TLS authentication works, but does not check usernames against 'users' file.
Hi, I'm trying to get WPA Enterprise EAP/TLS working with my wireless router. It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line. I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination. Here is the debug output: Thanks for any advice. I didn't want to start reconfiguring with a shotgun :) freeradius -X FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 17 2010 at 04:06:04 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 3com4400_1 { ipaddr = 192.168.183.5 netmask = 32 require_message_authenticator = no secret = "testing123" nastype = "other" } client wrt54gl_testbed { ipaddr = 192.168.183.110 netmask = 32 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=70, length=154 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02d4000a01706f6f7079 Message-Authenticator = 0x96155aae1c1a13904212926041844222 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 212 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 70 to 192.168.183.110 port 55425 EAP-Message = 0x01d5001604104b7e073f1d295b16bd346d251f67ed9b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c19f0fce511765369958e0fff Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=71, length=168 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02d50006030d State = 0x1925f89c19f0fce511765369958e0fff Message-Authenticator = 0xfb81366232f27755b84f3d53880e6793 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 213 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 71 to 192.168.183.110 port 55425 EAP-Message = 0x01d600060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c18f3f5e511765369958e0fff Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=72, length=274 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02d600700d800000006616030100610100005d03014cf47dccabafcd6559461322e0d11b2781c65dca5f1d237073c77169593a5ace000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 State = 0x1925f89c18f3f5e511765369958e0fff Message-Authenticator = 0x7d9b552c05313f4f8e4e66559782ed1e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 214 length 112 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 102 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0061], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0861], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a7], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 72 to 192.168.183.110 port 55425 EAP-Message = 0x01d704000dc000000941160301002a0200002603014cf47dcd98edd353ce39b099785a7e97da101613c63adf77d9643d0092c71e6500002f0016030108610b00085d00085a0003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974 EAP-Message = 0x79301e170d3130313132363037323333305a170d3131313132363037323333305a307b310b30090603550406130255533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574312530230603550403131c4565626c652e6e657420536572766572204365727469666963617465311e301c06092a864886f70d010901160f61646d696e406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ab4afd83acd6fea4fce7bb07d045a43436798b06b2f2be86ab6f19386c5e7d536585255834652f9a40160c6d19947c5fd02148f127b1d6d58558e055a952 EAP-Message = 0xaaaaaeb915a8475944790f539aa2084dfcd4de24636182bf350426db1a04320019b47a8d32229c4f4d4f0039bf7c4840673502f1eaefe170447fc3a508944ea8cd2197867ddb4e8f3cf5cba3da5d10f4714f40f4b28e1f48805023bb26cd940e96a68a4dc2a73243321c0af06b9b5356162641a5099fc439255340c3c02df4433f88969ce4e6035d40db3a0b4f74d31ac421e2faeec27c6fc6385d91755c1c4ed458ff850d37d7e06e9f95e87a59a5d63b25e44d3e608f6802ee9ef42619251a13ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010048267d769b012e4e35 EAP-Message = 0xee42366711bc376d503f76bd2da75c7a4040a07878b5bc5a1ad52e5e3e803b526cefeb61c58bb3db5041f4383377c39b5a72b0d35a0edde4fc3469abdaf0acb14920cc11ca1bf93e95089a627a1b99de8124c51a2dc7524e473e9333eda0aa213b11ecf188fcacbc20c2840beb0906e283d8e9025bbb2eb83ac816b2dcefe20edadddc2d5dfc171882bb8dde3f07a008fb4caa66e98a1c9ae3b452dee84971cfe892cfeab83846a60d9be8dfc0866ab93473c83541dd2d182076da789ec03128445292be43d0150e299e33030f45e4344a32ba4f6ed33a10e1e10f4a472649b92b2da7233986ed251adc2ea59764ef2187070e23a8743c0004ae308204 EAP-Message = 0xaa30820392a0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c1bf2f5e511765369958e0fff Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=73, length=168 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02d700060d00 State = 0x1925f89c1bf2f5e511765369958e0fff Message-Authenticator = 0xe6897b99aab4241541cb41bf88f8a8c6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 215 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 73 to 192.168.183.110 port 55425 EAP-Message = 0x01d804000dc0000009410097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e696131 EAP-Message = 0x1430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17f EAP-Message = 0xd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111 EAP-Message = 0x300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef50 EAP-Message = 0x40cfcbdd5a55e31c0c9eb904 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c1afdf5e511765369958e0fff Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=74, length=168 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02d800060d00 State = 0x1925f89c1afdf5e511765369958e0fff Message-Authenticator = 0x13f202928ab1d3156068c6d2ecc9fcb9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 216 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 74 to 192.168.183.110 port 55425 EAP-Message = 0x01d9015f0d8000000941914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d16030100a70d00009f0301024000990097308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c65 EAP-Message = 0x31123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c1dfcf5e511765369958e0fff Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=75, length=1568 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02d905740dc000000aa816030108520b00084e00084b000397308203933082027ba003020102020102300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037333533385a170d3131313132363037333533385a306c310b30090603550406130255 EAP-Message = 0x533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574311730150603550403140e616e6479406565626c652e6e6574311d301b06092a864886f70d010901160e616e6479406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4023777541709e539867d3033954f764c3a207c352dba4ee043642002ed4df123cb5edbe0d7a35cf9c21c88cd4ea537f3f297d9be68cb7bcbc49fdbc6ed94745d1aa057fcf259ad7898a6eb1b123b277e55da4d877972f169d29b922bfedd8dab070dbe905d1437ef1c84e9c7be7fd9736882d153993e36aa498819 EAP-Message = 0x68e526722d720427a9b2cccece64fcae119806c9ae5a925f68c09d0df5fcd9ebc6e20040cb97dac3f44a32ade71f6cfc40f90ac4b64f2585d45fd6901b13b2ae12347460853c30dab72c88c4f0becccd393433e47037ecb61544cb38155bb8ce9f75a9e5a024b5e03139cacb74d47d4af87aa3b9781903b8b6976260c39fc83df288482f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010049c7d67a933fd63a42cf33f6adb61bdc203bc30007ed3dfa9da446a6c3e78bced49ae68d7fd3611a431e888a9144d196bf30f46ae1be3d673006bbb6e50d3191f6756b38506838 EAP-Message = 0xad445350dfa97ac88297b8f36979dea39a92c4add1e5f6050eb5af41f3c8702b682365719456074d7623c2a0bca5be7c86c65ad538d4e8c615dde70df4967e6ea2acc5e2e76dde0ca0f13c4a34eddc93615cc7eba93b75ea9c23a85f74f1240ee999c08416d080a36246deec5b552046232ad3470f042bbe1774bb386c84aaa3ddcd4dc38acd816de90983e5a44231e77ae4d641ea14d6e822bbf969852387230eef0e02b3f84916b2bd0ba4aa159a4cb7aeb542b8cf3bd8dd0004ae308204aa30820392a00302010202090097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f060355040813 EAP-Message = 0x0856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f6164 EAP-Message = 0x6d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e88 State = 0x1925f89c1dfcf5e511765369958e0fff Message-Authenticator = 0xfcf4cb45ff5347d477c93f6722c86b03 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 217 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2728 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 75 to 192.168.183.110 port 55425 EAP-Message = 0x01da00060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c1cfff5e511765369958e0fff Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=76, length=1520 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02da05440d008df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17fd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe8 EAP-Message = 0x1e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a31 EAP-Message = 0x6f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef5040cfcbdd5a55e31c0c9eb904914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d16030101 EAP-Message = 0x061000010201006cd3d5d42d02607bad6cccbd821c47acc842e535db3091bd9cd1cc369c7e0399623ccdcf02b6920f15b853cd89adf40f5f89b1702349e6b4c943b5b52ab983384011ca214a2be1672a68ae91f347060b74fe93db442fe65b09718d6a6b34c87b3b2b5de157bebcecb313bdaf56a437e1eef95a2ece695c37eb54914dc08e08dee09449a011ccfb7124872bc841651511c86fbdffc7f58f5a9b8ad2fae518b0c72c41460ddc486e9dddde73478a990836218d14253d864260ef3902315fca7a5acd21eea5171b6ab224e9b2191cc61958ccb4527d83161f1c369e5164ea82f3339c5165155cc64489ad348571165ce25f2fe83dd92ea6 EAP-Message = 0x5f5e14f428dc80c3f16616030101060f00010201002e81b25e6082ccd1e0f71b7954b92d248e76fbd5734e683991e4409fd0a4e3ec0d13f13fafe41a35824c883c23a2ced28e19ac8659cc7297ef9e6f4a0c5a32dd1eb8c0e832ed929ac41a5f67c1aeeaa95aae9af57b230ba7753ca57783081910e59830c3ad1982499fcde5884bab2b451d026679a613a728d2128123fb76d0fb78944d099d81e86b81a16137633e15ed533401586c3fe773c93fcf2472ac73e41ecbb4c0393638891db14325d52ebe991e29bc976650924f34ffb45e25543d53c869a3cea0638f6fc188ee34a1ff07acb77226722bbfdffa6f04c56614797a8a4cce2abc53b764de EAP-Message = 0x58cc7ef38ce7145532fde4d99063e60183e6a9e9405a92311403010001011603010030bc0ee785b2ff17529ace39c5a6c66ba168cfc082558510afdbcc3f5114014bbc66545699903692ff3b004ae50fc841b3 State = 0x1925f89c1cfff5e511765369958e0fff Message-Authenticator = 0x1b3aea67ccedae9d41055d48e08deeca # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 218 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0852], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = invaliduser1 [tls] --> BUF-Name = Example.net Certificate Authority [tls] --> subject = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> issuer = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> verify return:1 [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = invaliduser1 [tls] --> BUF-Name = andy@example.net [tls] --> subject = /C=US/ST=Virginia/O=Example.net/CN=andy@example.net/emailAddress=andy@example.net [tls] --> issuer = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 76 to 192.168.183.110 port 55425 EAP-Message = 0x01db00450d800000003b1403010001011603010030327d72375b8df7a3e6ed4e0575b76d753a34c65a21ed33bcb3036e2b37006404c7356e779df933c9af852f525a6877d1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1925f89c1ffef5e511765369958e0fff Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=77, length=168 User-Name = "invaliduser1" NAS-Identifier = "openwrt" NAS-Port = 1 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-17-F2-E7-39-C0" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02db00060d00 State = 0x1925f89c1ffef5e511765369958e0fff Message-Authenticator = 0x532e5b192c2b3f42d94eca4f8f1b6322 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 219 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 77 to 192.168.183.110 port 55425 MS-MPPE-Recv-Key = 0xad6a9918758ca549457e3cb1635cebde2c308c218cd1ba3bb1fcb0e6222964f9 MS-MPPE-Send-Key = 0x2d9a175670e6428ae1c84bd869cac06f47b47703c29addc0f8fbbe4081ffe5e7 EAP-Message = 0x03db0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "invaliduser1" Finished request 7. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 70 with timestamp +46 Cleaning up request 1 ID 71 with timestamp +46 Cleaning up request 2 ID 72 with timestamp +46 Cleaning up request 3 ID 73 with timestamp +46 Cleaning up request 4 ID 74 with timestamp +46 Cleaning up request 5 ID 75 with timestamp +46 Cleaning up request 6 ID 76 with timestamp +46 Cleaning up request 7 ID 77 with timestamp +46 Ready to process requests. ^[[Brad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=78, length=156 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0265000b01626f6f676572 Message-Authenticator = 0xcbeda4a2bb48dac1e14a1e77420b9ad3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 101 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 78 to 192.168.183.110 port 55425 EAP-Message = 0x016600160410fab91c864c3e522df93d00b39b6c51bf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd89160cb8160f4a77ced516b61 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=79, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02660006030d State = 0x9106cfd89160cb8160f4a77ced516b61 Message-Authenticator = 0xcc79781441efd250c146b39492c1e6e8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 102 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 79 to 192.168.183.110 port 55425 EAP-Message = 0x016700060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd89061c28160f4a77ced516b61 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=80, length=278 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x026700730d0016030100680100006403014cf481b4d6922495a82e8d872689752cd335368ce1d573362881aef4ad676af700003600390038003500880087008400160013000a00330032002f0045004400410007000500040015001200090014001100080006000300ff020100000400230000 State = 0x9106cfd89061c28160f4a77ced516b61 Message-Authenticator = 0x3fb0727493ed1edbe0bae2c6c3dd0501 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 103 length 115 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0068], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0861], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00a9], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 80 to 192.168.183.110 port 55425 EAP-Message = 0x016804000dc000000b55160301002a0200002603014cf481afc3b222e7c1332f8cc59549c4b063a8bf9077bbd1cde56575eafe36cb0000390116030108610b00085d00085a0003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974 EAP-Message = 0x79301e170d3130313132363037323333305a170d3131313132363037323333305a307b310b30090603550406130255533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574312530230603550403131c4565626c652e6e657420536572766572204365727469666963617465311e301c06092a864886f70d010901160f61646d696e406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ab4afd83acd6fea4fce7bb07d045a43436798b06b2f2be86ab6f19386c5e7d536585255834652f9a40160c6d19947c5fd02148f127b1d6d58558e055a952 EAP-Message = 0xaaaaaeb915a8475944790f539aa2084dfcd4de24636182bf350426db1a04320019b47a8d32229c4f4d4f0039bf7c4840673502f1eaefe170447fc3a508944ea8cd2197867ddb4e8f3cf5cba3da5d10f4714f40f4b28e1f48805023bb26cd940e96a68a4dc2a73243321c0af06b9b5356162641a5099fc439255340c3c02df4433f88969ce4e6035d40db3a0b4f74d31ac421e2faeec27c6fc6385d91755c1c4ed458ff850d37d7e06e9f95e87a59a5d63b25e44d3e608f6802ee9ef42619251a13ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010048267d769b012e4e35 EAP-Message = 0xee42366711bc376d503f76bd2da75c7a4040a07878b5bc5a1ad52e5e3e803b526cefeb61c58bb3db5041f4383377c39b5a72b0d35a0edde4fc3469abdaf0acb14920cc11ca1bf93e95089a627a1b99de8124c51a2dc7524e473e9333eda0aa213b11ecf188fcacbc20c2840beb0906e283d8e9025bbb2eb83ac816b2dcefe20edadddc2d5dfc171882bb8dde3f07a008fb4caa66e98a1c9ae3b452dee84971cfe892cfeab83846a60d9be8dfc0866ab93473c83541dd2d182076da789ec03128445292be43d0150e299e33030f45e4344a32ba4f6ed33a10e1e10f4a472649b92b2da7233986ed251adc2ea59764ef2187070e23a8743c0004ae308204 EAP-Message = 0xaa30820392a0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd8936ec28160f4a77ced516b61 Finished request 10. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=81, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x026800060d00 State = 0x9106cfd8936ec28160f4a77ced516b61 Message-Authenticator = 0x9a957e238e6c0098c09f429bab8a5cfb # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 104 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 81 to 192.168.183.110 port 55425 EAP-Message = 0x016904000dc000000b550097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e696131 EAP-Message = 0x1430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17f EAP-Message = 0xd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111 EAP-Message = 0x300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef50 EAP-Message = 0x40cfcbdd5a55e31c0c9eb904 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd8926fc28160f4a77ced516b61 Finished request 11. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=82, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x026900060d00 State = 0x9106cfd8926fc28160f4a77ced516b61 Message-Authenticator = 0x6a6a344f5929ac78f2ed252a2870d7b2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 105 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 82 to 192.168.183.110 port 55425 EAP-Message = 0x016a03730d8000000b55914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d160301020d0c0002090080ff1dbabee46297bf06de02f05ad815fdf518ce607e3dd1ff5c528dd383fd71430fc86fe3a57b4e2d8e6b2d017f89ff90d03477d409b591bde4502eee1aeb02 EAP-Message = 0x38c518226df76f43435eba774de8611277591c7cbc23913412d8067e5cd7ea38c53f314e3198473832c4f1737a0edb3a09d44f512c4b4131f3e1b5d6d91732691b0001020080a3f58451d5337dde0a183e126d86ee23158947536f4a7a89c279e5fec04915f6052292b9d57c8a0dbe8b3c8feee54217f6c8265da333535fe2b471651c33303cb12abcc1bb925f7d51e35780ba5bc9db2c9f25127abcdd1ad7b239e6fb5542c7bb1b5db0e28695d5e2ac3c84e65f0bd6095edb79a88f8ec2ab64957f34e65ad201007ac7cd7798bb5f7a7bdb90a0db030464d2d7f6e40e085790f1e405b6f627d55f7c70c5ae25951a718f1190462a4b7cbf822a7e7fea EAP-Message = 0x0b918e8224b19c2782deda073f2a26af8e7c00c3f5d257f939f91cb7abd572e0e5eb97bdd82d29549d4b29051865d7f26d92984d226ded73e4838e542a00e3090841845ac4c50411726153c9cc7c90036d815c24b1118b1983dea8226823d9f9cb4ea15eaea198924265f56d32d612a2d819719c7fa6bd07f1c6a8f4624a9e1f6a51ba426e662726c0bc2bc881ac5290d6fdab5763b7cfd4de06955364ec5cb15a454fe78e8b6b4e24d06f18f8e31b0755ca9aeabb2fcb12eb6f9931b4b8284f0adeb8cfec4cfd979b6f2516030100a90d0000a105030401024000990097308194310b30090603550406130255533111300f0603550408130856697267 EAP-Message = 0x696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd8956cc28160f4a77ced516b61 Finished request 12. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=83, length=1483 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x026a051e0dc000000a2816030108520b00084e00084b000397308203933082027ba003020102020102300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037333533385a170d3131313132363037333533385a306c310b30090603550406130255 EAP-Message = 0x533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574311730150603550403140e616e6479406565626c652e6e6574311d301b06092a864886f70d010901160e616e6479406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4023777541709e539867d3033954f764c3a207c352dba4ee043642002ed4df123cb5edbe0d7a35cf9c21c88cd4ea537f3f297d9be68cb7bcbc49fdbc6ed94745d1aa057fcf259ad7898a6eb1b123b277e55da4d877972f169d29b922bfedd8dab070dbe905d1437ef1c84e9c7be7fd9736882d153993e36aa498819 EAP-Message = 0x68e526722d720427a9b2cccece64fcae119806c9ae5a925f68c09d0df5fcd9ebc6e20040cb97dac3f44a32ade71f6cfc40f90ac4b64f2585d45fd6901b13b2ae12347460853c30dab72c88c4f0becccd393433e47037ecb61544cb38155bb8ce9f75a9e5a024b5e03139cacb74d47d4af87aa3b9781903b8b6976260c39fc83df288482f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010049c7d67a933fd63a42cf33f6adb61bdc203bc30007ed3dfa9da446a6c3e78bced49ae68d7fd3611a431e888a9144d196bf30f46ae1be3d673006bbb6e50d3191f6756b38506838 EAP-Message = 0xad445350dfa97ac88297b8f36979dea39a92c4add1e5f6050eb5af41f3c8702b682365719456074d7623c2a0bca5be7c86c65ad538d4e8c615dde70df4967e6ea2acc5e2e76dde0ca0f13c4a34eddc93615cc7eba93b75ea9c23a85f74f1240ee999c08416d080a36246deec5b552046232ad3470f042bbe1774bb386c84aaa3ddcd4dc38acd816de90983e5a44231e77ae4d641ea14d6e822bbf969852387230eef0e02b3f84916b2bd0ba4aa159a4cb7aeb542b8cf3bd8dd0004ae308204aa30820392a00302010202090097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f060355040813 EAP-Message = 0x0856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f6164 EAP-Message = 0x6d696e406565626c652e6e6574312830260603550403131f4565626c652e6e6574204365727469666963617465 State = 0x9106cfd8956cc28160f4a77ced516b61 Message-Authenticator = 0x7f9e18fbc6764ac5d67ed14f4b9af68f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 106 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2600 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 83 to 192.168.183.110 port 55425 EAP-Message = 0x016b00060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd8946dc28160f4a77ced516b61 Finished request 13. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=84, length=1479 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x026b051a0d0020417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17fd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0 EAP-Message = 0x031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e65743128302606035504 EAP-Message = 0x03131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef5040cfcbdd5a55e31c0c9eb904914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd EAP-Message = 0x7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d1603010086100000820080b6a6fc11dae5b0d91c974b23f5776da3286d51dcc75025f7c365a81ee0549d08874f95a097f285ee3a3cce4fdb904f7b3185a82d3481ab460ced11dff2a41eeaaddd17a9244340ea3ff2528e0166cd881bba22eb4430c0912d549f812860cf3b63dbb074e8fc33725756ab1b2f710b3675f49e0ec8718bf1c58dd8638625cf1d16030101060f000102010065ff0cdee1f13a073180ed689e5b2f589463c9ec0e EAP-Message = 0x61ebef4b3bc295e8dbc4c54e118053c49235e051480ab69237c3e50f1440072ebca811ae9e2f41435ae59b87a5032edaae224c416acdc06a9c0226244bb52fccd4d3eb3e9b565762923c7ccafd3d2f9140a705cd5aea3bae0a69b9e3acaf2f93aa68a9f7fb188068bd6e5ef5c3a60abf7bee8a2e6b59bb97ca7cb5ab2eefa0f94956920692c62930e794d5d97c33868b5f6a80b6e1c9732ff5cf42c4fa45e4a96d467b379149cabfd92645560ed128d3d2e295fbb7c1906cfe8497bcb266272e0f659038f9a32b98f6f3264983120b590a5e7ff75cffe1c0b1ea09e45e24536ce0990ecf42d99b2a9a1e8314030100010116030100309cc7400c95d751 EAP-Message = 0xf414988cf618ea3991159a7bcc648fb85a02c193b13b9b4171037012a120b2e36bf4f046a626235d30 State = 0x9106cfd8946dc28160f4a77ced516b61 Message-Authenticator = 0x5ffcc1fbcd380454fd25524389e7c6b3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 107 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0852], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = invaliduser2 [tls] --> BUF-Name = Example.net Certificate Authority [tls] --> subject = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> issuer = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> verify return:1 [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = invaliduser2 [tls] --> BUF-Name = andy@example.net [tls] --> subject = /C=US/ST=Virginia/O=Example.net/CN=andy@example.net/emailAddress=andy@example.net [tls] --> issuer = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 84 to 192.168.183.110 port 55425 EAP-Message = 0x016c00450d800000003b1403010001011603010030963977704c781d4f4d8f2aa3b335d363af8d81e6263bee6d1c02a09b7a0e47957e42cb94ecad93a231e257b94f0abcbd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9106cfd8976ac28160f4a77ced516b61 Finished request 14. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=85, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x026c00060d00 State = 0x9106cfd8976ac28160f4a77ced516b61 Message-Authenticator = 0x1a64cfaaa61f800e099a0432de248e44 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 108 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 85 to 192.168.183.110 port 55425 MS-MPPE-Recv-Key = 0x2d08d6053dd69463c00f28fa96253e6fef7ce1c25fcd636ac7801ea4b30f0c9e MS-MPPE-Send-Key = 0x2436262b744f0612e2b44f856b7e3fa2569a1ee6e6dc68ff6eee62e13fedefb9 EAP-Message = 0x036c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "invaliduser2" Finished request 15. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=86, length=156 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02de000b01626f6f676572 Message-Authenticator = 0x9c78554a3a8b563535d0d903b0c89b00 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 222 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 86 to 192.168.183.110 port 55425 EAP-Message = 0x01df001604105ce2f52a06b4da9a957fd7800282dd99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db2769dd2b6bf32cdba76f867f4ab Finished request 16. Going to the next request Waking up in 0.5 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=87, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02df0006030d State = 0x9d0db2769dd2b6bf32cdba76f867f4ab Message-Authenticator = 0x417840b8fd464fb1b5c3de9d7fbab021 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 223 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 87 to 192.168.183.110 port 55425 EAP-Message = 0x01e000060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db2769cedbfbf32cdba76f867f4ab Finished request 17. Going to the next request Waking up in 0.5 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=88, length=278 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02e000730d0016030100680100006403014cf481b8c295486f451587fade5111838f65298e8700ee9b233d48421510c46000003600390038003500880087008400160013000a00330032002f0045004400410007000500040015001200090014001100080006000300ff020100000400230000 State = 0x9d0db2769cedbfbf32cdba76f867f4ab Message-Authenticator = 0x8a9e14310b6e47c2c3de26023dae497c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 224 length 115 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0068], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0861], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00a9], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 88 to 192.168.183.110 port 55425 EAP-Message = 0x01e104000dc000000b55160301002a0200002603014cf481b46e40ddcb8f677105b2abcbca4ea593ed6f3982f0b5f536ad4d045fe70000390116030108610b00085d00085a0003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974 EAP-Message = 0x79301e170d3130313132363037323333305a170d3131313132363037323333305a307b310b30090603550406130255533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574312530230603550403131c4565626c652e6e657420536572766572204365727469666963617465311e301c06092a864886f70d010901160f61646d696e406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ab4afd83acd6fea4fce7bb07d045a43436798b06b2f2be86ab6f19386c5e7d536585255834652f9a40160c6d19947c5fd02148f127b1d6d58558e055a952 EAP-Message = 0xaaaaaeb915a8475944790f539aa2084dfcd4de24636182bf350426db1a04320019b47a8d32229c4f4d4f0039bf7c4840673502f1eaefe170447fc3a508944ea8cd2197867ddb4e8f3cf5cba3da5d10f4714f40f4b28e1f48805023bb26cd940e96a68a4dc2a73243321c0af06b9b5356162641a5099fc439255340c3c02df4433f88969ce4e6035d40db3a0b4f74d31ac421e2faeec27c6fc6385d91755c1c4ed458ff850d37d7e06e9f95e87a59a5d63b25e44d3e608f6802ee9ef42619251a13ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010048267d769b012e4e35 EAP-Message = 0xee42366711bc376d503f76bd2da75c7a4040a07878b5bc5a1ad52e5e3e803b526cefeb61c58bb3db5041f4383377c39b5a72b0d35a0edde4fc3469abdaf0acb14920cc11ca1bf93e95089a627a1b99de8124c51a2dc7524e473e9333eda0aa213b11ecf188fcacbc20c2840beb0906e283d8e9025bbb2eb83ac816b2dcefe20edadddc2d5dfc171882bb8dde3f07a008fb4caa66e98a1c9ae3b452dee84971cfe892cfeab83846a60d9be8dfc0866ab93473c83541dd2d182076da789ec03128445292be43d0150e299e33030f45e4344a32ba4f6ed33a10e1e10f4a472649b92b2da7233986ed251adc2ea59764ef2187070e23a8743c0004ae308204 EAP-Message = 0xaa30820392a0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db2769fecbfbf32cdba76f867f4ab Finished request 18. Going to the next request Waking up in 0.4 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=89, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02e100060d00 State = 0x9d0db2769fecbfbf32cdba76f867f4ab Message-Authenticator = 0x3b7277d4745b9e98ca72f95ab5737f7e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 225 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 89 to 192.168.183.110 port 55425 EAP-Message = 0x01e204000dc000000b550097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e696131 EAP-Message = 0x1430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17f EAP-Message = 0xd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111 EAP-Message = 0x300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef50 EAP-Message = 0x40cfcbdd5a55e31c0c9eb904 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db2769eefbfbf32cdba76f867f4ab Finished request 19. Going to the next request Waking up in 0.4 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=90, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02e200060d00 State = 0x9d0db2769eefbfbf32cdba76f867f4ab Message-Authenticator = 0xf97c53a2038663a789e7316935e0a570 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 226 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 90 to 192.168.183.110 port 55425 EAP-Message = 0x01e303730d8000000b55914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d160301020d0c0002090080ff1dbabee46297bf06de02f05ad815fdf518ce607e3dd1ff5c528dd383fd71430fc86fe3a57b4e2d8e6b2d017f89ff90d03477d409b591bde4502eee1aeb02 EAP-Message = 0x38c518226df76f43435eba774de8611277591c7cbc23913412d8067e5cd7ea38c53f314e3198473832c4f1737a0edb3a09d44f512c4b4131f3e1b5d6d91732691b000102008045c25ccb2d5fcda4484bd4389895809c2e8bc4ea510ba6c61b2ac53cced54dee16374e3f77d57da1bdd8cad9097bc427581db803f46445b362993f9601bbb8f571de5b8b1874db5a14100f49bf541c82ad0edae92b1d6ff27494ec12872792f88edb19d2fa08d30908c857590b5ed85f6855b88ac7f5ac13bd71bf41a79426b101004c19fc04acceb057ee3b9a5c2083c2803841a17d7d8998feeb2b3966ce510fd9745bb0bfc40dfc00bc2841c0f84ef0360bc103135e EAP-Message = 0x44c8c94508352176b28e83b5bc3db4e2295136fb775d0b48a0d5fe8a1908b26e698f1ac6af338af3acdb6b3b1925e6f0d149ea4da6b9f172ca702562877890f1ef8e551fc46edddf4101087298b9c2d2065e55289acc82102987b090606069b9d4da96c8c96f9b838d97c4a3c10354dadf2bc90873fba7b89213f4b33f19c89e325e842f3b2f2e0d4eae3f55d7693b4837279417914e2c300456d9a99eba20effbc1ac663e4a4bb90607a62ca30aff1fa9f30d7e745a88505b60ebdb5e6473e918051afe27c2990e1d973b16030100a90d0000a105030401024000990097308194310b30090603550406130255533111300f0603550408130856697267 EAP-Message = 0x696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db27699eebfbf32cdba76f867f4ab Finished request 20. Going to the next request Waking up in 0.4 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=91, length=1483 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02e3051e0dc000000a2816030108520b00084e00084b000397308203933082027ba003020102020102300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037333533385a170d3131313132363037333533385a306c310b30090603550406130255 EAP-Message = 0x533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574311730150603550403140e616e6479406565626c652e6e6574311d301b06092a864886f70d010901160e616e6479406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4023777541709e539867d3033954f764c3a207c352dba4ee043642002ed4df123cb5edbe0d7a35cf9c21c88cd4ea537f3f297d9be68cb7bcbc49fdbc6ed94745d1aa057fcf259ad7898a6eb1b123b277e55da4d877972f169d29b922bfedd8dab070dbe905d1437ef1c84e9c7be7fd9736882d153993e36aa498819 EAP-Message = 0x68e526722d720427a9b2cccece64fcae119806c9ae5a925f68c09d0df5fcd9ebc6e20040cb97dac3f44a32ade71f6cfc40f90ac4b64f2585d45fd6901b13b2ae12347460853c30dab72c88c4f0becccd393433e47037ecb61544cb38155bb8ce9f75a9e5a024b5e03139cacb74d47d4af87aa3b9781903b8b6976260c39fc83df288482f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010049c7d67a933fd63a42cf33f6adb61bdc203bc30007ed3dfa9da446a6c3e78bced49ae68d7fd3611a431e888a9144d196bf30f46ae1be3d673006bbb6e50d3191f6756b38506838 EAP-Message = 0xad445350dfa97ac88297b8f36979dea39a92c4add1e5f6050eb5af41f3c8702b682365719456074d7623c2a0bca5be7c86c65ad538d4e8c615dde70df4967e6ea2acc5e2e76dde0ca0f13c4a34eddc93615cc7eba93b75ea9c23a85f74f1240ee999c08416d080a36246deec5b552046232ad3470f042bbe1774bb386c84aaa3ddcd4dc38acd816de90983e5a44231e77ae4d641ea14d6e822bbf969852387230eef0e02b3f84916b2bd0ba4aa159a4cb7aeb542b8cf3bd8dd0004ae308204aa30820392a00302010202090097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f060355040813 EAP-Message = 0x0856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f6164 EAP-Message = 0x6d696e406565626c652e6e6574312830260603550403131f4565626c652e6e6574204365727469666963617465 State = 0x9d0db27699eebfbf32cdba76f867f4ab Message-Authenticator = 0x30fdfb43685b57ab7bddfa43385223e6 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 227 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2600 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 91 to 192.168.183.110 port 55425 EAP-Message = 0x01e400060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db27698e9bfbf32cdba76f867f4ab Finished request 21. Going to the next request Waking up in 0.4 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=92, length=1479 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02e4051a0d0020417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17fd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0 EAP-Message = 0x031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e65743128302606035504 EAP-Message = 0x03131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef5040cfcbdd5a55e31c0c9eb904914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd EAP-Message = 0x7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d1603010086100000820080ed1f82c9867a16a46cb828ce67569e8089fa292015add6108605ea65c4b1554f7b03010348b72c9a17540747297560723b4c115a40c201e125d39fe4f751885bef6072ed0712145558e2832085195599ae2f561e1b03ab2e487940ec879517aee794f152e57fc8edc9ba5e1fd9e01d5da21ce38361653a91a238c72c30ea2bf616030101060f000102010097aa1d029159d31e299046a532069c6fa27ad603af EAP-Message = 0xbbc4a426ab9760c880d3f02266acbe7f1ad4315154f756f2991d5102055a26ec46662645be4d8345ce6b4d205527345e23742c0aa4b1856c022029b1366a047d3bb9a990774c066e955fe8abe2e07f5f1eae43e8b35e1e0bedc5e40ee6171ffaf30a3be80509da4d7d14523bf8f983bd70ceef55db745a4e4921a6e31a40024ce4bb980a91a425b298a8a11bce5927cebf9c42fe4bcfc9135027406153830d17aec39512f7361a69d9678bcd3cc612dd316a21abbc66b20d783c8c06eb0ae7f4bf350f43d12f0a53a8b645a5427685b4124c7a1a0aba8dd080baccf4348c532820142970aaee354abe4aea140301000101160301003032caee1780b846 EAP-Message = 0x4f130f80978d53109065f1989f1e9b08d533c103173afaa6ee21584832f318c702f65213964facd4e4 State = 0x9d0db27698e9bfbf32cdba76f867f4ab Message-Authenticator = 0x0e8e533bf04c8f47d5f5da946752536b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 228 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0852], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = invaliduser2 [tls] --> BUF-Name = Example.net Certificate Authority [tls] --> subject = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> issuer = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> verify return:1 [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = invaliduser2 [tls] --> BUF-Name = andy@example.net [tls] --> subject = /C=US/ST=Virginia/O=Example.net/CN=andy@example.net/emailAddress=andy@example.net [tls] --> issuer = /C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin@example.net/CN=Example.net Certificate Authority [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 92 to 192.168.183.110 port 55425 EAP-Message = 0x01e500450d800000003b1403010001011603010030be498792743bbd0dd2b9ac5f315cc590c4c89eefa413141655418f169cf411a0165c48f0f9da635b73b2fee915b73da9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d0db2769be8bfbf32cdba76f867f4ab Finished request 22. Going to the next request Waking up in 0.3 seconds. rad_recv: Access-Request packet from host 192.168.183.110 port 55425, id=93, length=169 User-Name = "invaliduser2" NAS-Identifier = "openwrt" NAS-Port = 2 Called-Station-Id = "00-18-F8-C1-66-46:testbed" Calling-Station-Id = "00-1F-3A-49-EC-73" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02e500060d00 State = 0x9d0db2769be8bfbf32cdba76f867f4ab Message-Authenticator = 0x476057e77b2c0c0518242a8f101cc275 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 229 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 93 to 192.168.183.110 port 55425 MS-MPPE-Recv-Key = 0xbaf2429720d7a5b7d92ace08ca21d2b623a379f67f25b406a314df47b51da996 MS-MPPE-Send-Key = 0xad7b449fcfdc531ebc0c985bab1d25d8843bd0fba29b646bc7c49b97f31df4d7 EAP-Message = 0x03e50004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "invaliduser2" Finished request 23. Going to the next request Waking up in 0.3 seconds. Cleaning up request 8 ID 78 with timestamp +1040 Cleaning up request 9 ID 79 with timestamp +1040 Cleaning up request 10 ID 80 with timestamp +1040 Cleaning up request 11 ID 81 with timestamp +1040 Cleaning up request 12 ID 82 with timestamp +1040 Cleaning up request 13 ID 83 with timestamp +1041 Cleaning up request 14 ID 84 with timestamp +1041 Cleaning up request 15 ID 85 with timestamp +1041 Waking up in 4.1 seconds. Cleaning up request 16 ID 86 with timestamp +1045 Cleaning up request 17 ID 87 with timestamp +1045 Cleaning up request 18 ID 88 with timestamp +1045 Cleaning up request 19 ID 89 with timestamp +1045 Cleaning up request 20 ID 90 with timestamp +1045 Cleaning up request 21 ID 91 with timestamp +1045 Cleaning up request 22 ID 92 with timestamp +1045 Cleaning up request 23 ID 93 with timestamp +1045 Ready to process requests.
-----Original Message----- On Behalf Of Andrew Bovill
Hi,
I'm trying to get WPA Enterprise EAP/TLS working with my wireless router. It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line.
I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination.
Here is the debug output: Thanks for any advice. I didn't want to start reconfiguring with a shotgun :) *snipped*
IIRC, that is how EAP-TLS works. If the client has a valid certificate, it can connect. Check this previous message that is similar to what I think you are trying to do: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66246.h tml -- John D McDonnell Penn Cambria School District mcdonnjd@pcam.org O< ASCII Ribbon Campaign - http://www.asciiribbon.org/
On 11/30/2010 11:05 AM, John McDonnell wrote:
-----Original Message----- On Behalf Of Andrew Bovill
Hi,
I'm trying to get WPA Enterprise EAP/TLS working with my wireless router. It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line.
I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination.
Here is the debug output: Thanks for any advice. I didn't want to start reconfiguring with a shotgun :) *snipped* IIRC, that is how EAP-TLS works. If the client has a valid certificate, it can connect.
Check this previous message that is similar to what I think you are trying to do: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66246.h tml
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Cool, I was wondering about that.
It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant? Thanks --Andrew Bovill
On 30/11/10 16:10, Andrew Bovill wrote:
It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant?
Well, the username goes into the EAP-Identity field. For example you might put: user@home.org.com ...and be in a radius roaming federation like eduroam, but your certificate may contain: cn=user,o=Home Org,... ...so you need to be able to specific a username. Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series)
On 11/30/2010 11:15 AM, Phil Mayers wrote:
On 30/11/10 16:10, Andrew Bovill wrote:
It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant?
Well, the username goes into the EAP-Identity field. For example you might put:
user@home.org.com
...and be in a radius roaming federation like eduroam, but your certificate may contain:
cn=user,o=Home Org,...
...so you need to be able to specific a username.
Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, this makes more sense now. I think what was throwing me off was that the Android supplicant asks for the following when doing 802.1x EAP: EAP Method (I chose TLS) Phase 2 authentication (I left as none, but has things like CHAP, PAP, etc) CA cert user cert Identity Anonymous Identity Password It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me. I doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS? --Andrew
On 30/11/10 16:55, Andrew Bovill wrote:
It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me.
Most supplicants will use the "cn=XXX" from the cert as the identity, but it really makes sense to ask, because they may not be (often are not) the same
I doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS?
A certificate is like any other credential; anyone who knows it (or has it) can use it. Whether that's a good idea is another matter; how do you revoke it and manage re-issuance once one guest leaves? How do you distinguish between their activity? And so on.
participants (3)
-
Andrew Bovill -
John McDonnell -
Phil Mayers