eap_fast: Authenticate (4) eap_fast: Continuing EAP-TLS (4) eap_fast: [eaptls verify] = ok (4) eap_fast: Done initial handshake (4) eap_fast: [eaptls process] = ok (4) eap_fast: Session established. Proceeding to decode tunneled attributes (4) eap_fast: Got Tunneled FAST TLVs (4) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x02ed0008016d6777 (4) eap_fast: Processing received EAP Payload (4) eap_fast: Got tunneled request (4) eap_fast: EAP-Message = 0x02ed0008016d6777 (4) eap_fast: Got tunneled identity of mgw (4) eap_fast: AUTHENTICATION (4) Virtual server inner-tunnel received request (4) EAP-Message = 0x02ed0008016d6777 (4) FreeRADIUS-Proxied-To = 127.0.0.1 (4) User-Name = "mgw" (4) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (4) server inner-tunnel { (4) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [chap] = noop (4) [mschap] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "mgw", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) update control { (4) &Proxy-To-Realm := LOCAL (4) } # update control = noop (4) eap: Peer sent EAP Response (code 2) ID 237 length 8 (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (4) authenticate { (4) eap: Peer sent packet with method EAP Identity (1) (4) eap: Calling submodule eap_mschapv2 to process data (4) eap_mschapv2: Issuing Challenge (4) eap: Sending EAP Request (code 1) ID 238 length 43 (4) eap: EAP session adding &reply:State = 0xe3368f25e3d895bc (4) [eap] = handled (4) } # authenticate = handled (4) } # server inner-tunnel (4) Virtual server sending reply (4) EAP-Message = 0x01ee002b1a01ee0026103110d50663aee1e22b52404ccb89303b667265657261646975732d332e302e3138 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xe3368f25e3d895bc2c65ae25c75c3478 (4) eap_fast: Got tunneled Access-Challenge (4) eap_fast: Challenge (4) eap: Sending EAP Request (code 1) ID 238 length 95 (4) eap: EAP session adding &reply:State = 0xb22431b3b6ca1adb (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (4) TLS-Session-Version = "TLS 1.1" (4) Sent Access-Challenge Id 4 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (4) EAP-Message = 0x01ee005f2b011703020054473429758f9db17f0ae8957b91950face79823365b7cad281515172e53715604e136da70224095aa01ec8400f754cec046515d4fcda35efbc8350dda31439607a2d92976a20e10f2138756795d04eabf0c8693f7 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xb22431b3b6ca1adb7f72bc3d985e2006 (4) Finished request Waking up in 4.3 seconds. (5) Received Access-Request Id 5 from 127.0.0.1:62244 to 0.0.0.0:1812 length 258 (5) User-Name = "1234" (5) NAS-IP-Address = 127.0.0.1 (5) Calling-Station-Id = "02-00-00-00-00-01" (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Connect-Info = "CONNECT 11Mbps 802.11b" (5) EAP-Message = 0x02ee007f2b0117030200747f38e22f07b9ac8bca3a0398c0a7794d11e0a33a3b2b94219f11a1d2442e381d8942a8febe3444e2c28707aab957908f3c0b9254418499b373868e39ce13b825d9718ef42b7a98d699a68e85c9fbf49dfb1a45d9e7762b76f1ed6bde2fe30df088210f67a394d9c4e3becb26d81e9ff41144c0f7 (5) State = 0xb22431b3b6ca1adb7f72bc3d985e2006 (5) Message-Authenticator = 0x8e40c8ea8e4f541690157aa75c2732d6 (5) Restoring &session-state (5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) &session-state:TLS-Session-Version = "TLS 1.1" (5) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "1234", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 238 length 127 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop Not doing PAP as Auth-Type is already set. (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0xe3368f25e3d895bc (5) eap: Finished EAP session with state 0xb22431b3b6ca1adb (5) eap: Previous EAP request found for state 0xb22431b3b6ca1adb, released from the list (5) eap: Peer sent packet with method EAP FAST (43) (5) eap: Calling submodule eap_fast to process data (5) eap_fast: Authenticate (5) eap_fast: Continuing EAP-TLS (5) eap_fast: [eaptls verify] = ok (5) eap_fast: Done initial handshake (5) eap_fast: [eaptls process] = ok (5) eap_fast: Session established. Proceeding to decode tunneled attributes (5) eap_fast: Got Tunneled FAST TLVs (5) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x02ee003e1a02ee003931b788fe4ec73ae1dcef2977c9f261a20b0000000000000000bbfadae962ed13ccba78ef79edde455a8bb19177712d7a9c006d6777 (5) eap_fast: Processing received EAP Payload (5) eap_fast: Got tunneled request (5) eap_fast: EAP-Message = 0x02ee003e1a02ee003931b788fe4ec73ae1dcef2977c9f261a20b0000000000000000bbfadae962ed13ccba78ef79edde455a8bb19177712d7a9c006d6777 (5) eap_fast: AUTHENTICATION (5) Virtual server inner-tunnel received request (5) EAP-Message = 0x02ee003e1a02ee003931b788fe4ec73ae1dcef2977c9f261a20b0000000000000000bbfadae962ed13ccba78ef79edde455a8bb19177712d7a9c006d6777 (5) FreeRADIUS-Proxied-To = 127.0.0.1 (5) User-Name = "mgw" (5) State = 0xe3368f25e3d895bc2c65ae25c75c3478 (5) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (5) server inner-tunnel { (5) session-state: No cached attributes (5) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [chap] = noop (5) [mschap] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "mgw", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) update control { (5) &Proxy-To-Realm := LOCAL (5) } # update control = noop (5) eap: Peer sent EAP Response (code 2) ID 238 length 62 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) files: users: Matched entry mgw at line 68 (5) [files] = ok (5) [expiration] = noop (5) [logintime] = noop (5) pap: WARNING: Auth-Type already set. Not setting to PAP (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (5) authenticate { (5) eap: Expiring EAP session with state 0xe3368f25e3d895bc (5) eap: Finished EAP session with state 0xe3368f25e3d895bc (5) eap: Previous EAP request found for state 0xe3368f25e3d895bc, released from the list (5) eap: Peer sent packet with method EAP MSCHAPv2 (26) (5) eap: Calling submodule eap_mschapv2 to process data (5) eap_mschapv2: # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (5) eap_mschapv2: authenticate { (5) mschap: Found Cleartext-Password, hashing to create NT-Password (5) mschap: Found Cleartext-Password, hashing to create LM-Password (5) mschap: Creating challenge hash with username: mgw (5) mschap: Client is using MS-CHAPv2 (5) mschap: Adding MS-CHAPv2 MPPE keys (5) [mschap] = ok (5) } # authenticate = ok (5) MSCHAP Success (5) eap: Sending EAP Request (code 1) ID 239 length 51 (5) eap: EAP session adding &reply:State = 0xe3368f25e2d995bc (5) [eap] = handled (5) } # authenticate = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) EAP-Message = 0x01ef00331a03ee002e533d37393836433534434446394230334436444441393837384442413736333044303244383234344142 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xe3368f25e2d995bc2c65ae25c75c3478 (5) eap_fast: Got tunneled Access-Challenge (5) eap_fast: Challenge (5) eap: Sending EAP Request (code 1) ID 239 length 111 (5) eap: EAP session adding &reply:State = 0xb22431b3b7cb1adb (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (5) TLS-Session-Version = "TLS 1.1" (5) Sent Access-Challenge Id 5 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (5) EAP-Message = 0x01ef006f2b011703020064e77850006db663e3cb8f8bc0a50bc2da30a5689ce3dc0a39c694374e26c5cc5932f3e543c1ff63b44aafa554bdc04d5c8a1bc8beb819653b75ac4760be0c7f6ce69f0f9d23a1d819176fba30e9269991d7901a377638e0cdb86599cecb11d552c614b262 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xb22431b3b7cb1adb7f72bc3d985e2006 (5) Finished request Waking up in 4.1 seconds. (6) Received Access-Request Id 6 from 127.0.0.1:62244 to 0.0.0.0:1812 length 194 (6) User-Name = "1234" (6) NAS-IP-Address = 127.0.0.1 (6) Calling-Station-Id = "02-00-00-00-00-01" (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Connect-Info = "CONNECT 11Mbps 802.11b" (6) EAP-Message = 0x02ef003f2b011703020034215c7108855a146498fb7e075f8a21004c222739fd3a10199ec97b6661def96b46be7a7fd36d88cb87d5adf864a7bc008cdafefb (6) State = 0xb22431b3b7cb1adb7f72bc3d985e2006 (6) Message-Authenticator = 0x2789e6c321d010bb4970f96d043f9a91 (6) Restoring &session-state (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) &session-state:TLS-Session-Version = "TLS 1.1" (6) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "1234", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 239 length 63 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop Not doing PAP as Auth-Type is already set. (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xe3368f25e2d995bc (6) eap: Finished EAP session with state 0xb22431b3b7cb1adb (6) eap: Previous EAP request found for state 0xb22431b3b7cb1adb, released from the list (6) eap: Peer sent packet with method EAP FAST (43) (6) eap: Calling submodule eap_fast to process data (6) eap_fast: Authenticate (6) eap_fast: Continuing EAP-TLS (6) eap_fast: [eaptls verify] = ok (6) eap_fast: Done initial handshake (6) eap_fast: [eaptls process] = ok (6) eap_fast: Session established. Proceeding to decode tunneled attributes (6) eap_fast: Got Tunneled FAST TLVs (6) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x02ef00061a03 (6) eap_fast: Processing received EAP Payload (6) eap_fast: Got tunneled request (6) eap_fast: EAP-Message = 0x02ef00061a03 (6) eap_fast: AUTHENTICATION (6) Virtual server inner-tunnel received request (6) EAP-Message = 0x02ef00061a03 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) User-Name = "mgw" (6) State = 0xe3368f25e2d995bc2c65ae25c75c3478 (6) WARNING: Outer User-Name is not anonymized. User privacy is compromised. (6) server inner-tunnel { (6) session-state: No cached attributes (6) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) [mschap] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "mgw", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: Peer sent EAP Response (code 2) ID 239 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) files: users: Matched entry mgw at line 68 (6) [files] = ok (6) [expiration] = noop (6) [logintime] = noop (6) pap: WARNING: Auth-Type already set. Not setting to PAP (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (6) authenticate { (6) eap: Expiring EAP session with state 0xe3368f25e2d995bc (6) eap: Finished EAP session with state 0xe3368f25e2d995bc (6) eap: Previous EAP request found for state 0xe3368f25e2d995bc, released from the list (6) eap: Peer sent packet with method EAP MSCHAPv2 (26) (6) eap: Calling submodule eap_mschapv2 to process data (6) eap: Sending EAP Success (code 3) ID 239 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) # Executing section post-auth from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/inner-tunnel (6) post-auth { (6) if (0) { (6) if (0) -> FALSE (6) } # post-auth = noop (6) } # server inner-tunnel (6) Virtual server sending reply (6) MS-MPPE-Encryption-Policy = Encryption-Allowed (6) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (6) MS-MPPE-Send-Key = 0xce9491926bc2c79a3f1431e5e21391f5 (6) MS-MPPE-Recv-Key = 0xeb638c24bfa050d0069792e946c20e23 (6) EAP-Message = 0x03ef0004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) User-Name = "mgw" (6) eap_fast: Got tunneled Access-Accept (6) eap_fast: Updating ICMK (6) eap_fast: Sending Cryptobinding (6) eap_fast: Challenge (6) eap: Sending EAP Request (code 1) ID 240 length 127 (6) eap: EAP session adding &reply:State = 0xb22431b3b4d41adb (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (6) TLS-Session-Version = "TLS 1.1" (6) Sent Access-Challenge Id 6 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (6) EAP-Message = 0x01f0007f2b011703020074299c8187b828c7d3995e79e4ff3d74d800a552a67ffd98f85b3d0bc79e5aee5f0f1f5cdcb314ced5f0a322acf7722de24b0610dc0e98f6413d77620150aa052194b876d892cef177aa7ce513411df490a3fc7460e8c44c491d183df33eabc4dd34f5266ab8c869d902547e859054c24b60b15dfb (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xb22431b3b4d41adb7f72bc3d985e2006 (6) Finished request Waking up in 3.9 seconds. (7) Received Access-Request Id 7 from 127.0.0.1:62244 to 0.0.0.0:1812 length 258 (7) User-Name = "1234" (7) NAS-IP-Address = 127.0.0.1 (7) Calling-Station-Id = "02-00-00-00-00-01" (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Connect-Info = "CONNECT 11Mbps 802.11b" (7) EAP-Message = 0x02f0007f2b011703020074780334064673d0fb51e06fe8ec527ed50174de91c8e6105d1c66c95e40987481ac18b2559b8642a58e12e8dbc8ebdfb5666c973da24b5f437251ac90cedb46b871fb0b1894810a453546090d56eed532a88d2d63ebecb4f0f5c66c44f5e22b338889b42e7cfb746d5dbe9d91069feb40f1b3f66e (7) State = 0xb22431b3b4d41adb7f72bc3d985e2006 (7) Message-Authenticator = 0x4553f5e6d65b5993e23f64147bf95f06 (7) Restoring &session-state (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA" (7) &session-state:TLS-Session-Version = "TLS 1.1" (7) # Executing section authorize from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "1234", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 240 length 127 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop Not doing PAP as Auth-Type is already set. (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0xb22431b3b4d41adb (7) eap: Finished EAP session with state 0xb22431b3b4d41adb (7) eap: Previous EAP request found for state 0xb22431b3b4d41adb, released from the list (7) eap: Peer sent packet with method EAP FAST (43) (7) eap: Calling submodule eap_fast to process data (7) eap_fast: Authenticate (7) eap_fast: Continuing EAP-TLS (7) eap_fast: [eaptls verify] = ok (7) eap_fast: Done initial handshake (7) eap_fast: [eaptls process] = ok (7) eap_fast: Session established. Proceeding to decode tunneled attributes (7) eap_fast: Got Tunneled FAST TLVs (7) eap_fast: FreeRADIUS-EAP-FAST-Result = 1 (7) eap_fast: FreeRADIUS-EAP-FAST-Crypto-Binding = 0x00010101ac837d7f5580b23cd65efd092cef4cc5a7fe7d46b32327c6ba8037304146643d4f9e2cef97169b908fe30c1865b53909b0903557 (7) eap_fast: Forcibly stopping session resumption as it is not allowed (7) eap: Sending EAP Success (code 3) ID 240 length 4 (7) eap: Freeing handler (7) [eap] = ok (7) } # authenticate = ok (7) # Executing section post-auth from file C:\freeradius-3.0.18\etc\raddb\sites-enabled/default (7) post-auth { (7) update { (7) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-SHA' (7) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.1' (7) } # update = noop (7) [exec] = noop (7) policy remove_reply_message_if_eap { (7) if (&reply:EAP-Message && &reply:Reply-Message) { (7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (7) else { (7) [noop] = noop (7) } # else = noop (7) } # policy remove_reply_message_if_eap = noop (7) } # post-auth = noop (7) Sent Access-Accept Id 7 from 0.0.0.0:1812 to 127.0.0.1:62244 length 0 (7) MS-MPPE-Recv-Key = 0x41cce86a7d5697650b7f5ffce0fc1285f330cae573c5140484f030572881adee (7) MS-MPPE-Send-Key = 0xc0b77cfa7d332913d1fe7741d41a25139c0c73523d31f70cc5cc211a44a3318a (7) EAP-Message = 0x03f00004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) User-Name = "1234" (7) Finished request Waking up in 3.7 seconds. (0) Cleaning up request packet ID 0 with timestamp +10 (1) Cleaning up request packet ID 1 with timestamp +10 Waking up in 0.1 seconds. (2) Cleaning up request packet ID 2 with timestamp +10 Waking up in 0.1 seconds. (3) Cleaning up request packet ID 3 with timestamp +10 Waking up in 0.1 seconds. (4) Cleaning up request packet ID 4 with timestamp +10 Waking up in 0.2 seconds. (5) Cleaning up request packet ID 5 with timestamp +11 Waking up in 0.1 seconds. (6) Cleaning up request packet ID 6 with timestamp +11 Waking up in 0.1 seconds. (7) Cleaning up request packet ID 7 with timestamp +11 Ready to process requests
On Mar 4, 2019, at 10:23 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 4, 2019, at 8:43 AM, Sergio NNX <sfhacker@hotmail.com> wrote:
We have recently upgraded FR to 3.0.18 and, after that, EAP-FAST stopped working. Any pointers will be appreciated.
We are using exactly the same config files (or configuration) and username as for FR 3.0.16.
<sigh> I pushed a fix.
That was Arran's bug...
Apologies. Maybe EAP-Fast could be integrated into CIT so we could catch these issues in future? As a style note, why is RADIUS_CHAP_CHALLENGE_LENGTH being used to specify the length of the MPPE key attributes, just because it happens to be 16bytes? That probably accounts for the naming discrepancy in the original commit. -Arran
On Mar 4, 2019, at 11:36 AM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Maybe EAP-Fast could be integrated into CIT so we could catch these issues in future?
We'll work on it.
As a style note, why is RADIUS_CHAP_CHALLENGE_LENGTH being used to specify the length of the MPPE key attributes, just because it happens to be 16bytes? That probably accounts for the naming discrepancy in the original commit.
CHAP-Challenge just happens to be the same length as the MPPE keys. There's no real reason for it. Alan DeKok.
participants (5)
-
Alan DeKok -
Alex Perez-Mendez -
Arran Cudbard-Bell -
Mehrzad Moghaddas -
Sergio NNX