Sorry if this is a stupid question, but is there a way to control the Phase 2 Authentication method when doing PEAP? My aim is to only allow MSCHAPV2, however, I also get a good reply from the Server if I select None, PAP, MD5, MSCHAP, or MSCHAPv2 on the supplicant. Or is phase 2 Authentication the prerogative of the supplicant? I've attached the Debug output for When I tried to long on via no Phase 2 Authentication, though there was an interesting line that Appears in my debug output for many different modes (None, PAP, MD5, MSCHAP, MSCHAPv2) that worked. Is freeradius forcing the supplicant into a MSCHAPv2 for the 2nd Phase ignoring what was selected? (8) eap_peap : EAP type MSCHAPv2 (26) However when I tried using GTC as the Phase 2 Authentication method it fails out (as expected) and I get (7) eap_peap : EAP type NAK (3) I've tried this or two different two of Supplicants (Android Phone, and Linux PC) I've commented out any reference to pap, etc in config files and removed the link from mods-enabled. Thank You, Casey Starting FreeRadius Daemon (Test Mode)...[1mradiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Oct 26 2013 at 18:29:10[0m [1mCopyright (C) 1999-2013 The FreeRADIUS server project and contributors.[0m [1mThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A[0m [1mPARTICULAR PURPOSE.[0m [1mYou may redistribute copies of FreeRADIUS under the terms of the[0m [1mGNU General Public License.[0m [1mFor more information about these matters, see the file named COPYRIGHT.[0m [1mStarting - reading configuration files ...[0m including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/logintime including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/filter including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/wifi main { security { user = "radius" group = "radius" chroot = "/srv/freeradius" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" libdir = "/lib" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 5096 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no colourise = yes } security { max_attributes = 200 reject_delay = 3 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipv6addr = ::1 IPv6 address [::1] netmask = 128 require_message_authenticator = yes secret = "testing123" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client wlan-west { ipaddr = 10.50.1.2 netmask = 32 require_message_authenticator = yes secret = "test123" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_radutmp # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/prouter-radius.pem" certificate_file = "/etc/raddb/certs/prouter-radius_crt.pem" ca_file = "/etc/raddb/certs/cacert.pem" private_key_password = "2rU36=L-mdKYVbG" dh_file = "/etc/raddb/certs/dh_radius" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-auth {...} } # server server default { # from file /etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_username # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server server wifi { # from file /etc/raddb/sites-enabled/wifi # Loading authenticate {...} # Loading authorize {...} # Loading virtual module filter_username # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} # Loading post-auth {...} # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipv6addr = ::1 IPv6 address [::1] port = 18120 } listen { type = "auth" ipaddr = 10.50.1.1 port = 0 } listen { type = "acct" ipaddr = 10.50.1.1 port = 0 } listen { type = "auth" ipv6addr = ::1 IPv6 address [::1] port = 1812 } listen { type = "acct" ipv6addr = ::1 IPv6 address [::1] port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address ::1 port 18120 as server inner-tunnel Listening on auth interface br0 address 10.50.1.1 port 1812 as server default Listening on acct interface br0 address 10.50.1.1 port 1813 as server default Listening on auth interface lo address ::1 port 1812 as server wifi Listening on acct interface lo address ::1 port 1813 as server wifi [1mReady to process requests.[0m rad_recv: Access-Request packet from host ::1 port 48165, id=0, length=180 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x0267000a017374657665 Message-Authenticator = 0xd79bddbc4667890f34d4075e791ad2a4 (0) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (0) authorize { (0) filter_username filter_username { (0) ? if (User-Name != "%{tolower:%{User-Name}}") (0) expand: "%{tolower:%{User-Name}}" -> 'steve' (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) ? if (User-Name =~ / /) (0) ? if (User-Name =~ / /) -> FALSE (0) ? if (User-Name =~ /@.*@/ ) (0) ? if (User-Name =~ /@.*@/ ) -> FALSE (0) ? if (User-Name =~ /\\.\\./ ) (0) ? if (User-Name =~ /\\.\\./ ) -> FALSE (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) ? if (User-Name =~ /\\.$/) (0) ? if (User-Name =~ /\\.$/) -> FALSE (0) ? if (User-Name =~ /@\\./) (0) ? if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (0) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (0) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (0) [auth_log] = ok (0) files : users: Matched entry steve at line 73 (0) [files] = ok (0) ? if (control:wifi_key != "true") (0) expand: "true" -> 'true' (0) ? if (control:wifi_key != "true") -> FALSE (0) eap : EAP packet type response id 103 length 10 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/wifi (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918a8c56083 (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge of id 0 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x016800061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918a8c560834e7c8f387fecd2a4 (0) Finished request 0. Waking up in 0.3 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=1, length=396 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026800d01980000000c616030100c1010000bd030153583d21bd49160c44cfa32bf122061d9455306e0281a1d48613ca7be42cdb68000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 State = 0xa8ad7918a8c560834e7c8f387fecd2a4 Message-Authenticator = 0x97948d30a20d05e55e7847bef6bb35ef (1) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (1) authorize { (1) filter_username filter_username { (1) ? if (User-Name != "%{tolower:%{User-Name}}") (1) expand: "%{tolower:%{User-Name}}" -> 'steve' (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) ? if (User-Name =~ / /) (1) ? if (User-Name =~ / /) -> FALSE (1) ? if (User-Name =~ /@.*@/ ) (1) ? if (User-Name =~ /@.*@/ ) -> FALSE (1) ? if (User-Name =~ /\\.\\./ ) (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) ? if (User-Name =~ /\\.$/) (1) ? if (User-Name =~ /\\.$/) -> FALSE (1) ? if (User-Name =~ /@\\./) (1) ? if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (1) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (1) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (1) [auth_log] = ok (1) files : users: Matched entry steve at line 73 (1) [files] = ok (1) ? if (control:wifi_key != "true") (1) expand: "true" -> 'true' (1) ? if (control:wifi_key != "true") -> FALSE (1) eap : EAP packet type response id 104 length 208 (1) eap : Continuing tunnel setup. (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/wifi (1) authenticate { (1) eap : Expiring EAP session with state 0xa8ad7918a8c56083 (1) eap : Finished EAP session with state 0xa8ad7918a8c56083 (1) eap : Previous EAP request found for state 0xa8ad7918a8c56083, released from the list (1) eap : Peer sent PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 198 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 00c1], ClientHello (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 06cd], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange (1) eap_peap : TLS_accept: SSLv3 write key exchange A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918a9c46083 (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge of id 1 from ::1 port 1812 to ::1 port 48165 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918a9c460834e7c8f387fecd2a4 (1) Finished request 1. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=2, length=194 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026900061900 State = 0xa8ad7918a9c460834e7c8f387fecd2a4 Message-Authenticator = 0x98d32114182bbaf058b8ef095dd350f6 (2) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (2) authorize { (2) filter_username filter_username { (2) ? if (User-Name != "%{tolower:%{User-Name}}") (2) expand: "%{tolower:%{User-Name}}" -> 'steve' (2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) ? if (User-Name =~ / /) (2) ? if (User-Name =~ / /) -> FALSE (2) ? if (User-Name =~ /@.*@/ ) (2) ? if (User-Name =~ /@.*@/ ) -> FALSE (2) ? if (User-Name =~ /\\.\\./ ) (2) ? if (User-Name =~ /\\.\\./ ) -> FALSE (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) ? if (User-Name =~ /\\.$/) (2) ? if (User-Name =~ /\\.$/) -> FALSE (2) ? if (User-Name =~ /@\\./) (2) ? if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (2) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (2) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (2) [auth_log] = ok (2) files : users: Matched entry steve at line 73 (2) [files] = ok (2) ? if (control:wifi_key != "true") (2) expand: "true" -> 'true' (2) ? if (control:wifi_key != "true") -> FALSE (2) eap : EAP packet type response id 105 length 6 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/wifi (2) authenticate { (2) eap : Expiring EAP session with state 0xa8ad7918a9c46083 (2) eap : Finished EAP session with state 0xa8ad7918a9c46083 (2) eap : Previous EAP request found for state 0xa8ad7918a9c46083, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918aac76083 (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge of id 2 from ::1 port 1812 to ::1 port 48165 EAP-Message = Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918aac760834e7c8f387fecd2a4 (2) Finished request 2. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=3, length=194 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026a00061900 State = 0xa8ad7918aac760834e7c8f387fecd2a4 Message-Authenticator = 0xddba5abc747ee013a391120cd5aaf0eb (3) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (3) authorize { (3) filter_username filter_username { (3) ? if (User-Name != "%{tolower:%{User-Name}}") (3) expand: "%{tolower:%{User-Name}}" -> 'steve' (3) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) ? if (User-Name =~ / /) (3) ? if (User-Name =~ / /) -> FALSE (3) ? if (User-Name =~ /@.*@/ ) (3) ? if (User-Name =~ /@.*@/ ) -> FALSE (3) ? if (User-Name =~ /\\.\\./ ) (3) ? if (User-Name =~ /\\.\\./ ) -> FALSE (3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) ? if (User-Name =~ /\\.$/) (3) ? if (User-Name =~ /\\.$/) -> FALSE (3) ? if (User-Name =~ /@\\./) (3) ? if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (3) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (3) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (3) [auth_log] = ok (3) files : users: Matched entry steve at line 73 (3) [files] = ok (3) ? if (control:wifi_key != "true") (3) expand: "true" -> 'true' (3) ? if (control:wifi_key != "true") -> FALSE (3) eap : EAP packet type response id 106 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/wifi (3) authenticate { (3) eap : Expiring EAP session with state 0xa8ad7918aac76083 (3) eap : Finished EAP session with state 0xa8ad7918aac76083 (3) eap : Previous EAP request found for state 0xa8ad7918aac76083, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918abc66083 (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge of id 3 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x016b0023190027d0ad5942b830c50f432697e5a588b8afbade4516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918abc660834e7c8f387fecd2a4 (3) Finished request 3. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=4, length=332 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026b0090198000000086160301004610000042410492d0d71260ecb28182a7a04abf0fe0f9252a84a956e2fd903a8e13836d460b23c9296726d0c1f971f367cc6cfbc11285f0e60a40513b2ab6bfbab088dd618419140301000101160301003095e5112ba7cdc234ff9508a9549e3b4941505303a3dc9e9e4bea804c11040dd25efaba55305c75573e27f82cc0ce4a0f State = 0xa8ad7918abc660834e7c8f387fecd2a4 Message-Authenticator = 0x2f89a733b9060aac852a3bc51ca6da47 (4) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (4) authorize { (4) filter_username filter_username { (4) ? if (User-Name != "%{tolower:%{User-Name}}") (4) expand: "%{tolower:%{User-Name}}" -> 'steve' (4) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) ? if (User-Name =~ / /) (4) ? if (User-Name =~ / /) -> FALSE (4) ? if (User-Name =~ /@.*@/ ) (4) ? if (User-Name =~ /@.*@/ ) -> FALSE (4) ? if (User-Name =~ /\\.\\./ ) (4) ? if (User-Name =~ /\\.\\./ ) -> FALSE (4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) ? if (User-Name =~ /\\.$/) (4) ? if (User-Name =~ /\\.$/) -> FALSE (4) ? if (User-Name =~ /@\\./) (4) ? if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (4) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (4) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (4) [auth_log] = ok (4) files : users: Matched entry steve at line 73 (4) [files] = ok (4) ? if (control:wifi_key != "true") (4) expand: "true" -> 'true' (4) ? if (control:wifi_key != "true") -> FALSE (4) eap : EAP packet type response id 107 length 144 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/wifi (4) authenticate { (4) eap : Expiring EAP session with state 0xa8ad7918abc66083 (4) eap : Finished EAP session with state 0xa8ad7918abc66083 (4) eap : Previous EAP request found for state 0xa8ad7918abc66083, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS TLS Length 134 (4) eap_peap : Length Included (4) eap_peap : eaptls_verify returned 11 (4) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_peap : TLS_accept: SSLv3 read client key exchange A (4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 read finished A (4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_peap : TLS_accept: SSLv3 write change cipher spec A (4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_peap : TLS_accept: SSLv3 write finished A (4) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a to cache (4) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918acc16083 (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge of id 4 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x016c00411900140301000101160301003009545d7f94b5e5e3e8f070d78a9404478773a978dda13146eed6d71884901a1d04dc032f3554330c8e2d60ea23524163 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918acc160834e7c8f387fecd2a4 (4) Finished request 4. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=5, length=194 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026c00061900 State = 0xa8ad7918acc160834e7c8f387fecd2a4 Message-Authenticator = 0xae54d80b044b43fa45d718577351a2d3 (5) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (5) authorize { (5) filter_username filter_username { (5) ? if (User-Name != "%{tolower:%{User-Name}}") (5) expand: "%{tolower:%{User-Name}}" -> 'steve' (5) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) ? if (User-Name =~ / /) (5) ? if (User-Name =~ / /) -> FALSE (5) ? if (User-Name =~ /@.*@/ ) (5) ? if (User-Name =~ /@.*@/ ) -> FALSE (5) ? if (User-Name =~ /\\.\\./ ) (5) ? if (User-Name =~ /\\.\\./ ) -> FALSE (5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) ? if (User-Name =~ /\\.$/) (5) ? if (User-Name =~ /\\.$/) -> FALSE (5) ? if (User-Name =~ /@\\./) (5) ? if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (5) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (5) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (5) [auth_log] = ok (5) files : users: Matched entry steve at line 73 (5) [files] = ok (5) ? if (control:wifi_key != "true") (5) expand: "true" -> 'true' (5) ? if (control:wifi_key != "true") -> FALSE (5) eap : EAP packet type response id 108 length 6 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/wifi (5) authenticate { (5) eap : Expiring EAP session with state 0xa8ad7918acc16083 (5) eap : Finished EAP session with state 0xa8ad7918acc16083 (5) eap : Previous EAP request found for state 0xa8ad7918acc16083, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake is finished (5) eap_peap : eaptls_verify returned 3 (5) eap_peap : eaptls_process returned 3 (5) eap_peap : FR_TLS_SUCCESS (5) eap_peap : Session established. Decoding tunneled attributes. (5) eap_peap : Peap state TUNNEL ESTABLISHED (5) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918adc06083 (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge of id 5 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x016d002b1900170301002059df3c16dae8dc16851faddfa9adf66b5d377c8d77d4a94b8ddb3dd641a7ff7f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918adc060834e7c8f387fecd2a4 (5) Finished request 5. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=6, length=268 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026d0050190017030100204cbd0844571c6a95c351b861ffeb20871e1a268e30eade06b683ab8d37f6b0681703010020a0f7d4d3cb51269adedeebc1a2c50ab9ce06544aa25177e6c47420e308459d98 State = 0xa8ad7918adc060834e7c8f387fecd2a4 Message-Authenticator = 0xc6f194f2722da7c403d8d2b1f3e30e82 (6) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (6) authorize { (6) filter_username filter_username { (6) ? if (User-Name != "%{tolower:%{User-Name}}") (6) expand: "%{tolower:%{User-Name}}" -> 'steve' (6) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) ? if (User-Name =~ / /) (6) ? if (User-Name =~ / /) -> FALSE (6) ? if (User-Name =~ /@.*@/ ) (6) ? if (User-Name =~ /@.*@/ ) -> FALSE (6) ? if (User-Name =~ /\\.\\./ ) (6) ? if (User-Name =~ /\\.\\./ ) -> FALSE (6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) ? if (User-Name =~ /\\.$/) (6) ? if (User-Name =~ /\\.$/) -> FALSE (6) ? if (User-Name =~ /@\\./) (6) ? if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (6) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (6) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (6) [auth_log] = ok (6) files : users: Matched entry steve at line 73 (6) [files] = ok (6) ? if (control:wifi_key != "true") (6) expand: "true" -> 'true' (6) ? if (control:wifi_key != "true") -> FALSE (6) eap : EAP packet type response id 109 length 80 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/wifi (6) authenticate { (6) eap : Expiring EAP session with state 0xa8ad7918adc06083 (6) eap : Finished EAP session with state 0xa8ad7918adc06083 (6) eap : Previous EAP request found for state 0xa8ad7918adc06083, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : eaptls_verify returned 7 (6) eap_peap : Done initial handshake (6) eap_peap : eaptls_process returned 7 (6) eap_peap : FR_TLS_OK (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state WAITING FOR INNER IDENTITY (6) eap_peap : Identity - steve (6) eap_peap : Got inner identity 'steve' (6) eap_peap : Setting default EAP type for tunneled EAP session. (6) eap_peap : Got tunneled request EAP-Message = 0x026d000a017374657665 server wifi { (6) eap_peap : Setting User-Name to steve Sending tunneled request EAP-Message = 0x026d000a017374657665 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'steve' server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) update control { (6) Proxy-To-Realm := 'LOCAL' (6) } # update control = noop (6) eap : EAP packet type response id 109 length 10 (6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (6) [eap] = ok (6) } # authorize = ok [1m[33m(6) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.[0m (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) authenticate { (6) eap : Peer sent Identity (1) (6) eap : Calling eap_mschapv2 to process EAP data (6) eap_mschapv2 : Issuing Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0x7fd644537fb85e09 (6) [eap] = handled (6) } # authenticate = handled } # server inner-tunnel (6) eap_peap : Got tunneled reply code 11 EAP-Message = 0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7fd644537fb85e0993bf77b0297ba359 (6) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7fd644537fb85e0993bf77b0297ba359 (6) eap_peap : Got tunneled Access-Challenge (6) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918aec36083 (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge of id 6 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x016e005b19001703010050be2d19115eeec52f8ef7f3924d3e06b1414ac02b93abeabf9b93868a35a635cd8103f213946df5b276e49ebc329d332c3a8b0ea3910c655fe4cb333e2119dd2f87e0c0c816ea7a97744a0e1163a2c8c8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918aec360834e7c8f387fecd2a4 (6) Finished request 6. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=7, length=332 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026e009019001703010020c6ef33f59aafabdcbc8e0606fce5b8186e58ff23be26cffd63bc3a9aaba245b61703010060ac4916496f2d9fc82d01c90f2a384f495bc5cad349a90215e8982b81e51084189924a9a22e85ab15c85bf058b0a8742ef055876f95cc446a8dcb0c20160408687c2f1b26e4badf300c802f146318c1cb1c9b2d5ed72aac629b0e3c411aa0aeb5 State = 0xa8ad7918aec360834e7c8f387fecd2a4 Message-Authenticator = 0xe81eb90fcfa5aaf86bf6c12d41a0fb73 (7) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (7) authorize { (7) filter_username filter_username { (7) ? if (User-Name != "%{tolower:%{User-Name}}") (7) expand: "%{tolower:%{User-Name}}" -> 'steve' (7) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) ? if (User-Name =~ / /) (7) ? if (User-Name =~ / /) -> FALSE (7) ? if (User-Name =~ /@.*@/ ) (7) ? if (User-Name =~ /@.*@/ ) -> FALSE (7) ? if (User-Name =~ /\\.\\./ ) (7) ? if (User-Name =~ /\\.\\./ ) -> FALSE (7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) ? if (User-Name =~ /\\.$/) (7) ? if (User-Name =~ /\\.$/) -> FALSE (7) ? if (User-Name =~ /@\\./) (7) ? if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (7) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (7) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (7) [auth_log] = ok (7) files : users: Matched entry steve at line 73 (7) [files] = ok (7) ? if (control:wifi_key != "true") (7) expand: "true" -> 'true' (7) ? if (control:wifi_key != "true") -> FALSE (7) eap : EAP packet type response id 110 length 144 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/wifi (7) authenticate { (7) eap : Expiring EAP session with state 0x7fd644537fb85e09 (7) eap : Finished EAP session with state 0xa8ad7918aec36083 (7) eap : Previous EAP request found for state 0xa8ad7918aec36083, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state phase2 (7) eap_peap : EAP type MSCHAPv2 (26) (7) eap_peap : Got tunneled request EAP-Message = 0x026e00401a026e003b31428de007ac0fdd2b2cceb02df8b1a42f0000000000000000fbc267c343bceaf89088ea12252a9bb2dcd001fc2d44b63b007374657665 server wifi { (7) eap_peap : Setting User-Name to steve Sending tunneled request EAP-Message = 0x026e00401a026e003b31428de007ac0fdd2b2cceb02df8b1a42f0000000000000000fbc267c343bceaf89088ea12252a9bb2dcd001fc2d44b63b007374657665 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'steve' State = 0x7fd644537fb85e0993bf77b0297ba359 server inner-tunnel { (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 110 length 64 (7) eap : No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) files : users: Matched entry steve at line 73 (7) [files] = ok (7) [expiration] = noop (7) [logintime] = noop (7) } # authorize = updated [1m[33m(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.[0m (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Expiring EAP session with state 0x7fd644537fb85e09 (7) eap : Finished EAP session with state 0x7fd644537fb85e09 (7) eap : Previous EAP request found for state 0x7fd644537fb85e09, released from the list (7) eap : Peer sent MSCHAPv2 (26) (7) eap : EAP MSCHAPv2 (26) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2 : Auth-Type MS-CHAP { (7) mschap : Creating challenge hash with username: steve (7) mschap : Client is using MS-CHAPv2 for steve, we need NT-Password (7) mschap : adding MS-CHAPv2 MPPE keys (7) [mschap] = ok (7) } # Auth-Type MS-CHAP = ok MSCHAP Success (7) eap : New EAP session, adding 'State' attribute to reply 0x7fd644537eb95e09 (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x016f00331a036e002e533d31383634364643383531363741383643463942363038383739423942413331364333353331394638 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7fd644537eb95e0993bf77b0297ba359 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x016f00331a036e002e533d31383634364643383531363741383643463942363038383739423942413331364333353331394638 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7fd644537eb95e0993bf77b0297ba359 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918afc26083 (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge of id 7 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x016f008b19001703010080c56df7652dbf41fee6b4832b29090561a9fd805201afb233e16d79603cbaeb60b8a3f94a479bce399c00c3e88102df06050b5323c9a637591e8ba44a5432d66405fcb8defc54563ee88021742024f1db54b1563b7712336ac82a8e00b4ca6772e1af90cb871ce1f6c47c44abb26785bcfa666f5831f2fc182c75d9cfa4adfa6c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918afc260834e7c8f387fecd2a4 (7) Finished request 7. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=8, length=268 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x026f005019001703010020404ffa3d8eeb64f193cbd53ce3f076375e056bdfad2bd18e1872a531f0255d8d1703010020692b6b2267cca6f533fefe2ef002ffa43dc996478e67f0b5616525b6b42e6734 State = 0xa8ad7918afc260834e7c8f387fecd2a4 Message-Authenticator = 0x9e18d6688f17f7809fc45666b204cfae (8) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (8) authorize { (8) filter_username filter_username { (8) ? if (User-Name != "%{tolower:%{User-Name}}") (8) expand: "%{tolower:%{User-Name}}" -> 'steve' (8) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) ? if (User-Name =~ / /) (8) ? if (User-Name =~ / /) -> FALSE (8) ? if (User-Name =~ /@.*@/ ) (8) ? if (User-Name =~ /@.*@/ ) -> FALSE (8) ? if (User-Name =~ /\\.\\./ ) (8) ? if (User-Name =~ /\\.\\./ ) -> FALSE (8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) ? if (User-Name =~ /\\.$/) (8) ? if (User-Name =~ /\\.$/) -> FALSE (8) ? if (User-Name =~ /@\\./) (8) ? if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (8) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (8) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (8) [auth_log] = ok (8) files : users: Matched entry steve at line 73 (8) [files] = ok (8) ? if (control:wifi_key != "true") (8) expand: "true" -> 'true' (8) ? if (control:wifi_key != "true") -> FALSE (8) eap : EAP packet type response id 111 length 80 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/wifi (8) authenticate { (8) eap : Expiring EAP session with state 0x7fd644537eb95e09 (8) eap : Finished EAP session with state 0xa8ad7918afc26083 (8) eap : Previous EAP request found for state 0xa8ad7918afc26083, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x026f00061a03 server wifi { (8) eap_peap : Setting User-Name to steve Sending tunneled request EAP-Message = 0x026f00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'steve' State = 0x7fd644537eb95e0993bf77b0297ba359 server inner-tunnel { (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 111 length 6 (8) eap : EAP-MSCHAPV2 success, returning short-circuit ok (8) [eap] = ok (8) } # authorize = ok [1m[33m(8) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.[0m (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0x7fd644537eb95e09 (8) eap : Finished EAP session with state 0x7fd644537eb95e09 (8) eap : Previous EAP request found for state 0x7fd644537eb95e09, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap : Freeing handler (8) [eap] = ok (8) } # authenticate = ok [1m(8) Login OK: [steve] (from client localhost port 0 via TLS tunnel)[0m (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) reply_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/reply-detail-20140423' (8) reply_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/reply-detail-20140423 (8) reply_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (8) [reply_log] = ok (8) } # post-auth = ok } # server inner-tunnel (8) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x2a51646e02232b7a173294c32b02f17d MS-MPPE-Recv-Key = 0xfdfe6721674eb1149424aff2f50fc6d7 EAP-Message = 0x036f0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'steve' (8) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x2a51646e02232b7a173294c32b02f17d MS-MPPE-Recv-Key = 0xfdfe6721674eb1149424aff2f50fc6d7 EAP-Message = 0x036f0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'steve' (8) eap_peap : Tunneled authentication was successful. (8) eap_peap : SUCCESS (8) eap : New EAP session, adding 'State' attribute to reply 0xa8ad7918a0dd6083 (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge of id 8 from ::1 port 1812 to ::1 port 48165 EAP-Message = 0x0170002b19001703010020661348a387664b2e5c94ba8323f1a67114ac711a1c4e04edfb13c9f820005322 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8ad7918a0dd60834e7c8f387fecd2a4 (8) Finished request 8. Waking up in 0.2 seconds. rad_recv: Access-Request packet from host ::1 port 48165, id=9, length=268 User-Name = 'steve' NAS-IPv6-Address = ::1 Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam' NAS-Port-Type = Wireless-802.11 NAS-Port = 1 Calling-Station-Id = '30-D6-C9-6C-44-4B' Connect-Info = 'CONNECT 54Mbps 802.11g' Acct-Session-Id = '53583CBF-00000000' Framed-MTU = 1400 EAP-Message = 0x0270005019001703010020ae37a2e2decf022da362f42e0e65a167adb06bb829e50734034c82ed7f591f7c1703010020e9139a89dbb6bf66f2f6ec32d49e2be2a4359a5e31e09662e644e09cc5312b33 State = 0xa8ad7918a0dd60834e7c8f387fecd2a4 Message-Authenticator = 0xbc2e93f9e92baad2d86a265f15c2537a (9) # Executing section authorize from file /etc/raddb/sites-enabled/wifi (9) authorize { (9) filter_username filter_username { (9) ? if (User-Name != "%{tolower:%{User-Name}}") (9) expand: "%{tolower:%{User-Name}}" -> 'steve' (9) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) ? if (User-Name =~ / /) (9) ? if (User-Name =~ / /) -> FALSE (9) ? if (User-Name =~ /@.*@/ ) (9) ? if (User-Name =~ /@.*@/ ) -> FALSE (9) ? if (User-Name =~ /\\.\\./ ) (9) ? if (User-Name =~ /\\.\\./ ) -> FALSE (9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) ? if (User-Name =~ /\\.$/) (9) ? if (User-Name =~ /\\.$/) -> FALSE (9) ? if (User-Name =~ /@\\./) (9) ? if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423' (9) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423 (9) auth_log : expand: "%t" -> 'Wed Apr 23 22:22:25 2014' (9) [auth_log] = ok (9) files : users: Matched entry steve at line 73 (9) [files] = ok (9) ? if (control:wifi_key != "true") (9) expand: "true" -> 'true' (9) ? if (control:wifi_key != "true") -> FALSE (9) eap : EAP packet type response id 112 length 80 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/wifi (9) authenticate { (9) eap : Expiring EAP session with state 0xa8ad7918a0dd6083 (9) eap : Finished EAP session with state 0xa8ad7918a0dd6083 (9) eap : Previous EAP request found for state 0xa8ad7918a0dd6083, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state send tlv success (9) eap_peap : Received EAP-TLV response. (9) eap_peap : Success [1m[33m(9) WARNING: eap_peap : No information to cache: session caching will be disabled for session 63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a[0m SSL: Removing session 63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a from the cache (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok [1m(9) Login OK: [steve] (from client localhost port 1 cli 30-D6-C9-6C-44-4B)[0m (9) # Executing section post-auth from file /etc/raddb/sites-enabled/wifi (9) post-auth { (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) ? if (reply:EAP-Message && reply:Reply-Message) (9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # post-auth = noop Sending Access-Accept of id 9 from ::1 port 1812 to ::1 port 48165 MS-MPPE-Recv-Key = 0xdad7c775b865f270124273715d138d7c0cc248810d14fb66c6874cf11108813c MS-MPPE-Send-Key = 0xd6f9da11a8547d1cb1da34c491e18a5ff2eb7e06a90cef54b47b2156f727ba7e EAP-Message = 0x03700004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'steve' (9) Finished request 9. Waking up in 0.2 seconds. Waking up in 4.5 seconds.
PEAP comes in two flavours for WPA (since you're using a wireless access point based on the debug): PEAPv0 (from Windows XP onwards) and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds EAP-GTC as an inner mechanism, so chances are that yes, the supplicant will always select EAP-MSCHAPv2 if it only supports PEAPv0. :-) Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Casey Daniels Sent: 23 April 2014 23:57 To: freeradius-users@lists.freeradius.org Subject: PEAP Inner Tunnel Question Sorry if this is a stupid question, but is there a way to control the Phase 2 Authentication method when doing PEAP? My aim is to only allow MSCHAPV2, however, I also get a good reply from the Server if I select None, PAP, MD5, MSCHAP, or MSCHAPv2 on the supplicant. Or is phase 2 Authentication the prerogative of the supplicant? I've attached the Debug output for When I tried to long on via no Phase 2 Authentication, though there was an interesting line that Appears in my debug output for many different modes (None, PAP, MD5, MSCHAP, MSCHAPv2) that worked. Is freeradius forcing the supplicant into a MSCHAPv2 for the 2nd Phase ignoring what was selected? (8) eap_peap : EAP type MSCHAPv2 (26) However when I tried using GTC as the Phase 2 Authentication method it fails out (as expected) and I get (7) eap_peap : EAP type NAK (3) I've tried this or two different two of Supplicants (Android Phone, and Linux PC) I've commented out any reference to pap, etc in config files and removed the link from mods-enabled. Thank You, Casey - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Hi,
PEAP comes in two flavours for WPA (since you're using a wireless access point based on the debug): PEAPv0 (from Windows XP onwards) and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds EAP-GTC as an inner mechanism, so chances are that yes, the supplicant will always select EAP-MSCHAPv2 if it only supports PEAPv0.
there is also PEAP-EAP-TLS - like EAP-TLS but the EAP-TLS is inside the protected tunnel. 'tis true.
My aim is to only allow MSCHAPV2, however, I also get a good reply from the Server if I select
edit eap.conf and your radius virtual servers to remove support for anything you dont want to support. alan
On 24/04/14 08:57, Stefan Paetow wrote:
PEAP comes in two flavours for WPA (since you're using a wireless access point based on the debug): PEAPv0 (from Windows XP onwards) and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds EAP-GTC as an inner mechanism, so chances are that yes, the supplicant will always select EAP-MSCHAPv2 if it only supports PEAPv0.
The wording of MS-PEAP - the only "formal" spec for PEAPv0 - is a bit vague on this. "MSCHAP" is only mentioned once in the document as an example of one valid inner, and 3.1.5.6 just says: """ PEAP implementations MUST only support a single EAP authentication method per session with a type greater than or equal to 4, in addition to supporting EAP TLV Extensions Method (and optionally SoH EAP Extensions Method) in the same session. """ ...so it's a bit vague, but implies that, per protocol spec, any EAP inner is acceptable. As others have noted, PEAPv0/EAP-TLS is used and usable. Whilst Microsoft clients might not support it, I see no reason PEAPv0/EAP-anything would fail, from a protocol level.
Phil Mayers wrote:
As others have noted, PEAPv0/EAP-TLS is used and usable. Whilst Microsoft clients might not support it, I see no reason PEAPv0/EAP-anything would fail, from a protocol level.
It should... but Microsoft in their infinite wisdom decided to SAVE FOUR BYTES in the inner-tunnel data. Which means it's no longer strictly EAP, but EAP minus some stuff. ... and then you need to massage the data before using it an EAP stack. Arg. Why do some people insist on making things difficult? Alan DeKok.
...so it's a bit vague, but implies that, per protocol spec, any EAP inner is acceptable.
Not to Microsoft. MS only accepts EAP-MSCHAPv2 or EAP-TLS on the inner (as Alan B originally pointed out, Microsoft refers to this as PEAP-EAP-TLS). But since EAP-TLS was not on the list of items the original poster listed (he had PAP, MSCHAP, MD5 and GTC), I left that off because there's no point in referring to something that's not in the list he has access to. Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
This is a slightly subtle question. Peap inner methods must be, and are interpreted as, eap. So "none", pap, chap and plain mschap will never work. From your debug the client is ignoring your choice in those cases and just doing eap-mschapv2. So it's basically a ui problem on your client. Eap gtc is a valid choice because it's eap. But freeradius is naking it because I guess you've not configured gtc on your eap module. So yes, fr can influence choice of eap method, but that's not what you're seeing except for gtc. If you get into what the Microsoft spec for peap days then things get even more puzzling but everyone seems to ignore that anyway, so I won't bother cluttering up the discussion... -- Sent from my mobile device, please excuse brevity and typos.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Casey Daniels -
Phil Mayers -
Stefan Paetow