Freeradius + PEAP.. stuck on validating identity..
Hi, I have freeradius for WPA2 Enterprise authentification in small network in library, it is stable version (2.0.4) on Debian Lenny compiled from sources with OpenSSL support.. Everything seems to be OK, but when I try to connect to AP from laptop with Windows XP after I enter name and password I am stuck on Validating identity, same on Ubuntu machine... My configuration is pretty much default except of enabling MySQL and setting paths and passwords to certificates (generated with make script in /etc/freeradius/certs, so they should be OK) and addresses of clients. This is what freeradius -X gives me when I try to connect to AP: Ready to process requests. rad_recv: Access-Request packet from host 192.168.3.1 port 1291, id=0, length=123 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650eb532" NAS-Identifier = "00259c523046" NAS-Port = 9 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000a01706f6b7573 Message-Authenticator = 0x634f3b088572fda3a12eca56ed6035b9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [pokus/<via Auth-Type = Accept>] (from client router port 9 cli 001e650eb532) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.3.1 port 1291 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +59 Ready to process requests. To me it seems that name/password was accepted so I have no clue where is the problem.. Thank you in advance for any help..
Bruno Kremel wrote:
My configuration is pretty much default except of enabling MySQL and setting paths and passwords to certificates (generated with make script in /etc/freeradius/certs, so they should be OK) and addresses of clients.
And what did you put in SQL?
expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority ... rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user
Why did you put "Auth-Type = Accept" in SQL? It's breaking the server. Delete it.
To me it seems that name/password was accepted so I have no clue where is the problem..
The password was NOT accepted. It was *ignored*. Alan DeKok.
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
Bruno Kremel wrote:
My configuration is pretty much default except of enabling MySQL and setting paths and passwords to certificates (generated with make script in /etc/freeradius/certs, so they should be OK) and addresses of clients.
And what did you put in SQL?
expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority
...
rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user
Why did you put "Auth-Type = Accept" in SQL?
It's breaking the server. Delete it. What should be there? Beacuse I don't know I am using Daloradius web interafce for adding data to database, so I just loaded default daloradius sql which was intendet (according to readme od daloradius) for 2.X Freeradius... and added accounts in web interface...
To me it seems that name/password was accepted so I have no clue where is the problem..
The password was NOT accepted. It was *ignored*.
And what is that Accept-Accept on the end of the log?... also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for answer.
Bruno Kremel wrote:
Why did you put "Auth-Type = Accept" in SQL?
It's breaking the server. Delete it. What should be there?
The user's password?
Beacuse I don't know I am using Daloradius web interafce for adding data to database, so I just loaded default daloradius sql which was intendet (according to readme od daloradius) for 2.X Freeradius... and added accounts in web interface...
<shrug> I don't use daloradius. All I know is from the debug output, which shows that the server isn't configured properly.
And what is that Accept-Accept on the end of the log?...
It's useless. The EAP conversation has been short-circuited, and the user WILL NOT end up being online.
also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...
Since you obviously know the product better than I do, good luck solving the problem. Alan DeKok.
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote: What should be there? Beacuse I don't know I am using Daloradius web interafce for adding data to database, so I just loaded default daloradius sql which was intendet (according to readme od daloradius) for 2.X Freeradius... and added accounts in web interface...
Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | User-Password | == | password123 | This is how yours should be set up, otherwise you will get the "validating" issue in Windows.
To me it seems that name/password was accepted so I have no clue where is the problem..
The password was NOT accepted. It was *ignored*.
And what is that Accept-Accept on the end of the log?... also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...
As Alan said, it was simply ignored because of the misconfiguration Regards, Matt Harlum
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote: What should be there? Beacuse I don't know I am using Daloradius web interafce for adding data to database, so I just loaded default daloradius sql which was intendet (according to readme od daloradius) for 2.X Freeradius... and added accounts in web interface...
Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | User-Password | == | password123 |
This is how yours should be set up, otherwise you will get the "validating" issue in Windows.
I was wrong it should be Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | Cleartext-Password | := | password123 | My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to 2.x Regards, Matt Harlum
To me it seems that name/password was accepted so I have no clue where is the problem..
The password was NOT accepted. It was *ignored*.
And what is that Accept-Accept on the end of the log?... also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...
As Alan said, it was simply ignored because of the misconfiguration
Regards, Matt Harlum
2010/4/1 Matt Harlum <matt@cactuar.net>:
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote: What should be there? Beacuse I don't know I am using Daloradius web interafce for adding data to database, so I just loaded default daloradius sql which was intendet (according to readme od daloradius) for 2.X Freeradius... and added accounts in web interface...
Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | User-Password | == | password123 | This is how yours should be set up, otherwise you will get the "validating" issue in Windows.
I was wrong it should be Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | Cleartext-Password | := | password123 | My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to 2.x Regards, Matt Harlum
To me it seems that name/password was accepted so I have no clue where
is the problem..
The password was NOT accepted. It was *ignored*.
And what is that Accept-Accept on the end of the log?... also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...
As Alan said, it was simply ignored because of the misconfiguration Regards, Matt Harlum
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for answer.. You are right with that sql it is some mess in daloradius, but I tryed to disable SQL and use /etc/freeradius/users file instead, but I am stuck on Attempting to authenticate now.. log says this: Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137 Cleaning up request 39 ID 0 with timestamp +589 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650eb532" NAS-Identifier = "00259c523046" NAS-Port = 9 Framed-MTU = 1400 State = 0x53b1704550ba694fbe3359243d2a2638 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b00061900 Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 11 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1320 EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x53b1704557bd694fbe3359243d2a2638 Finished request 40. Going to the next request Waking up in 4.9 seconds. Cleaning up request 40 ID 0 with timestamp +589 Ready to process requests. That Access-Challenge should authenticate my client if I am not wrong, but it still shows me validating identity and the attempting to authenticate...
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:
2010/4/1 Matt Harlum <matt@cactuar.net>:
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote: What should be there? Beacuse I don't know I am using Daloradius web interafce for adding data to database, so I just loaded default daloradius sql which was intendet (according to readme od daloradius) for 2.X Freeradius... and added accounts in web interface...
Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | User-Password | == | password123 | This is how yours should be set up, otherwise you will get the "validating" issue in Windows.
I was wrong it should be Here's an example from my radcheck table in the SQL Database id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------+ | 1 | exampleuser | Cleartext-Password | := | password123 | My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. didn't test it when I upgraded to 2.x Regards, Matt Harlum
To me it seems that name/password was accepted so I have no clue where
is the problem..
The password was NOT accepted. It was *ignored*.
And what is that Accept-Accept on the end of the log?... also radtest gives me Accept-Accept only on correct login and password so I think that it's not that SQL...
As Alan said, it was simply ignored because of the misconfiguration Regards, Matt Harlum
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for answer.. You are right with that sql it is some mess in daloradius, but I tryed to disable SQL and use /etc/freeradius/users file instead, but I am stuck on Attempting to authenticate now.. log says this:
Are you trying to use EAP-TTLS?
Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0, length=137 Cleaning up request 39 ID 0 with timestamp +589 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650eb532" NAS-Identifier = "00259c523046" NAS-Port = 9 Framed-MTU = 1400 State = 0x53b1704550ba694fbe3359243d2a2638 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020b00061900 Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 11 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1320 EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x53b1704557bd694fbe3359243d2a2638 Finished request 40. Going to the next request Waking up in 4.9 seconds. Cleaning up request 40 ID 0 with timestamp +589 Ready to process requests.
Hard for me to tell what's going wrong here, radiusd -X should give more diagnostic information that would help also, what was the exact section of your users file like? with obfuscated login credentials of course.
That Access-Challenge should authenticate my client if I am not wrong, but it still shows me validating identity and the attempting to authenticate...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bruno Kremel wrote:
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320 EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x53b1704557bd694fbe3359243d2a2638 Finished request 40. Going to the next request Waking up in 4.9 seconds. Cleaning up request 40 ID 0 with timestamp +589 Ready to process requests.
This is documented in the FAQ, in the comments in raddb/eap.conf, and on my web site (http://deployingradius.com/). Please read the existing documentation,
That Access-Challenge should authenticate my client if I am not wrong,
No. Alan DeKok.
2010/4/1 Alan DeKok <aland@deployingradius.com>:
Bruno Kremel wrote:
Sending Access-Challenge of id 0 to 192.168.3.1 port 1320 EAP-Message = 0x010c00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x53b1704557bd694fbe3359243d2a2638 Finished request 40. Going to the next request Waking up in 4.9 seconds. Cleaning up request 40 ID 0 with timestamp +589 Ready to process requests.
This is documented in the FAQ, in the comments in raddb/eap.conf, and on my web site (http://deployingradius.com/).
Please read the existing documentation,
That Access-Challenge should authenticate my client if I am not wrong,
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you for that links... I have read that FAQ and so I copyed over default eap.conf and tryed it with uses file.. it is working OK i can connect to AP with username/password, but when I tryed to use SQL (I have corret format in SQL now) again it ends up this with Accept-Reject: rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [pokus2/<via Auth-Type = EAP>] (from client ciscorouter port 44 cli 001e650ece6c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> pokus2 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 23 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 23 Sending Access-Reject of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 23 ID 0 with timestamp +735 Ready to process requests. Bud radtest gives me: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 54224, id=218, length=57 User-Name = "test2" User-Password = "pokus2" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "test2", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> test2 rlm_sql (sql): sql_set_user escaped user --> 'test2' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test2' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test2' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test2' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "pokus2" rlm_pap: Using clear text password "pokus2" rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [test2/pokus2] (from client localhost port 1812) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 218 to 127.0.0.1 port 54224 Finished request 10. Going to the next request Waking up in 4.9 seconds. Cleaning up request 10 ID 218 with timestamp +263 Ready to process requests. So is it sql problem or something with eap?
I am posting full log with first is radtest accepted and others are failde login from wifi client with 2 different accounts... FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29 2010 at 15:58:09 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/sql.conf including configuration file /etc/freeradius/sql/mysql/dialup.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/freeradius/freeradius.pid" user = "freerad" group = "freerad" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.3.1 { require_message_authenticator = no secret = "amerika7452" shortname = "ciscorouter" nastype = "cisco" } client 192.168.3.3 { require_message_authenticator = no secret = "amerika7452" shortname = "AP_Prveposchodie" nastype = "other" } client 192.168.3.2 { require_message_authenticator = no secret = "amerika7452" shortname = "AP_Druheposchodie" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.pem" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "amerika7452" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_mysql" server = "localhost" port = "" login = "radius" password = "uPq7cP9wMhMDMjyh" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/var/log/freeradius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime = NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime = NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 34571, id=92, length=55 User-Name = "123" User-Password = "123" NAS-IP-Address = 127.0.1.1 NAS-Port = 1812 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "123" rlm_pap: Using clear text password "123" rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [123/123] (from client localhost port 1812) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 92 to 127.0.0.1 port 34571 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 92 with timestamp +10 Ready to process requests. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=119 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000801313233 Message-Authenticator = 0xefb6ee4d88c5de31b2808aeaabbb5e7f +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010100160410067b70733dcd38b8291e5f17a2720acd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e66733918c0f9543479c82591 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 1 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e66733918c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0x6fa3c5c56bd9374326c39055674f9e39 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> 123 rlm_sql (sql): sql_set_user escaped user --> '123' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '123' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '123' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '123' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e67702418c0f9543479c82591 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=209 Cleaning up request 2 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e67702418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202005019800000004616030100410100003d03014bb4bc83fed9c1c47c98d2472920397e85b03463108acace89d1212cd3337a7800001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x9fba80024fc68c5163800fc95c4419ad +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 07a1], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0103040019c0000007fe160301004a0200004603014bb4bc3cedbc5d837c56ea5137ec6b0171b17af239998a062ee186277a93d965203384c6cbe86dec141946c5770b5f5ed1fcda003f07248f4726bb5b4ffd29e7be00040016030107a10b00079d00079a000369308203653082024da003020102020101300d06092a864886f70d0101040500306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d313030333239 EAP-Message = 0x3136313031395a170d3230303332363136313031395a3069310b300906035504061302534b310f300d06035504081306526164697573310c300a060355040a13034b4b5a311f301d060355040313164b4b5a20536572766572204365727469666963617465311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a30820122300d06092a864886f70d01010105000382010f003082010a0282010100d579693bfaece2c1322a55a64dd6bdc6af206a59a7f2e64626cbb3c8b4fb6b392fc24786ecbe9f34025216491731e390d05aba630f277d7f6d7ee9727a07aefc5c9841b56d7941841b391db2e5539b8f7c9e7d0638d676601d43dd EAP-Message = 0x7bf0a40d796a102473637db3a35f438b9e4af0bbe0d01b86f864dcfcefacb9759c512548c942950fc8e28e9bafaa996b4afd136cf207aadab3511930e8d4d92748410554f89c428d00d4cc98f543f9ffe16ab3e7051cbd5810044bc52297d09f4fd66f6b38f6274de4e7d2bd4254f18830910526fc989954cd85f27628207aa3f7f2cfcd48bbf3f70be736e37f204ef0302bd63208c499702197be97fe7f95c0a7202d36c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010084609cecd6d3b00a7f600da98eb18901b726f84eb884a6e1c3d9ffc45c4b2c83ca79d09319ca EAP-Message = 0xcb5ee3fc021b6be9460b31b3cfddd12fd883da847b76fe46a14be8379b1ab0e0d1620b045b18d4894655d9ddf9c99fa250524d4c90e6d0fcf257996a68eee1b3a12c145adb3068ea616435d56a8a8c8eca84178019730efb7db3701e30572c4fd71eb8a7f25833b8e9b155288a56a0f2da707859a1aa990b94eff3a2a9097670c78ab12b358c117a5b99e359d1daefbed75689ef97c3c198ceb0f58b0a1022ef5b8e1cb74af315c35e9e24362ce43ad86a505b297330c783e731d2b86bd5334758f67db59e266b1f555fb01575d62311aacdc125837aa7cadeb000042b308204273082030fa003020102020900ac4020fc7454ca94300d06092a864886 EAP-Message = 0xf70d0101050500306a310b30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e64712418c0f9543479c82591 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 3 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e64712418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0x58f1c6897251c0190ea2fd2ac695e9af +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010403fc19400906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d3130303332393136313135395a170d3130303432383136313135395a306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a20434130820122 EAP-Message = 0x300d06092a864886f70d01010105000382010f003082010a0282010100a1b39f27a494fb2d6f5e163b41709b6c7d670595b5b2094a71957d4edf6a1753254fef52b606ced87269a80069f4b86b7ae5492bad1d93432794412c85e8cb75d08597ff66fa17cc1e91afbf2739d36a16c289b78389a0073cb7b1d05f55d6a358f5a24d84bc62d0a4009101aa40a95316f9b50209f0b731256a10b504a3d024349307536efdd7128f104ca554b82782b73bfa1f86b9d9a5b1f77e8c6bba0617ae1c7b51fb95f36791cdb08dde834cd8faae43b7af81fbb3728475860332ca7935a2d74a879e4c3e3bcb8313eea755454622b4400de27b13e73f1eb1d8f67bf9 EAP-Message = 0xab41c984962c6810454a41aad17e3e0f46870753d5e76875ad6fcfc4648ba52d0203010001a381cf3081cc301d0603551d0e041604149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc69930819c0603551d2304819430819180149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc699a16ea46c306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341820900ac4020fc7454ca94300c0603551d13040530030101ff300d06092a86 EAP-Message = 0x4886f70d010105050003820101003181c959e5f84a0ae2a187457617b6a4563fad6a9fc317891362c3f5ec8266983cadd56bde7e3e57d2d189c6d01722ba93fb820ec83e21a68bb8e45f8b42e0e47f188020cababe8d9971009d43daacab4dc89237e134ab6ac1b48d8e174ab1c94b2e7261ce7e3fb4c802b8dbb47b58bfd98bbbc6c89cc1d4f0eb727e16309e631e14ca91d0937e4fa529125e4116d536b3ac9ebe91873a0bdba3ab3bfb3a6ab7d349d5b1c537617cc81296b70884994e5595626cf97a3ff6f9fec75eecea28130173d4fae7186353df4663ced8bb67f9964dae6aa7e43471ad282fa8629c0a4126eb37a592ef4dbcde01e694b9256f EAP-Message = 0x0eaabc8560dd656e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e65762418c0f9543479c82591 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 4 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e65762418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xf70cb3dc846b94996049a79331a9a356 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010500181900ce06fa04b0dba2f6ae16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e62772418c0f9543479c82591 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=451 Cleaning up request 5 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e62772418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020501401980000001361603010106100001020100577e96d8c409c105721fb2b9f83489849a2dd841eefe7da6c0b51359f171f7dc0f62c42ce47748de3ccc3fef0a61baf3b084848c5ca8547e6de7cc94ba2ec73c1c4f8f30d61495032ab57e35b1bd1c9fcefedc65aac06736f096009ae5e159951a34cb8ac658252e033ca77bbc6f1431252ece0b94504a709cc86e1046b7fc835a7929207705e5b1d2ed5b3e5912666238a59e8725512bd5231e981acf9b21aba8ce82e226a75bfaba9bc2bc694449be10a1fb8f7ef2f56a985bc72d82eec90efac854436ef97595a65e00fc97693a95778acc4f2b7549b4ba673bbd6a977cf99825b7919d09b8e6 EAP-Message = 0x37ae8307386da9a444292eec12497526a455a9215fe750221403010001011603010020560d51f197badcb69582d91d84b797c8239c0aedfa1df58f1c18090dc82b2df4 Message-Authenticator = 0xb82c7b3eb2cb2bd13ac350a9e0982bdb +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0106003119001403010001011603010020c5c290d110c1c6b81a6c1c8e15dc903e668eaed8f298c7a436d6768cdfcbdf51 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e63742418c0f9543479c82591 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=135 Cleaning up request 6 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e63742418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0xd483882af20d521d7f580979e2f27133 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x01070020190017030100158459c4f8f2dfc2f1b6b98fc6cb859070ba60773363 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e60752418c0f9543479c82591 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=160 Cleaning up request 7 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e60752418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207001f19001703010014b056d90384636556333d6feefb416a1dde840c76 Message-Authenticator = 0x0e7dc12d1d3b3f40545f4fe0a1ca198a +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 31 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 123 PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000801313233 PEAP: Got tunneled identity of 123 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 123 PEAP: Sending tunneled request EAP-Message = 0x0207000801313233 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "123" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001d1a010800181034b648a7ca776e033f81e3768ffb903f313233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae49dd0aae41c7b2ff4db56c61fe8872 PEAP: Processing from tunneled session code 0x81b8f70 11 EAP-Message = 0x0108001d1a010800181034b648a7ca776e033f81e3768ffb903f313233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae49dd0aae41c7b2ff4db56c61fe8872 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0108003419001703010029e466cb5716a0436c5d11902e4d0bb11d6e05f995cc10b786dff009aa883564f89c51fad980babbe746 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e617a2418c0f9543479c82591 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=214 Cleaning up request 8 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e617a2418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800551900170301004a0b982a6ed2e5c3d6d889c7484feaea43da62618eb60e8b5a9cb0b76cd1e02ba99144f42debde680a29455064933f4e5bece6561305da274582d2326d01c38fb07d8c9bf8d16f3c45b22f Message-Authenticator = 0xe28e64981aff83c048f7a1c4e3a18adf +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 85 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x0208003e1a0208003931c18aabf24b6c2efc7a588ebdc7134b740000000000000000fcdcc23f2ae0ecad715899443f6a4d8ad3b6a583fa9238a600313233 PEAP: Setting User-Name to 123 PEAP: Sending tunneled request EAP-Message = 0x0208003e1a0208003931c18aabf24b6c2efc7a588ebdc7134b740000000000000000fcdcc23f2ae0ecad715899443f6a4d8ad3b6a583fa9238a600313233 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "123" State = 0xae49dd0aae41c7b2ff4db56c61fe8872 server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 62 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [123/<via Auth-Type = EAP>] (from client ciscorouter port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81b8f70 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010900261900170301001be1bd984b584aa1d06568832111475b8d71d5d24df7ea22c454e3e4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x66723d8e6e7b2418c0f9543479c82591 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=167 Cleaning up request 9 ID 0 with timestamp +101 User-Name = "123" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0x66723d8e6e7b2418c0f9543479c82591 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001b0e3905c958b77a26c5f49d89bcc618c6d6252d6a9e9156dd418ad3 Message-Authenticator = 0xf55b29e57abb32fccbc8e9927e2217a6 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [123/<via Auth-Type = EAP>] (from client ciscorouter port 44 cli 001e650ece6c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 123 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 10 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 10 Sending Access-Reject of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 10 ID 0 with timestamp +101 Ready to process requests. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=123 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000a01706f6b7573 Message-Authenticator = 0xb85f05786382f2c54ea0261ba6222d68 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 1 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0101001604101191f37f5df77c76fb6de3e51bf5d7fa Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b4bd529a2654aefb6456b1e9 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 11 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b4bd529a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0x3dc7a47b7c7588595fbc8527fe0f87eb +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> pokus rlm_sql (sql): sql_set_user escaped user --> 'pokus' rlm_sql (sql): Reserving sql socket id: 0 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'pokus' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'pokus' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'pokus' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b5be4f9a2654aefb6456b1e9 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=211 Cleaning up request 12 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b5be4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202005019800000004616030100410100003d03014bb4bccc5dc9e90125f42c50bbc9cbab888d4bbfc9578ffeaf076597fbce203b00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x15033f5962cc41ebb0b69b6d91ddedc8 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 07a1], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0103040019c0000007fe160301004a0200004603014bb4bc85e47df6958850c0d3447f338d476af4314f875aafca2c8b6fe901692b20780806347b4a01c0bf6457fd7fdda91f59bfad9a9fbaf7d59b12cdd5aa4d602400040016030107a10b00079d00079a000369308203653082024da003020102020101300d06092a864886f70d0101040500306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d313030333239 EAP-Message = 0x3136313031395a170d3230303332363136313031395a3069310b300906035504061302534b310f300d06035504081306526164697573310c300a060355040a13034b4b5a311f301d060355040313164b4b5a20536572766572204365727469666963617465311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a30820122300d06092a864886f70d01010105000382010f003082010a0282010100d579693bfaece2c1322a55a64dd6bdc6af206a59a7f2e64626cbb3c8b4fb6b392fc24786ecbe9f34025216491731e390d05aba630f277d7f6d7ee9727a07aefc5c9841b56d7941841b391db2e5539b8f7c9e7d0638d676601d43dd EAP-Message = 0x7bf0a40d796a102473637db3a35f438b9e4af0bbe0d01b86f864dcfcefacb9759c512548c942950fc8e28e9bafaa996b4afd136cf207aadab3511930e8d4d92748410554f89c428d00d4cc98f543f9ffe16ab3e7051cbd5810044bc52297d09f4fd66f6b38f6274de4e7d2bd4254f18830910526fc989954cd85f27628207aa3f7f2cfcd48bbf3f70be736e37f204ef0302bd63208c499702197be97fe7f95c0a7202d36c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010084609cecd6d3b00a7f600da98eb18901b726f84eb884a6e1c3d9ffc45c4b2c83ca79d09319ca EAP-Message = 0xcb5ee3fc021b6be9460b31b3cfddd12fd883da847b76fe46a14be8379b1ab0e0d1620b045b18d4894655d9ddf9c99fa250524d4c90e6d0fcf257996a68eee1b3a12c145adb3068ea616435d56a8a8c8eca84178019730efb7db3701e30572c4fd71eb8a7f25833b8e9b155288a56a0f2da707859a1aa990b94eff3a2a9097670c78ab12b358c117a5b99e359d1daefbed75689ef97c3c198ceb0f58b0a1022ef5b8e1cb74af315c35e9e24362ce43ad86a505b297330c783e731d2b86bd5334758f67db59e266b1f555fb01575d62311aacdc125837aa7cadeb000042b308204273082030fa003020102020900ac4020fc7454ca94300d06092a864886 EAP-Message = 0xf70d0101050500306a310b30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b6bf4f9a2654aefb6456b1e9 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 13 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b6bf4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xa3cfa8d724cac46cbb0c741ea6180333 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010403fc19400906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341301e170d3130303332393136313135395a170d3130303432383136313135395a306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a20434130820122 EAP-Message = 0x300d06092a864886f70d01010105000382010f003082010a0282010100a1b39f27a494fb2d6f5e163b41709b6c7d670595b5b2094a71957d4edf6a1753254fef52b606ced87269a80069f4b86b7ae5492bad1d93432794412c85e8cb75d08597ff66fa17cc1e91afbf2739d36a16c289b78389a0073cb7b1d05f55d6a358f5a24d84bc62d0a4009101aa40a95316f9b50209f0b731256a10b504a3d024349307536efdd7128f104ca554b82782b73bfa1f86b9d9a5b1f77e8c6bba0617ae1c7b51fb95f36791cdb08dde834cd8faae43b7af81fbb3728475860332ca7935a2d74a879e4c3e3bcb8313eea755454622b4400de27b13e73f1eb1d8f67bf9 EAP-Message = 0xab41c984962c6810454a41aad17e3e0f46870753d5e76875ad6fcfc4648ba52d0203010001a381cf3081cc301d0603551d0e041604149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc69930819c0603551d2304819430819180149a7c6fd4e6f2837aeb3607242cdc7cb5ad8bc699a16ea46c306a310b300906035504061302534b310f300d06035504081306526164697573310f300d060355040713065a696c696e61310c300a060355040a13034b4b5a311a301806092a864886f70d010901160b6b6b7a406b6b7a2e6b6b7a310f300d060355040313064b4b5a204341820900ac4020fc7454ca94300c0603551d13040530030101ff300d06092a86 EAP-Message = 0x4886f70d010105050003820101003181c959e5f84a0ae2a187457617b6a4563fad6a9fc317891362c3f5ec8266983cadd56bde7e3e57d2d189c6d01722ba93fb820ec83e21a68bb8e45f8b42e0e47f188020cababe8d9971009d43daacab4dc89237e134ab6ac1b48d8e174ab1c94b2e7261ce7e3fb4c802b8dbb47b58bfd98bbbc6c89cc1d4f0eb727e16309e631e14ca91d0937e4fa529125e4116d536b3ac9ebe91873a0bdba3ab3bfb3a6ab7d349d5b1c537617cc81296b70884994e5595626cf97a3ff6f9fec75eecea28130173d4fae7186353df4663ced8bb67f9964dae6aa7e43471ad282fa8629c0a4126eb37a592ef4dbcde01e694b9256f EAP-Message = 0x0eaabc8560dd656e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b7b84f9a2654aefb6456b1e9 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 14 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b7b84f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0xaf95dc5e8bc109bd496444d13cb7b37f +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010500181900ce06fa04b0dba2f6ae16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b0b94f9a2654aefb6456b1e9 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=453 Cleaning up request 15 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b0b94f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020501401980000001361603010106100001020100023a7b095e535c2174f9b63c1a4b99040bc7f85ca4d747a2a8be8bc1347829d41f20405592585e9d9f2ba6325a62ac1ad8d351dbec78303f23588e6dced5a4c536633d94abf57d7dfddc0dc2d076846daaf562dc0e191279ad35f540d6eb810b9d5f38fb7d28308393810036447b1f9a21815206574117efc45ebf7f56223771c63fce0907027945f69088568e5be174f68c042b5c0e3641a2805edae378195e477e8ad7b575a25a9705f9ae0a6da5182165735e1408d0b35bc2e5853e4cdbdf8f18313bda568961f81911b26346b068c886e10b2c609cdfa8c4c864af20b4b795c9b45d271d5dba EAP-Message = 0xf198007180c16f746aeb2266cf5faf7b83098e9b91e53683140301000101160301002018aa6e182c4d1678a4ea10665c7480c24b50e37bac8745e2ff7fe2570e4ba22b Message-Authenticator = 0xc9c6bc817d9fb8abcdefc16b5179b620 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 310 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x0106003119001403010001011603010020afc67012f55ae30e1d97c24bb6cba15d8703864f7df3e4b310a8068222efcfdd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b1ba4f9a2654aefb6456b1e9 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=137 Cleaning up request 16 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b1ba4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0x3d065021dd804e5c8fb91e6058170fba +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x01070020190017030100154abd16005b7ba52d8a20d1768c7510e2f88f49868b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b2bb4f9a2654aefb6456b1e9 Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=164 Cleaning up request 17 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b2bb4f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02070021190017030100162be7b16e55c97cbfda261c4be13183c4dd01c00606ea Message-Authenticator = 0xec05fbfc78a9a7262003b9b009af0d1d +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 33 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - pokus PEAP: Got tunneled EAP-Message EAP-Message = 0x0207000a01706f6b7573 PEAP: Got tunneled identity of pokus PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to pokus PEAP: Sending tunneled request EAP-Message = 0x0207000a01706f6b7573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pokus" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001f1a0108001a103c9a250911e1ad30afaed5bcb9c5ee00706f6b7573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x81b96fc381b175d869dfc719100d29c1 PEAP: Processing from tunneled session code 0x81b5128 11 EAP-Message = 0x0108001f1a0108001a103c9a250911e1ad30afaed5bcb9c5ee00706f6b7573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x81b96fc381b175d869dfc719100d29c1 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010800361900170301002b70b6783f00c3f1d85ae06803a523ea543fbbb8886d75c6fbdbaa8e71123e6b8007b3b7a6bb09aa7589af48 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696b3b44f9a2654aefb6456b1e9 Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=218 Cleaning up request 18 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696b3b44f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800571900170301004c98ee9b705e0a9b8041ecbee05adcb51c08c1edf9a195ae5667a9c155dc050c0511ab8b3aac21630149e5fefaf9dab8136ce8fb32d34f9accb05dff53db3e2ce2e13a37abdfa71d1ad9b09470 Message-Authenticator = 0x51967c88196131db97363ef9f79d73e3 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 87 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x020800401a0208003b31b0b136330d519f80a3f96ad2a674eecb00000000000000005bb9070272ab0df2637c3318ac6ee4bfbabecf70a0a16da600706f6b7573 PEAP: Setting User-Name to pokus PEAP: Sending tunneled request EAP-Message = 0x020800401a0208003b31b0b136330d519f80a3f96ad2a674eecb00000000000000005bb9070272ab0df2637c3318ac6ee4bfbabecf70a0a16da600706f6b7573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pokus" State = 0x81b96fc381b175d869dfc719100d29c1 server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 64 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for pokus with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [pokus/<via Auth-Type = EAP>] (from client ciscorouter port 0 via TLS tunnel) } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x81b7820 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x010900261900170301001bd3d5deb3a1b8b775d8f66878c399a4f98b94f38060b0bd21451d74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb4bc5696bcb54f9a2654aefb6456b1e9 Finished request 19. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.3.1 port 1327, id=0, length=169 Cleaning up request 19 ID 0 with timestamp +174 User-Name = "pokus" NAS-IP-Address = 192.168.3.1 Called-Station-Id = "00259c523046" Calling-Station-Id = "001e650ece6c" NAS-Identifier = "00259c523046" NAS-Port = 44 Framed-MTU = 1400 State = 0xb4bc5696bcb54f9a2654aefb6456b1e9 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020900261900170301001bb82564c0558ebfa0155cac5c0a8a20b725a110b4719573333a7195 Message-Authenticator = 0xd411b960b2053b66dc3f61d32db347e6 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [pokus/<via Auth-Type = EAP>] (from client ciscorouter port 44 cli 001e650ece6c) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> pokus attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 20 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 20 Sending Access-Reject of id 0 to 192.168.3.1 port 1327 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 20 ID 0 with timestamp +174 Ready to process requests.
Bruno Kremel wrote:
I am posting full log with first is radtest accepted and others are failde login from wifi client with 2 different accounts...
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Mar 29 2010 at 15:58:09
You should probably upgrade to 2.1.8. It has a lot of fixes && features over 2.0.4.
server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "123", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 62 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop
And no "sql". Edit raddb/sites-available/inner-tunnel, and add "sql" to the "authorize" section. It's already there, so you likely just have to uncomment it.
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for 123 with NT-Password rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Yup. No "known good" password means no authentication. You could also try: http://networkradius.com/freeradius.html This lets you cut && paste the debug output into a form. The response is a colorized HTML page indicating common errors, and things you should look into. It won't catch this problem, but it will highlight the fact that there was no "known good" password for the user. Alan DeKok.
participants (3)
-
Alan DeKok -
Bruno Kremel -
Matt Harlum