3com wx - peap-mschapv2 - freeradius - mysql
Hello, I have a wireless network based on wx switch 3com (centrally managed access-point) and I'm trying to activate WPA protection on one ssid "wpa-experimental". I hope to have configured all the component correctly. When I attempt to connect, on radius log (started by radiusd -X) I see: rad_recv: Access-Request packet from host 149.139.32.61:20001, id=118, length=148 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User EAP-Message = 0x0201000d0161676f7374696e69 User-Name = "agostini" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = xxx.xxx.xxx.xxx Message-Authenticator = 0x3c8c9588223b33c4a8dafd70db73e334 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 203 modcall[authorize]: module "preprocess" returns ok for request 203 modcall[authorize]: module "chap" returns noop for request 203 modcall[authorize]: module "mschap" returns noop for request 203 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 203 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 203 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 203 users: Matched DEFAULT at 155 modcall[authorize]: module "files" returns ok for request 203 modcall: group authorize returns updated for request 203 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type Local Warning: Found 2 auth-types on request for user 'agostini' auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [agostini/<no User-Password attribute>] (from client Wx1200-B1D port 0 cli 00-08-E3-B0-73-46) Delaying request 203 for 1 seconds Finished request 203 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 118 to 149.139.32.61:20001 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 203 ID 118 with timestamp 44896cc8 Nothing to do. Sleeping until we see a request. Have you any idea what is wrong? Thank you in advance A Agostini
Hi,
users: Matched DEFAULT at 155 modcall[authorize]: module "files" returns ok for request 203 modcall: group authorize returns updated for request 203 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type Local Warning: Found 2 auth-types on request for user 'agostini' auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user.
reading the above section might have given you a clue that Auth-Type Local is not a good thing (tm). Take a look in the "users" file, line 155, and see if this might force Auth-Type Local. If it does, comment it out. Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Stefan Winter ha scritto:
Hi,
users: Matched DEFAULT at 155 modcall[authorize]: module "files" returns ok for request 203 modcall: group authorize returns updated for request 203 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type Local Warning: Found 2 auth-types on request for user 'agostini' auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user.
reading the above section might have given you a clue that Auth-Type Local is not a good thing (tm). Take a look in the "users" file, line 155, and see if this might force Auth-Type Local. If it does, comment it out.
Hi Stefan, please to meet you, I'm following your discussion on "mobility" list. I am very interesting to EDUROAM here in Florence. However, now I have checked "users" file; there was some DEFAULT row. Now I have correct it. I have tried to modify the "Auth-Type" in radcheck table to: EAP (was Local), but the result is similar. Have you any idea what is wrong now? Thanks A.Agostini Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.xxx.xxx:20002, id=35, length=159 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "agostini" State = 0x07ddb48e264cc0bfa432dbc1a5a2bba8 EAP-Message = 0x020a00061900 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = xxx.xxx.xxx.xxx Message-Authenticator = 0x0563e5b96edfc128b52b63cdd553b752 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 8 modcall[authorize]: module "files" returns notfound for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'agostini' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 35 to 149.139.32.61:20002 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010b02f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8 EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010 EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbb58837b0ad36c22eccc43e62d0730b1 Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.xxx.xxx:20002, id=36, length=159 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "agostini" State = 0xbb58837b0ad36c22eccc43e62d0730b1 EAP-Message = 0x020b00061900 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = xxx.xxx.xxx.xxx Message-Authenticator = 0x0349691ed54a09348ce3734b3afbbcd8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 11 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 9 modcall[authorize]: module "files" returns notfound for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'agostini' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 9 modcall: group authenticate returns handled for request 9 Sending Access-Challenge of id 36 to xxx.xxx.xxx.xxx:20002 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbbcc6567f4091f2cbd3633228aec4bc Finished request 9 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 32 with timestamp 44898894 Cleaning up request 6 ID 33 with timestamp 44898894 Cleaning up request 7 ID 34 with timestamp 44898894 Cleaning up request 8 ID 35 with timestamp 44898894 Cleaning up request 9 ID 36 with timestamp 44898894 Nothing to do. Sleeping until we see a request.
news.gmane.org wrote:
However, now I have checked "users" file; there was some DEFAULT row. Now I have correct it. I have tried to modify the "Auth-Type" in radcheck table to: EAP (was Local), but the result is similar. Have you any idea what is wrong now?
Just for info - you should NOT set Auth-Type. You don't need to. Correctly configured, the server will set it correctly. Only VERY specialist applications require setting Auth-Type As for below - the NAS stops talking to the server. Find out why. I believe there's some case where the server certificate needs the so-called "magic OIDs" or windows will stop half-way through a PEAP setup. Search the list archives for details.
modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 9 modcall: group authenticate returns handled for request 9 Sending Access-Challenge of id 36 to xxx.xxx.xxx.xxx:20002 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbbcc6567f4091f2cbd3633228aec4bc Finished request 9 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 32 with timestamp 44898894 Cleaning up request 6 ID 33 with timestamp 44898894 Cleaning up request 7 ID 34 with timestamp 44898894 Cleaning up request 8 ID 35 with timestamp 44898894 Cleaning up request 9 ID 36 with timestamp 44898894 Nothing to do. Sleeping until we see a request.
Hello,
Hi Stefan, please to meet you, I'm following your discussion on "mobility" list. I am very interesting to EDUROAM here in Florence.
Ah, very good news indeed! You'll get Gold support from now on ;-)
However, now I have checked "users" file; there was some DEFAULT row. Now I have correct it. I have tried to modify the "Auth-Type" in radcheck table to: EAP (was Local), but the result is similar. Have you any idea what is wrong now?
First, editing "users" made the "Local" go away, which is good. But as Phil said, setting Auth-Type manually is usually not necessary. Just leave the request alone. The server can find out by itself that it is an EAP message by the presence of the "EAP-Message" attribute. So, it will set Auth-Type = EAP itself. Since you also set it manually, it's there twice and a similar warning as before is spit out:
rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'agostini'
But that doesn't disturb the auth process in the initial phase. It might get in the way for the tunneled MS-CHAPv2 request later, so I suggest to take away the manual setting anyway. As for the question why authentication doesn't work: Phil is right in saying that the client doesn't want to talk to the server after he received its certificate (it's not actually the NAS - the EAP conversation is almost completely transparent to the NAS). The client doesn't like the server certificate, which may have a variety (non-FreeRADIUS caused) reasons: - certificate has expired - signed by a CA the client didn't expect or like - the CN field configured in the client doesn't correspond to the one in the certificate - the server certificate doesn't contain the Windows TLS Server Extension OID Of all these reasons (there may be more), my guess is that the last one is true (as also suggested by Phil): if you use the native Windows XP supplicant, the server must have a specific OID in the certificate in order for authentication to work. You may want to search the mailing list archive for this OID and how to include it in a certificate. There are also a few HOWTOs out there. The more proper solution though would be to _not_ use this incredibe freak of nature that calls itself the Windows XP supplicant, but instead use a nicer supplicant like the (free, open source) one at www.securew2.com (which speaks EAP-TTLS, which is more open and easier to handle than the built-in PEAP-MS-CHAPv2). You can find out that the problem is more on the client side by looking towards the end of the logs:
Sending Access-Challenge of id 36 to xxx.xxx.xxx.xxx:20002 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbbcc6567f4091f2cbd3633228aec4bc Finished request 9 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 32 with timestamp 44898894 Cleaning up request 6 ID 33 with timestamp 44898894 Cleaning up request 7 ID 34 with timestamp 44898894 Cleaning up request 8 ID 35 with timestamp 44898894 Cleaning up request 9 ID 36 with timestamp 44898894 Nothing to do. Sleeping until we see a request.
You sent something to the client, but it doesn't answer any more. It doesn't like your server. You can be fairly sure that there is no network problem underneath because the earlier Access-Challenge packets were answered by the client. HTH, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Stefan Winter ha scritto:
Hello,
Ah, very good news indeed! You'll get Gold support from now on ;-)
Great!
First, editing "users" made the "Local" go away, which is good. But as Phil said, setting Auth-Type manually is usually not necessary. Just leave the request alone. The server can find out by itself that it is an EAP message by the presence of the "EAP-Message" attribute. So, it will set Auth-Type = EAP itself. Since you also set it manually, it's there twice and a similar warning as before is spit out:
How can you see in log following, there is only EAP row now! Thanks. .... I have checked the certificate but seem ok.
You sent something to the client, but it doesn't answer any more. It doesn't like your server. You can be fairly sure that there is no network problem underneath because the earlier Access-Challenge packets were answered by the client.
The network is ok. I have also changed some parameters following some HOWTO and other PDF I have found on NET, but the result is the same. However this is the situation now. I have captured some packets with ethereal an this is the summary of connection session: Client -> AP EAPOL Start AP -> Client EAP Request, Identity [RFC3748] Client -> AP EAP Response, Identity [RFC3748] AP -> Client EAP Request, PEAP [Palekar] Client -> AP TLS Client Hello AP -> Client EAP Request, PEAP [Palekar] Client -> AP EAP Response, PEAP [Palekar] AP -> Client TLS Server Hello, Certificate Server Hello Done Client -> AP EAP Response, PEAP [Palekar] AP -> Client EAP Request, PEAP [Palekar] Client -> AP EAPOL Start ... loop ... also this is the radiusd log: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "root" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = no mschap: require_encryption = yes mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = no rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded SQL sql: driver = "rlm_sql_mysql" sql: server = "localhost" sql: port = "" sql: login = "root" sql: password = "" sql: radius_db = "radius" sql: acct_table = "radacct" sql: acct_table2 = "radacct" sql: authcheck_table = "radcheck" sql: authreply_table = "radreply" sql: groupcheck_table = "radgroupcheck" sql: groupreply_table = "radgroupreply" sql: usergroup_table = "usergroup" sql: nas_table = "nas" sql: dict_table = "dictionary" sql: sqltrace = yes sql: sqltracefile = "/var/log/radius/sqltrace.sql" sql: readclients = no sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = "UPDATE radacct ? SET FramedIPAddress = '%{Framed-IP-Address}', ? AcctSessionTime = '%{Acct-Session-Time}', ? AcctInputOctets = '%{Acct-Input-Octets}', ? AcctOutputOctets = '%{Acct-Output-Octets}' ? WHERE AcctSessionId = '%{Acct-Session-Id}' ? AND UserName = '%{SQL-User-Name}' ? AND NASIPAddress= '%{NAS-IP-Address}'" sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')" sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0" sql: postauth_table = "radpostauth" sql: postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to root@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Instantiated sql (sql) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 149.139.32.61:20004, id=30, length=148 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User EAP-Message = 0x0279000d0161676f7374696e69 User-Name = "agostini" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0xcbf1e06a1eba4c559a303df5b7de9ee6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 121 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 30 to 149.139.32.61:20004 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x017a00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x50ad37e8f1dd24a5f516ec7eeba73f60 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20004, id=31, length=233 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "agostini" State = 0x50ad37e8f1dd24a5f516ec7eeba73f60 EAP-Message = 0x027a005019800000004616030100410100003d0301448eb83ad105bb8bfb7ca5aacf000023164f73d5f221c72e5bdc3cf41499c5d800001600040005000a000900640062000300060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0xf010ccb20c22abcc0476cc077613cd1e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 122 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 31 to 149.139.32.61:20004 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x017b040a19c0000006f1160301004a020000460301448eb84e5d75c29cbd62152ab97e13e3b9708dc88c4f4ed065844e69f6a378e2204890781d2cbaee40a75e0e75e96668b489a094f0225889255d17e1b47d1ed76d00040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365 EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09 EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb75f68c884e8bdd6c89830398182e8c Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20004, id=32, length=159 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "agostini" State = 0xdb75f68c884e8bdd6c89830398182e8c EAP-Message = 0x027b00061900 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x224819da6a1743647cdfe704a4f86eff Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 123 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 32 to 149.139.32.61:20004 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x017c02f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8 EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010 EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9db9b57395277d8240d433eb820c018b Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20004, id=33, length=159 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "agostini" State = 0x9db9b57395277d8240d433eb820c018b EAP-Message = 0x027c00061900 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x26c12df176b6d3647ecec0e25015c134 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "agostini", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 124 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 radius_xlat: 'agostini' rlm_sql (sql): sql_set_user escaped user --> 'agostini' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'agostini' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'agostini' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 3 modcall[authorize]: module "files" returns notfound for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 33 to 149.139.32.61:20004 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x017d00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4941735ca0eda4ea16be6e97e54a2c99 Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 30 with timestamp 448eb84e Cleaning up request 1 ID 31 with timestamp 448eb84e Cleaning up request 2 ID 32 with timestamp 448eb84e Cleaning up request 3 ID 33 with timestamp 448eb84e Nothing to do. Sleeping until we see a request. Sorry for this very long,long post. Can you help me? A.Agostini
Hi!
Client -> AP EAPOL Start AP -> Client EAP Request, Identity [RFC3748] Client -> AP EAP Response, Identity [RFC3748] AP -> Client EAP Request, PEAP [Palekar] Client -> AP TLS Client Hello AP -> Client EAP Request, PEAP [Palekar] Client -> AP EAP Response, PEAP [Palekar] AP -> Client TLS Server Hello, Certificate Server Hello Done Client -> AP EAP Response, PEAP [Palekar] AP -> Client EAP Request, PEAP [Palekar] Client -> AP EAPOL Start ...
This is what is also reflected in the debug output later in your mail: the client still doesn't like the server and stops talking to it after it sees the server certificate. If you wish, send me the public part of the certificate via PM and I'll look if the required OIDs are in it. Greetings, Stefan -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Stefan Winter ha scritto:
Hi!
It is incredible! I have just installed SecureW2 and all is ok now! Have you any idea why XP SP2 didn't work? For my user will be more comfortable use XP interface instead install and use SecureW2. A second problema. I have activate accounting but in "radacct" (log file and mysql table) I can't see the IP address of the supplicant client. I see only the nas ip address. There are some parameter to secify to add this feature? Following you can see the AAA log now, thank you very much for your help. Alessandro =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2006.06.16 11:31:56 =~=~=~=~=~=~=~=~=~=~=~= rad_recv: Access-Request packet from host 149.139.32.61:20005, id=50, length=148 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User EAP-Message = 0x0201000d01616e647265756363 User-Name = "andreucc" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x2b4afa796d61155f27b6541bc1656620 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 40 modcall[authorize]: module "preprocess" returns ok for request 40 modcall[authorize]: module "chap" returns noop for request 40 modcall[authorize]: module "mschap" returns noop for request 40 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 40 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 40 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 40 modcall[authorize]: module "files" returns notfound for request 40 modcall: group authorize returns updated for request 40 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 40 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 40 modcall: group authenticate returns handled for request 40 Sending Access-Challenge of id 50 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf82c5c85632ef77d01a75cb767b54d0c Finished request 40 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=51, length=159 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0xf82c5c85632ef77d01a75cb767b54d0c EAP-Message = 0x020200060315 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x5da6d901e58254e66be7474b0cede914 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 41 modcall[authorize]: module "preprocess" returns ok for request 41 modcall[authorize]: module "chap" returns noop for request 41 modcall[authorize]: module "mschap" returns noop for request 41 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 41 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 41 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 41 modcall[authorize]: module "files" returns notfound for request 41 modcall: group authorize returns updated for request 41 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 41 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 41 modcall: group authenticate returns handled for request 41 Sending Access-Challenge of id 51 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6ac64571854b50844471628e06aab242 Finished request 41 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=52, length=213 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0x6ac64571854b50844471628e06aab242 EAP-Message = 0x0203003c158000000032160301002d010000290301fc020900eed96d87875fcf65bebbd2a946effaeb29a6a5407cf4d58dde28dd79000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x83c5f67a2d4b53094fc6321a4587300b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 42 modcall[authorize]: module "preprocess" returns ok for request 42 modcall[authorize]: module "chap" returns noop for request 42 modcall[authorize]: module "mschap" returns noop for request 42 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 42 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 42 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 42 modcall[authorize]: module "files" returns notfound for request 42 modcall: group authorize returns updated for request 42 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 42 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 42 modcall: group authenticate returns handled for request 42 Sending Access-Challenge of id 52 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x0104040a15c0000006f1160301004a02000046030144927a9ae4869ce6957ded8e328b85eaecc585cbd333a6911c18553e72eecde820683d0de362645f22d761ffff6a36da58ffdf7465b61596764a9ee9cdb77c2255000a0016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365 EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09 EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf3b9cd219d3052e9bbb8061ac6c584f9 Finished request 42 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=53, length=159 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0xf3b9cd219d3052e9bbb8061ac6c584f9 EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0xc259d68f8b77337487c5dc11c62c70a3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 43 modcall[authorize]: module "preprocess" returns ok for request 43 modcall[authorize]: module "chap" returns noop for request 43 modcall[authorize]: module "mschap" returns noop for request 43 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 43 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 43 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 43 modcall[authorize]: module "files" returns notfound for request 43 modcall: group authorize returns updated for request 43 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 43 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 43 modcall: group authenticate returns handled for request 43 Sending Access-Challenge of id 53 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010502fb1580000006f1170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52cc EAP-Message = 0xb99b41e80ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e EAP-Message = 0x31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c51603010004 EAP-Message = 0x0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae863cadd3c45a1c9b375f1fcd3b4c9c Finished request 43 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=54, length=353 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0xae863cadd3c45a1c9b375f1fcd3b4c9c EAP-Message = 0x020500c81580000000be16030100861000008200806e4c406596b4f70fd4c45e6560758938a71fb729e106b49689d0d08d5b730f3abc1e464422109e3721fdc238bc7de4e40f43ddad203860447798360e7dfe21a57eb461ffcc87785db4f495d18eb28bb636a37b07b46ffc95c91bcda2f5e17c82f8f27b2ea1972b8abf47ae2fa26b7df0f0b3fa43165a3393ca5ee8240495e8ce1403010001011603010028d471bb3ed5ee049d4dbd994e0e9abdad765aa85434b821ddb8abf3ba1c2f9efc5dbf6778274aa3d1 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0xfe57d7755364df869cc84e2463ebe71d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 44 modcall[authorize]: module "preprocess" returns ok for request 44 modcall[authorize]: module "chap" returns noop for request 44 modcall[authorize]: module "mschap" returns noop for request 44 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 44 rlm_eap: EAP packet type response id 5 length 200 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 44 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 44 modcall[authorize]: module "files" returns notfound for request 44 modcall: group authorize returns updated for request 44 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 44 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 44 modcall: group authenticate returns handled for request 44 Sending Access-Challenge of id 54 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x0106003d1580000000331403010001011603010028ec2e3c3141e36f760792d396bf52c5400292fbbbf074fef5a9c0a4f193e6eb3fda9d23dfdffb3d4f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf5313c197f9b6b2f6255325aecf98621 Finished request 44 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=55, length=240 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0xf5313c197f9b6b2f6255325aecf98621 EAP-Message = 0x0206005715800000004d1703010048378795a078485cf6d11be71e2fa85c479c4ecb83edf7f245be7c8fc57473d6e97d9ef1a8af1c6a2972499277b9b98584f0262a37d42a2518d45c9ebf488398ef43a2f8c18ab91ddd NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x9ed901d68235d7ebcb0e263bbdab7021 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 45 modcall[authorize]: module "preprocess" returns ok for request 45 modcall[authorize]: module "chap" returns noop for request 45 modcall[authorize]: module "mschap" returns noop for request 45 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 45 rlm_eap: EAP packet type response id 6 length 87 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 45 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 45 modcall[authorize]: module "files" returns notfound for request 45 modcall: group authorize returns updated for request 45 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 45 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request EAP-Message = 0x0200000d01616e647265756363 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Got tunneled identity of andreucc TTLS: Setting default EAP type for tunneled EAP session. TTLS: Sending tunneled request EAP-Message = 0x0200000d01616e647265756363 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "andreucc" NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 45 modcall[authorize]: module "preprocess" returns ok for request 45 modcall[authorize]: module "chap" returns noop for request 45 modcall[authorize]: module "mschap" returns noop for request 45 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 45 rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 45 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 45 modcall[authorize]: module "files" returns notfound for request 45 modcall: group authorize returns updated for request 45 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 45 rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 45 modcall: group authenticate returns handled for request 45 TTLS: Got tunneled reply RADIUS code 11 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010100160410d794d1f9227864299706437598f3f1a9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed756e8a67ee45432bfbf8f7b70edabb TTLS: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 45 modcall: group authenticate returns handled for request 45 Sending Access-Challenge of id 55 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x0107006415800000005a17030100180e7350b38814fbd5d284fc2516fab92a08b7e4bdc77d15121703010038bc63d6cafb8e918683d2833406c12e909853d4adab6f100d735539bbd40a30fa834ae8e5fe8705c5b2ab31c17343cc7da8570099674f929e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa7c64ea508dd3faaf6c04d57b12e3b58 Finished request 45 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=56, length=232 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0xa7c64ea508dd3faaf6c04d57b12e3b58 EAP-Message = 0x0207004f1580000000451703010040de2ea6888cbed92c95d01e061f4bf4ea7d8a615d41bd69870d24635662ce65aa479f1914307d05f608da9319f144855ee99ab67e14869d5b5217698ad53cb2fe NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0xa67089fa201286c426f4c889ed5379c6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 46 modcall[authorize]: module "preprocess" returns ok for request 46 modcall[authorize]: module "chap" returns noop for request 46 modcall[authorize]: module "mschap" returns noop for request 46 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 46 rlm_eap: EAP packet type response id 7 length 79 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 46 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 46 modcall[authorize]: module "files" returns notfound for request 46 modcall: group authorize returns updated for request 46 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 46 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request EAP-Message = 0x02010006031a Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Adding old state with ed 75 TTLS: Sending tunneled request EAP-Message = 0x02010006031a Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "andreucc" State = 0xed756e8a67ee45432bfbf8f7b70edabb NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 46 modcall[authorize]: module "preprocess" returns ok for request 46 modcall[authorize]: module "chap" returns noop for request 46 modcall[authorize]: module "mschap" returns noop for request 46 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 46 rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 46 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 0 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 46 modcall[authorize]: module "files" returns notfound for request 46 modcall: group authorize returns updated for request 46 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 46 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/mschapv2 rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 46 modcall: group authenticate returns handled for request 46 TTLS: Got tunneled reply RADIUS code 11 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x010200221a0102001d100672f896d50b3676aa3970d3f62bb805616e647265756363 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x813684ca3299995136a2c8ba1a5becc0 TTLS: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 46 modcall: group authenticate returns handled for request 46 Sending Access-Challenge of id 56 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x0108007415800000006a1703010018c7489bc21a04b28bff5feb3a488e6e0d54ecade4ba290db617030100484198f9c1ccfc361cdca2523272a6702629ddeb3668a467479474fbd81458c1986a574be8dce4071995e34a3a97384e8acf9c2843fbea39db279779cbb256a512d586335dc30ffa4c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe98ef96def4d0229110801d949be80e0 Finished request 46 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=57, length=296 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0xe98ef96def4d0229110801d949be80e0 EAP-Message = 0x0208008f1580000000851703010080e21fbe3a570fb59d88896fac19226037768af965ee0098e915d76140250e03f8637097b9cb5cbbb1fe4ce5728a4c5a2b554b435dcf513bf21e3fbf9e360a9c326111a60c329340d294983f84c05673f4c0741500b70f635f9b61386d34fdf28bd7115f13c3ef8b15887dc12b707b431bee1c71cac7ce9efecb364fa3acba8675 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0x22ea7c929a3b9ed4d2ebb34589d46e14 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 47 modcall[authorize]: module "preprocess" returns ok for request 47 modcall[authorize]: module "chap" returns noop for request 47 modcall[authorize]: module "mschap" returns noop for request 47 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 47 rlm_eap: EAP packet type response id 8 length 143 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 47 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns ok for request 47 modcall[authorize]: module "files" returns notfound for request 47 modcall: group authorize returns updated for request 47 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 47 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request EAP-Message = 0x020200431a0202003e313c9bdaf99b4c49f82fbebb8edddc2eb10000000000000000da3347b81ee40f1622b070dd183cb960042eac7eef5e5ffa00616e647265756363 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Adding old state with 81 36 TTLS: Sending tunneled request EAP-Message = 0x020200431a0202003e313c9bdaf99b4c49f82fbebb8edddc2eb10000000000000000da3347b81ee40f1622b070dd183cb960042eac7eef5e5ffa00616e647265756363 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "andreucc" State = 0x813684ca3299995136a2c8ba1a5becc0 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 47 modcall[authorize]: module "preprocess" returns ok for request 47 modcall[authorize]: module "chap" returns noop for request 47 modcall[authorize]: module "mschap" returns noop for request 47 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 47 rlm_eap: EAP packet type response id 2 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 47 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 3 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 3 modcall[authorize]: module "sql" returns ok for request 47 modcall[authorize]: module "files" returns notfound for request 47 modcall: group authorize returns updated for request 47 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 47 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 47 rlm_mschap: Told to do MS-CHAPv2 for andreucc with NT-Password modcall[authenticate]: module "mschap" returns ok for request 47 modcall: group Auth-Type returns ok for request 47 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 47 modcall: group authenticate returns handled for request 47 TTLS: Got tunneled reply RADIUS code 11 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" MS-CHAP2-Success = 0x02533d30333538303936453541464133433742454343314434443646413244454230413042314432363539 EAP-Message = 0x010300331a0302002e533d30333538303936453541464133433742454343314434443646413244454230413042314432363539 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0379a708ac4071c773ba2c4a3a7e0acb TTLS: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 47 modcall: group authenticate returns handled for request 47 Sending Access-Challenge of id 57 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x0109008415800000007a1703010018bb10ca992933491bc84400fb744de89f8bf75831495aaef9170301005840990f60a90497a690a696fc359dd2c2fd12f77846eb29f70957a52fb6448a6a6e24f079c515f0ab7a31890435309e3b63ea26e3077347413b17fd76583434d61404064824c09045e7ccd5f16d94c1788a75845d00f702d3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3590a2833c47e7febedaf889ab3edb56 Finished request 47 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 149.139.32.61:20005, id=58, length=232 NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User User-Name = "andreucc" State = 0x3590a2833c47e7febedaf889ab3edb56 EAP-Message = 0x0209004f1580000000451703010040248cde5e7df4ef59acc9941fc00aeea59913d10c35ae5e1bac74db13e538d0a46c48c0c867318bc3f0dc70b9bd3e3fcc5b76df73744b1c0fc9a0a22f30b905bf NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Message-Authenticator = 0xc1e1400a7bcc245266196c8875764baf Processing the authorize section of radiusd.conf modcall: entering group authorize for request 48 modcall[authorize]: module "preprocess" returns ok for request 48 modcall[authorize]: module "chap" returns noop for request 48 modcall[authorize]: module "mschap" returns noop for request 48 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 48 rlm_eap: EAP packet type response id 9 length 79 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 48 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 2 modcall[authorize]: module "sql" returns ok for request 48 modcall[authorize]: module "files" returns notfound for request 48 modcall: group authorize returns updated for request 48 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 48 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS: Got tunneled request EAP-Message = 0x020300061a03 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 TTLS: Adding old state with 03 79 TTLS: Sending tunneled request EAP-Message = 0x020300061a03 Message-Authenticator = 0x00000000000000000000000000000000 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "andreucc" State = 0x0379a708ac4071c773ba2c4a3a7e0acb NAS-Port-Id = "2/1" Calling-Station-Id = "00-08-E3-B0-73-46" Called-Station-Id = "00-12-A9-17-08-40:wpa-experimental" Service-Type = Framed-User NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 149.139.36.231 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 48 modcall[authorize]: module "preprocess" returns ok for request 48 modcall[authorize]: module "chap" returns noop for request 48 modcall[authorize]: module "mschap" returns noop for request 48 rlm_realm: No '@' in User-Name = "andreucc", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 48 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 48 radius_xlat: 'andreucc' rlm_sql (sql): sql_set_user escaped user --> 'andreucc' radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id' rlm_sql (sql): Reserving sql socket id: 1 rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id' rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id' rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'andreucc' ORDER BY id radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id' rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'andreucc' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 1 modcall[authorize]: module "sql" returns ok for request 48 modcall[authorize]: module "files" returns notfound for request 48 modcall: group authorize returns updated for request 48 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 48 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 48 modcall: group authenticate returns ok for request 48 Login OK: [andreucc/<no User-Password attribute>] (from client localhost port 0 cli 00-08-E3-B0-73-46) TTLS: Got tunneled reply RADIUS code 2 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" EAP-Message = 0x03030004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "andreucc" TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler TTLS: Freeing handler for user andreucc modcall[authenticate]: module "eap" returns ok for request 48 modcall: group authenticate returns ok for request 48 Login OK: [andreucc/<no User-Password attribute>] (from client Wx1200-B1D port 0 cli 00-08-E3-B0-73-46) Sending Access-Accept of id 58 to 149.139.32.61:20005 Service-Type := Framed-User Tunnel-Type:0 := VLAN Tunnel-Private-Group-Id:0 := "ifac" MS-MPPE-Recv-Key = 0xd90f9cadd44b9f21dd38c0e810d97dd9f215b83a237cda44a4411895864d760a MS-MPPE-Send-Key = 0xfab59357d9dbc3e653e189305e27d50b47ce321c5a06836d263b35c57674f93a EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "andreucc" Finished request 48 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 40 ID 50 with timestamp 44927a9a Cleaning up request 41 ID 51 with timestamp 44927a9a Cleaning up request 42 ID 52 with timestamp 44927a9a Cleaning up request 43 ID 53 with timestamp 44927a9a Cleaning up request 44 ID 54 with timestamp 44927a9a Cleaning up request 45 ID 55 with timestamp 44927a9a Cleaning up request 46 ID 56 with timestamp 44927a9a Cleaning up request 47 ID 57 with timestamp 44927a9a Cleaning up request 48 ID 58 with timestamp 44927a9a Nothing to do. Sleeping until we see a request.
Hi!
It is incredible! I have just installed SecureW2 and all is ok now! Have you any idea why XP SP2 didn't work? For my user will be more comfortable use XP interface instead install and use SecureW2.
I guess that is because Windows XP requires the TLS Server Certificate Extension to be present in the certificate, while SecureW2 doesn't. You can easily verify if your certificate is right for Win XP: openssl x509 -in certfile.pem -text The output must contain the following lines: X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication If this extension isn't present, things won't work with the built-in supplicant, then you need another certificate. SecureW2 is not as picky about that, so the cert is still fine for SecureW2 and EAP-TTLS. Windows XP supplicant being more comfortable? Arguably. Personally, I find it one of the worst-ever designed User Interfaces. Almost no one gets the correct, secure configuration right on first attempt. You can generate an automated installer with SecureW2, where most of the settings for your users are preconfigured (a "Site Deployment"). This makes it almost as easy as a double-click to get things running.
A second problema. I have activate accounting but in "radacct" (log file and mysql table) I can't see the IP address of the supplicant client. I see only the nas ip address. There are some parameter to secify to add this feature?
Well, the server can only log what the NAS (Access Point) sends to it. You will need to configure your Access Point to send the client's IP address. It depends on your model of Access Point how to do this, if it's at all possible. I don't have a 3Com Access Point, so I have no idea how to do it. It sure comes with a manual, though.
thank you very much for your help.
I'll enjoy free wireless LAN if I ever come to Florence. That's enough of a a revenue :-) Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
Stefan Winter ha scritto:
Hi!
It is incredible! I have just installed SecureW2 and all is ok now! Have you any idea why XP SP2 didn't work? For my user will be more comfortable use XP interface instead install and use SecureW2.
I guess that is because Windows XP requires the TLS Server Certificate Extension to be present in the certificate, while SecureW2 doesn't. You can easily verify if your certificate is right for Win XP:
openssl x509 -in certfile.pem -text
The output must contain the following lines:
X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication
If this extension isn't present, things won't work with the built-in supplicant, then you need another certificate. SecureW2 is not as picky about that, so the cert is still fine for SecureW2 and EAP-TTLS.
I have manually generated the certificate three days ago, so I serach the right way to generate the certificate with right extension, thanks.
Windows XP supplicant being more comfortable? Arguably. Personally, I find it one of the worst-ever designed User Interfaces. Almost no one gets the correct, secure configuration right on first attempt. You can generate an automated installer with SecureW2, where most of the settings for your users are preconfigured (a "Site Deployment"). This makes it almost as easy as a double-click to get things running.
Interesting, I'll checking also this possibility. Alsi I think that it is better than XP dialogs!
A second problema. I have activate accounting but in "radacct" (log file and mysql table) I can't see the IP address of the supplicant client. I see only the nas ip address. There are some parameter to secify to add this feature?
Well, the server can only log what the NAS (Access Point) sends to it. You will need to configure your Access Point to send the client's IP address. It depends on your model of Access Point how to do this, if it's at all possible. I don't have a 3Com Access Point, so I have no idea how to do it. It sure comes with a manual, though.
OK. Thanks again for your support! Alessandro
Hello helpful friends, I am using freeradius 1.1.3 I want to accept users only if the they are members of a sql-Group which name eqals the Huntgroup-Name. I try: DEFAULT Auth-Type := Accept, Sql-Group == MAC, Sql-Group == %{Huntgroup-Name} this gives the error (radiusd -X): module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" /usr/local/etc/raddb/users[161]: Parse error (check) for entry DEFAULT: Expected end of line or comma Errors reading /usr/local/etc/raddb/users radiusd.conf[398]: files: Module instantiation failed. radiusd.conf[828] Unknown module "files". radiusd.conf[742] Failed to parse authorize section. Thank you for any hint. Grüße Hans-Peter Fuchs Hans-Peter Fuchs - RRZK Zimmer 20 Zentrum für angewandte Informatik - Universitätsweiter Service RRZK Universität zu Köln - Tel: 0221-470-6972
"Hans-Peter Fuchs" <fuchs@rrz.uni-koeln.de> wrote:
DEFAULT Auth-Type := Accept, Sql-Group == MAC, Sql-Group == %{Huntgroup-Name}
this gives the error (radiusd -X):
You need to use back-ticks. SQL-Group == `%{...}` Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (6)
-
Alan DeKok -
Alessandro Agostini -
Hans-Peter Fuchs -
news.gmane.org -
Phil Mayers -
Stefan Winter