EAP-TTLS first connection works, other won't
I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm using Ubuntu. When I try to connect, first user, (on the logs, "heruan") connect successfully, but subsequent users (e.g. "jamila") won't. If I restart freeradius, and try to connect first with "jamila" and then with "heruan", "jamila" connects and "heruan" doesn't. The only error I'm able to see on the log is: 798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed. 799-[eap] Freeing handler 800-++[eap] returns reject 801-Failed to authenticate the user. 802-Using Post-Auth-Type Reject 803-+- entering group REJECT {...} But I really don't know what it means. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=125 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000b0168657275616e Message-Authenticator = 0x4bd473610ad7dcfdcb6b1016a23acb10 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for heruan [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=heruan)(cn=heruan)) [ldap] expand: dc=aldu,dc=net -> dc=aldu,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.laurelin.aldu.net:389, authentication 0 rlm_ldap: bind as cn=radius,dc=aldu,dc=net/RaD-802.1X to ldap.laurelin.aldu.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan)) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x30... rlm_ldap: sambaLmPassword -> LM-Password == 0x35... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user heruan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x010100160410faf366dabc0e2d2eada92aed8a1beef5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f46e07fbc157e3e44121daf3 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 0 ID 1 with timestamp +11 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f46e07fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060315 Message-Authenticator = 0x24f629997ec0167cb1d9418bb69bf17a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for heruan [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=heruan)(cn=heruan)) [ldap] expand: dc=aldu,dc=net -> dc=aldu,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan)) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x30... rlm_ldap: sambaLmPassword -> LM-Password == 0x35... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user heruan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f56d16fbc157e3e44121daf3 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=393 Cleaning up request 1 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f56d16fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02020103150016030100f8010000f4030148e4e7f928c698fc14284694b68c2ce5e5ad5c04a1d79037c24cd9813e14d02400002600390038003500160013000a00330032002f000500040015001200090014001100080006000302010000a4002300a0f3f755f03310a19873fb5975ca54ee2c19ae8be02615dec2639ee3cc859117d420ddfa88ee933ba72797d57219d2866acb542fa1265c6b02b394ac5cc64d3966bf0734b6513619c825c30980461030e1061454aa062afeb5eeebf04c88d7e5aa76a89c98782c6555301c0f8ade20b29e4e83f7c9e005e07cd2c05173f63f944d065e5000f82e19c313290db58e8cb15f75639d97d17ad3a2da20 EAP-Message = 0x1884e21d7209 Message-Authenticator = 0x5ef1bef4e588c171b000e3c9c399544b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00f8], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0030], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0d44], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 030d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x0103040015c00000109916030100300200002c030148e4e7f9c882e287b5388f22b083365b35904cc0abea3dea125ea2354b8f4df4000039010004002300001603010d440b000d40000d3d0006d2308206ce308204b6a003020102020114300d06092a864886f70d0101050500308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574301e170d3038303532353137 EAP-Message = 0x343933375a170d3131303532353137343933375a30818a310b3009060355040613024954310f300d060355040813065665726f6e6131153013060355040a130c416c6475204e6574776f726b3111300f060355040b13084c617572656c696e3121301f060355040313187261646975732e6c617572656c696e2e616c64752e6e6574311d301b06092a864886f70d010901160e61646d696e40616c64752e6e657430820222300d06092a864886f70d01010105000382020f003082020a0282020100e1506dc7d5db924cd5f782f63b4a6e95fbe1fbab0a411397f249f7447e65d266d5fcc166684fd5409a0d2ff5b034972c8b69a7e4fd286b102c7d9a EAP-Message = 0x9a0bd886919dfd9788b679df6ad937124cde203e89c863f10fe1155e09449ef630bb489fe2ec1aac506107ec5f9ce1bd73100992ff5b7863452a6b73e8274e8d4d8ffe8250ed90f83b0739f66bf47fa8d2c6a23f7fd3413b9bb090762d951e4b873ca983e3aaf2690e92b1b2031765f177eecf6046105b6eea4ea422b130eb338aed9be7126ddff6fca11b398463a3e787c33b33851e231721e312da0b979ee794c48b01dc4f59a5cf79cb294c4dc4102abc8e0c93cdcff7ad4228ee4fe5c7ab2a8f4ba2373d0c86d159a2b43e314281120642a1dbe53c7fc5e77c0c32dc5ab8e8cce23e002480f23c31ee7371b2674205b9e48d62f2153082ae67d061 EAP-Message = 0xc368d86793cf6bf20a5721425d2af0e7ffc1a16ebc5d961a44a8d3e11239282767cf346e4c6205d86fc37be511f70dcb5f5f1cb03c971fd8ab68162146ed68476b2c019d1517397bfb956dead83ba2bc3a04a32c071b8654c6bd5b4f0be5e0a144a79bcbc01c259913808239e5ab6c1af15ae2ae5cb21191432312835ead8a68f7e5cb47c5e9ee5fff4d199d8619ad6ad297003fe2b8df4029872064b60c958bb66e41f45da69d5e80f7bceff2817e562fb3e047952f4f821341d039aee30fe5f5b65989bc14826f0203010001a38201443082014030090603551d1304023000301106096086480186f8420101040403020640302e06096086480186f8 EAP-Message = 0x42010d0421161f416c647520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f66c16fbc157e3e44121daf3 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 2 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f66c16fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 Message-Authenticator = 0x0014a82ba883ba4ae3b8e24f61745d69 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x0104040015c0000010994e6574776f726b20736572766572206365727469666963617465301d0603551d0e0416041486c2b9b3402bae0cb4ed277cd43364ab5d483ceb3081ae0603551d230481a63081a38014fe54771221d91a1005efa50f6f8f886af9cf6447a18187a48184308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574820100300b0603551d0f0404 EAP-Message = 0x030205a030130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038202010081e6d66dea240cd1b99aa67bf1fc1c33f59c3e28412ca6694b1be9bfe8b475c0954b7bee98ed5779654f98edd32d070761641d0b0977704bf918dc81002f6ac48ba27db0b71bfeed4bc8199af442038c9f4bc15e025fe4f86fb5c1b84663d5f3061bff74fe017f3a2e4706b70a6a809c0178b20d98a8af55a3c2cedeba3842d3d120fbc08727984435fac4d4c0dc56ec5ae8b75412935f70242c3c5ff047f8508104b912a2a36ff6cd8860ce938fbcaee40e0b5efb95875b430479d6d3953258a1b824b294be10bae0cf10f2f2983875 EAP-Message = 0x43cdee650acf20db20609ec9df5ee0c144897eb32fe03e5224fb54478169203af95f81345a1f65f589f8115e24fb3e4a9a51b0504751a85dcc79fed0a515c42f1d0e98d55a69f40f3485b3691d2c8fc2ac458c024f911fecf9f87f1319039e129a8da222a245a7822db409b17bc2feca66ecbcd34ff4ffb7f7fb48f472de6bec8227bc2a8b8626b297c4afc54a7165000fe6d34bc56a5119f4b399fd46b5cd77f36f7cc15b884c54348cfc388d2c510a7ff279bf003760f06eee2be7d14e8aef714a65834748992443d7912e7555ba6c842d47eb34cf2a6d8267c4888eb6920b33e23cf1fe1281da00dfacdad69f88fabbbc1fbd034e17a685f07d02fc EAP-Message = 0xb3b3164bf7c1c959a72bcf820a3f8cd4d9fd1c72bdbfcc9031a62642dcc2fe447440eb99a571b10c936c35036d46e0ba5cb9b70006653082066130820449a003020102020100300d06092a864886f70d0101050500308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574301e170d3038303532353137313532335a170d3133303532343137313532335a30818131 EAP-Message = 0x0b3009060355040613024954 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f76b16fbc157e3e44121daf3 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 3 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f76b16fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061500 Message-Authenticator = 0x7d696164144cc750f1bdd7cca30cc641 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x0105040015c0000010993110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e657430820222300d06092a864886f70d01010105000382020f003082020a0282020100e352d800a194047d72504330b65278cf22b0a7211472a77939e369cd5121e27e119f05cb3c660aefda12d90bad75dda2b965f831d5a2e1038bbe7c9f8addb1c5ab1efe5be47d2eac1b3972b68bba4c406916c302c35dfd5ef11d36f1a563 EAP-Message = 0x7ae33661b27f2e9bb8843a5319061eb7167d274bb6942dfc1878b7f638ed9b9ff4ac4b9b5bdf094e275ff5b53a0551f24d1e63f35d7cfa96c2e00a5ca504b62f5f32cfc3d8aa6f589de482bedeb65224d6e425144be81e36eab9844dbb0fc5388a29b55a23f34798a90f534e626e102a0f0df13ae0f72fe99fe9dcf3575bd85a628c06fe8f6cc51f69271b4203ebebfa52b49df5fd0171c36f204bd64c8989d1fa45628140ffa19d8285702462b34ae01721197aefcd87fb79d2417705f8ef205f2b59bafe222a077c91c22e2481dfcc02eb6a0be6fc6317bd52289ef787f1bd9fe34b5b92b7485408ef15ebe685d408d77dcbd9ba07755e4ecf657479 EAP-Message = 0x3855e64291199a5a77440faa0101f2b4c85a3a92c62aa075cd4f535b0b0321d7839c7b59c02d61cc77cbf1ec4425b8726d315a3228fba109abe1ede78e13f5cf82fa216cf0193fcc641cf3a4e97b43dd425b7e95cfd5d3c692332ced3bb96d9b6d5a2fbb3777a951e0cbeee0e23cb7b911c728db165f153c1e4e1c68ba690d7fbcb04fb05e78b0363308ca5a67f4a3ba844407f51d3a4796dbdf3bb01739e33a60720418dd0203010001a381e13081de301d0603551d0e04160414fe54771221d91a1005efa50f6f8f886af9cf64473081ae0603551d230481a63081a38014fe54771221d91a1005efa50f6f8f886af9cf6447a18187a4818430818131 EAP-Message = 0x0b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382020100a53bd0a1d836628f9e26a6c7267136549f18ca3cb6d234a5d055d43abdbcbe0e825def229bdc0cbf3c9f38997a15da051b0ce615e8941940dccd43fb24dbea1ee66af0942af577240d47b79a20ecf28741253f7caef99281 EAP-Message = 0x6fb6b25244e2b2eac310fef7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f06a16fbc157e3e44121daf3 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 4 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f06a16fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061500 Message-Authenticator = 0x11fda5dbe435a0608c3a63c5155aa8b1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x0106040015c000001099d7a86f60a2b967aa0d28ae7fe86fbf4a029e4a6e8ebedbef1eb7c7a344d87591be5b8bb28140d1faec4c4753fac13fb77dab34db643e84a0cb961f8947fc1fc6b0861993319ac5b28086aa3f5b0847b15bb97d24cf1690a3aab0ccff85403dd201abcb1b8b279b4b9ecb641d70269ebc603614afd6c56cbc44c8e0e9ba67661e63c195e60738ae589ce857a6a9e7a38ff15cc4c17f5872efdd743641ce8bf543883c98c8d468635d8c8801b6c8825cd26537ca4f7e1789d4c3bde7c9d1314a1ac5bb5d1eeb2e12ef7a5bb1c3ddef303a68284cd5a53d58aa612852d92b81911302468572546831641111a81733a42bbe129cf9 EAP-Message = 0x85b42790a5eb675e742364bc2cb449da2955062efeaa1f1a661933e9ef6a2d4a85c2611e6cf3b5c42511555c4fcab1e5ea237f8017f3f38d5f84e9adae7549f05128f89779b28586d38257a9883f71939263b4dce4945c13b3048e5f8d6ac94e8eab4c2742671ae683451cfff0bf5aa169f15edf30a7cad9f02ef7d004df5db2d4a8001e10730cdf3b140bc1251ea71d8332b2ddebf0117d6f52cefdde1ba9b055795c10c57b3e53c2160301030d0c000309008080ce0d83f98bb5b938122f41183619678af4e0164cd24f47cb6c69ecf7313e7ac43d06f6fb34b5325985920c43936299b311d655257ed4cb8d3607967a75527d17da7e84e8390ff18b EAP-Message = 0xc461727d7da6f39a11b49f86374fec2f331e878965be0d120ad32452a0d9b351b542cde08bc415b8cd80d966ff4ca1371789b1853940e300010200807cc6f6044995fd93a17e053ddf0bbe507d882e3d8f3b27b0603f2353af138687dcfe87cb5cb7501fdcea18cc6cf67355c9896c4b0818a0163b9f3679059dc182902310021277c8ffe55414a8e99619a2a24a5e2cb5662ab30c75ec82133715ad9e06688b2bc6963521c823eefb086bd740e00951447f4e4fefd88e19c3e14aaf0200016f9884de001868763f3384f0a37c2d5e5f2c546e5651124ff7d87876d0c6106454b23e7727ce9dad73013ebfd31fea3c127dec695615e88bae6c78975129 EAP-Message = 0xcc255fec0bd31afdd66675c29fb77401b7ec5937c8fa709aeea8a776c95a0cf89bd71b3bbb464ef8e36a22c544f16ae465f82d56b96bd677ef57a679da1d55ac3854111535781c9d7b9669d1981a2dfabe289903cc5b85385e7b30b66d1f6c5aadb55a62dcda6d73fc9eea9a2018376dc0cfeac620c890a0488e14fe3803b4aea478d8c56f1b7e54fbc4871b3a5ead95dae254ac8928fadd6a8051ec5c930834f2b1b18a4de92835fe8e048d8f2bc33fc3a1873813afef40a8c657847def19ac8d8741ec4e812d2cc704dfce92977bcbe1555bbdedf75e569423eb02001d5771060506e05ea83daccecdc39c81c53c66f2970e018b5ae548b7a49d8c1c EAP-Message = 0xa6fca7afb134ff1b5e08890f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f16916fbc157e3e44121daf3 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 5 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f16916fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061500 Message-Authenticator = 0xff6b6c02b603f2c9cc862800ffbc096c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x010700cb158000001099c703820dae9f500e0be2f038c86fd40cf924c4f49781eaca0617a4348a94f66f6013842f7a5c4c6734194d13e75aad29a67799ad0847d46ebfa076adf64fbb05b63f74cf48162ca2a4f1f6a693fae9a8306134d36da2bd8acfca12e55cfa1b900130559d56e6d67806ed885cc680d7d1615f75fdbbfcedbfff275d973b76e16a92a6306c6ba48597d24e322daa794d8b5b08232c204de060884e7d87b351ab3b707c586b1f30ac8d1fe689217a0fef590288d2e43eed6d3616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f26816fbc157e3e44121daf3 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=336 Cleaning up request 6 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f26816fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700cc15001603010086100000820080673f637cef57b74512a57a131307458ae072e52dfbe740e3cbdec7fea4eb4fd68ad80762590666712aadd701da61f1f89e590be9e4f15d0dfcc7b70736b35ae1467b545d59317ef639995905c98045969583090d2f0f92152b475fcdcaafa228da295afc34ee4d671f41c9b737810956da9ece2877c4bec44d24db7f4c53f354140301000101160301003038789a08b245fc126bbe3a24a5624b34f496185bbefc58f52ba017868c9bcc17a8e50158c370342e857fe3e77b61549f Message-Authenticator = 0xb9d62831c9c7caefdf69c3b99c4d8957 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 Handshake [length 00aa]??? [ttls] TLS_accept: unknown state [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x010800f41580000000ea16030100aa040000a60000000000a060ca7c093b0c08609eda8927d1b01099807479bd89282e811614e29108fea13762dd72c299cdd17f1562f34bf674fc2f08625e4fb6c5538c8505002a70f6343a67f117db650d06a50bcab321e759fcb25d0d64732dada6031d6b5597734f447a9ae20c2f490b02262094c018490ec5489cb437f4c93c328c096a73640dbd921b0930f0f3d7f1885822184235fcd23f2cf7bf739a496de5b4dc6a6480b89d4c5a1403010001011603010030e721d41d48f9ebbf90b0d949e20669215f2fa79c9f55b2a6178276e03b4e1fea4d694027607ef7622edb42291c72ee4a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2f36716fbc157e3e44121daf3 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=308 Cleaning up request 7 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2f36716fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800b015001703010020dcff405e309bcc0a01d21f9df29f7399f13a55b30378b767595bc3b11024b5a91703010080aee67219dc7dcd15dfe508647563e4f24f003113bae2c10d9d6fb8dd023da2d3c81bcff3a18c4a2d07c6e27d1e0e2385e3fd86058abe23a074078053446409d45e7ef65e5a6977899a95604f943fa43fdd9d2b70186f66644a916f0cc7673748bf09837d8cc0c3926cc6920a681fd549bd8061977cdc0e7e6c5ff21c849fb5a3 Message-Authenticator = 0x8486851c6545cab5b42fd05d3a183a04 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 176 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "heruan" MS-CHAP-Challenge = 0x21baa0943340f88f07f8802a8ac6690f MS-CHAP2-Response = 0x7e0000000019000000c84e1909b04e190903000000000000000085749071e94c2f3f736d3aba3d7874e3961c739ea28340db FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "heruan" MS-CHAP-Challenge = 0x21baa0943340f88f07f8802a8ac6690f MS-CHAP2-Response = 0x7e0000000019000000c84e1909b04e190903000000000000000085749071e94c2f3f736d3aba3d7874e3961c739ea28340db FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[unix] returns notfound [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [ldap] performing user authorization for heruan [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=heruan)(cn=heruan)) [ldap] expand: dc=aldu,dc=net -> dc=aldu,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan)) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x30... rlm_ldap: sambaLmPassword -> LM-Password == 0x35... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user heruan authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for heruan with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok } # server inner-tunnel [ttls] Got tunneled reply code 2 MS-CHAP2-Success = 0x7e533d31324145363332353036363734304334343836353236363239423738453843303538363539334346 MS-MPPE-Recv-Key = 0x90e46fe588c50f30b1fabcf942019be5 MS-MPPE-Send-Key = 0xea3ea373e2e1e279c847a7beb2c5f588 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x0109006f1580000000651703010060616bdc70b991cb3ccc5449f13e93a374a0be21787fc7a91d0195a68017ddc3e1c4bcbbcee2e5aaf6bcae29b09aefd237f693eebc4b3ebcba8068dbe3b71e9d6af3236bee9a2efa8358d594a74f65490319ed9e64ef06f10fe8212068c05844a9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf46f03b2fc6616fbc157e3e44121daf3 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 8 ID 1 with timestamp +12 User-Name = "heruan" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0xf46f03b2fc6616fbc157e3e44121daf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900061500 Message-Authenticator = 0xa01f486fa472b238ae70656c633e9340 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "heruan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 1 to 192.168.22.1 port 3073 MS-MPPE-Recv-Key = 0xa7d9381f75ce74495aa1f0e6aa017f40e573239eb999d715d95e9ff50ae10569 MS-MPPE-Send-Key = 0xbcc49edaa0afd7e62cbe97392c3c01dd52267bd6454a24b4b1f335618528ec18 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "heruan" Finished request 9. Going to the next request Waking up in 4.9 seconds. Cleaning up request 9 ID 1 with timestamp +12 Ready to process requests. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=125 User-Name = "jamila" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000b016a616d696c61 Message-Authenticator = 0xcdae13a716b61cabbcb70e726276d665 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jamila", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for jamila [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=jamila)(cn=jamila)) [ldap] expand: dc=aldu,dc=net -> dc=aldu,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=jamila)(cn=jamila)) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x44... rlm_ldap: sambaLmPassword -> LM-Password == 0x42... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user jamila authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x01010016041067c2d2ac231b541d1ebb9d5e9aef272e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7d75f9417d74fd26c22394ad8dcd0b12 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=138 Cleaning up request 10 ID 1 with timestamp +25 User-Name = "jamila" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0x7d75f9417d74fd26c22394ad8dcd0b12 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060315 Message-Authenticator = 0xa8d0e7d17c0e5240d1bb804c2703807d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jamila", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for jamila [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}})) -> (|(uid=jamila)(cn=jamila)) [ldap] expand: dc=aldu,dc=net -> dc=aldu,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=jamila)(cn=jamila)) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x44... rlm_ldap: sambaLmPassword -> LM-Password == 0x42... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user jamila authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7d75f9417c77ec26c22394ad8dcd0b12 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=393 Cleaning up request 11 ID 1 with timestamp +25 User-Name = "jamila" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0x7d75f9417c77ec26c22394ad8dcd0b12 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02020103150016030100f8010000f4030148e4e806522dfb2b7aec334d620648c3c4485a1e0b6d2b0dc25fdd747efeee4600002600390038003500160013000a00330032002f000500040015001200090014001100080006000302010000a4002300a060ca7c093b0c08609eda8927d1b01099807479bd89282e811614e29108fea13762dd72c299cdd17f1562f34bf674fc2f08625e4fb6c5538c8505002a70f6343a67f117db650d06a50bcab321e759fcb25d0d64732dada6031d6b5597734f447a9ae20c2f490b02262094c018490ec5489cb437f4c93c328c096a73640dbd921b0930f0f3d7f1885822184235fcd23f2cf7bf739a496de5b4dc6a EAP-Message = 0x6480b89d4c5a Message-Authenticator = 0x89044f83ea2af62d3bcf0b6260d427df +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jamila", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00f8], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read finished A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x0103007415800000006a160301002a02000026030148e4e8063dbbed9ca6725e2645bd72a6173fb03e4cb690ea59de42089734b392000039011403010001011603010030d93ac0e280be40fbe5c37337e666f049168441db2ab2559b2c80603a9f691dfa54793f42b378988c90a4dde60351e7b7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7d75f9417f76ec26c22394ad8dcd0b12 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.22.1 port 3073, id=1, length=197 Cleaning up request 12 ID 1 with timestamp +25 User-Name = "jamila" NAS-IP-Address = 192.168.22.1 Called-Station-Id = "00c049d3f40e" Calling-Station-Id = "002268c0eb93" NAS-Identifier = "00c049d3f40e" NAS-Port = 184 Framed-MTU = 1400 State = 0x7d75f9417f76ec26c22394ad8dcd0b12 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300411500140301000101160301003013ca1053acec332d812ff938d32329665b95b49a397a3b018a5ada0c8f43cac051573f2c7f0e18b21941acd317161ed3 Message-Authenticator = 0x600117a5ce085e9040580d94a1a0becf +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jamila", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 65 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] (other): SSL negotiation finished successfully SSL Connection Established SSL Application Data [ttls] eaptls_process returned 3 [ttls] Skipping Phase2 due to session resumption [ttls] FAIL: Forcibly stopping session resumption as it is not allowed. [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jamila attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 13 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 13 Sending Access-Reject of id 1 to 192.168.22.1 port 3073 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 13 ID 1 with timestamp +25 Ready to process requests. giovanni@radius.laurelin.aldu.net:~$ xit
Giovanni Lovato wrote:
I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm using Ubuntu. When I try to connect, first user, (on the logs, "heruan") connect successfully, but subsequent users (e.g. "jamila") won't. If I restart freeradius, and try to connect first with "jamila" and then with "heruan", "jamila" connects and "heruan" doesn't. The only error I'm able to see on the log is:
798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
? Session resumption is done on a per-user basis. Session resumption for one user does NOT affect other users. The only way that this can happen is if you use one user name for the first session, and then using the *same* SSL data, try to authenticate using a different User-Name. All I can say is I can't reproduce this on my system. Alan DeKok.
Alan DeKok wrote:
Giovanni Lovato wrote:
I set up freeradius 2.1.1 for EAP-TTLS, on Debian Lenny. As client I'm using Ubuntu. When I try to connect, first user, (on the logs, "heruan") connect successfully, but subsequent users (e.g. "jamila") won't. If I restart freeradius, and try to connect first with "jamila" and then with "heruan", "jamila" connects and "heruan" doesn't. The only error I'm able to see on the log is:
798:[ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
? Session resumption is done on a per-user basis. Session resumption for one user does NOT affect other users.
The only way that this can happen is if you use one user name for the first session, and then using the *same* SSL data, try to authenticate using a different User-Name.
All I can say is I can't reproduce this on my system.
Mmmm... After a little more investigation, I think it's the AP that cause the problem: it receive an Access-Accept but ignores it, sends another Access-Request and FR correctly generates an Access-Reject because of the duplicate request. So it's not a FR issue, but if someone has an advice on how to debug this, any help will be appreciated!
Giovanni Lovato wrote:
Mmmm... After a little more investigation, I think it's the AP that cause the problem: it receive an Access-Accept but ignores it, sends another Access-Request and FR correctly generates an Access-Reject because of the duplicate request. So it's not a FR issue, but if someone has an advice on how to debug this, any help will be appreciated!
Hmm... I think I see what's happening. The NAS is broken... it not only ignores the Access-Accept, but when it re-transmits the previous request, it does so with a *new* RADIUS Id. This means that the code in FreeRADIUS to detect retransmissions isn't used... and the packet is processed as a new request. If the NAS wasn't broken, it would re-transmit the request using the same RADIUS Id, and FreeRADIUS would send the same (saved) Access-Accept back, without doing any additional processing. The best advice is to replace the NAS. It's broken. Alan DeKok.
Alan DeKok wrote:
Giovanni Lovato wrote:
Mmmm... After a little more investigation, I think it's the AP that cause the problem: it receive an Access-Accept but ignores it, sends another Access-Request and FR correctly generates an Access-Reject because of the duplicate request. So it's not a FR issue, but if someone has an advice on how to debug this, any help will be appreciated!
Hmm... I think I see what's happening. The NAS is broken... it not only ignores the Access-Accept, but when it re-transmits the previous request, it does so with a *new* RADIUS Id. This means that the code in FreeRADIUS to detect retransmissions isn't used... and the packet is processed as a new request.
If the NAS wasn't broken, it would re-transmit the request using the same RADIUS Id, and FreeRADIUS would send the same (saved) Access-Accept back, without doing any additional processing.
The best advice is to replace the NAS. It's broken.
Thank you very much, your explanation is perfectly clear. The NAS is a D-Link DWL-G700AP with a modified firmware (Wive). I'm trying it because I need accounting and the original firmware doesn't send accounting packets. I'll try to replace the daemon which does AAA on the NAS OS and see if the issue persists.
Hi, where can I learn some more about striping usernames?
participants (3)
-
Alan DeKok -
Giovanni Lovato -
Leander S.