Windows 8 clients can not authenticate with EAP-TTLS and PAP
Hello This is my first time posting here, so sorry if something is wrong, sorry for my English too. I have configured freeradius V3.0.4 on Centos 7 for authenticating with Mac-address and a LDAP Server, using EAP-TTLS with PAP. One week ago all the clients (Windows 7, Windows 8, Ubuntu, Android) were able to authenticate without any issues; but in last day Windows 8 clients can not authenticate. In the debug (freeradius -X) i can see the server sending an Access-Challenge but the client never respond with the an Access-request. This is the Output of the freeradius -X when the Windows 8 client try to connect: Received Access-Request Id 84 from 10.66.146.10:62781 to 10.66.150.52:1812 length 184 User-Name = 'juliop' NAS-IP-Address = 10.66.146.10 NAS-Port = 0 NAS-Identifier = '10.66.146.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'e0ca94e63751' Called-Station-Id = 'aca31ec60340' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0201000b016a756c696f70 Aruba-Essid-Name = 'riguprov' Aruba-Location-Id = 'apcdoggerC60340' Aruba-AP-Group = 'WLCZOO' Message-Authenticator = 0x2ae08657e469e194ccbd4e778e519044 (230) Received Access-Request packet from host 10.66.146.10 port 62781, id=84, length=184 (230) User-Name = 'juliop' (230) NAS-IP-Address = 10.66.146.10 (230) NAS-Port = 0 (230) NAS-Identifier = '10.66.146.10' (230) NAS-Port-Type = Wireless-802.11 (230) Calling-Station-Id = 'e0ca94e63751' (230) Called-Station-Id = 'aca31ec60340' (230) Service-Type = Login-User (230) Framed-MTU = 1100 (230) EAP-Message = 0x0201000b016a756c696f70 (230) Aruba-Essid-Name = 'riguprov' (230) Aruba-Location-Id = 'apcdoggerC60340' (230) Aruba-AP-Group = 'WLCZOO' (230) Message-Authenticator = 0x2ae08657e469e194ccbd4e778e519044 (230) # Executing section authorize from file /etc/raddb/sites-enabled/default (230) authorize { (230) filter_username filter_username { (230) if (!&User-Name) (230) if (!&User-Name) -> FALSE (230) if (&User-Name =~ / /) (230) if (&User-Name =~ / /) -> FALSE (230) if (&User-Name =~ /@.*@/ ) (230) if (&User-Name =~ /@.*@/ ) -> FALSE (230) if (&User-Name =~ /\\.\\./ ) (230) if (&User-Name =~ /\\.\\./ ) -> FALSE (230) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) (230) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) -> FALSE (230) if (&User-Name =~ /\\.$/) (230) if (&User-Name =~ /\\.$/) -> FALSE (230) if (&User-Name =~ /@\\./) (230) if (&User-Name =~ /@\\./) -> FALSE (230) } # filter_username filter_username = notfound (230) [preprocess] = ok (230) [chap] = noop (230) [mschap] = noop (230) rewrite_calling_station_id rewrite_calling_station_id { (230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (230) update request { (230) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (230) --> e0-ca-94-e6-37-51 (230) Calling-Station-Id := "e0-ca-94-e6-37-51" (230) } # update request = noop (230) [updated] = updated (230) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0- 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a- f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (230) ... skipping else for request 230: Preceding "if" was taken (230) } # rewrite_calling_station_id rewrite_calling_station_id = updated (230) authorized_macs_rigu : EXPAND %{Calling-Station-ID} (230) authorized_macs_rigu : --> e0-ca-94-e6-37-51 (230) authorized_macs_rigu : users: Matched entry e0-ca-94- e6-37-51 at line 3 (230) [authorized_macs_rigu] = ok (230) if (!ok) (230) if (!ok) -> FALSE (230) else else { (230) eap : Peer sent code Response (2) ID 1 length 11 (230) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (230) [eap] = ok (230) } # else else = ok (230) [unix] = notfound (230) [expiration] = noop (230) [logintime] = noop (230) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (230) WARNING: pap : Authentication will fail unless a "known good" password is available (230) [pap] = noop (230) if (User-Password) (230) if (User-Password) -> FALSE (230) } # authorize = updated (230) Found Auth-Type = EAP (230) # Executing group from file /etc/raddb/sites- enabled/default (230) authenticate { (230) eap : Peer sent method Identity (1) (230) eap : Calling eap_gtc to process EAP data (230) eap_gtc : EXPAND Password: (230) eap_gtc : --> Password: (230) eap : New EAP session, adding 'State' attribute to reply 0x045d7f1e045f7973 (230) [eap] = handled (230) } # authenticate = handled (230) Sending Access-Challenge packet to host 10.66.146.10 port 62781, id=84, length=0 (230) EAP-Message = 0x0102000f0650617373776f72643a20 (230) Message-Authenticator = 0x00000000000000000000000000000000 (230) State = 0x045d7f1e045f79735c746ec40219cffa Sending Access-Challenge Id 84 from 10.66.150.52:1812 to 10.66.146.10:62781 EAP-Message = 0x0102000f0650617373776f72643a20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x045d7f1e045f79735c746ec40219cffa (230) Finished request Waking up in 0.3 seconds. Received Access-Request Id 85 from 10.66.146.10:62781 to 10.66.150.52:1812 length 197 User-Name = 'juliop' NAS-IP-Address = 10.66.146.10 NAS-Port = 0 NAS-Identifier = '10.66.146.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'e0ca94e63751' Called-Station-Id = 'aca31ec60340' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020200060315 State = 0x045d7f1e045f79735c746ec40219cffa Aruba-Essid-Name = 'riguprov' Aruba-Location-Id = 'apcdoggerC60340' Aruba-AP-Group = 'WLCZOO' Message-Authenticator = 0xd50b45437d77af44008db8418d48efe9 (231) Received Access-Request packet from host 10.66.146.10 port 62781, id=85, length=197 (231) User-Name = 'juliop' (231) NAS-IP-Address = 10.66.146.10 (231) NAS-Port = 0 (231) NAS-Identifier = '10.66.146.10' (231) NAS-Port-Type = Wireless-802.11 (231) Calling-Station-Id = 'e0ca94e63751' (231) Called-Station-Id = 'aca31ec60340' (231) Service-Type = Login-User (231) Framed-MTU = 1100 (231) EAP-Message = 0x020200060315 (231) State = 0x045d7f1e045f79735c746ec40219cffa (231) Aruba-Essid-Name = 'riguprov' (231) Aruba-Location-Id = 'apcdoggerC60340' (231) Aruba-AP-Group = 'WLCZOO' (231) Message-Authenticator = 0xd50b45437d77af44008db8418d48efe9 (231) # Executing section authorize from file /etc/raddb/sites-enabled/default (231) authorize { (231) filter_username filter_username { (231) if (!&User-Name) (231) if (!&User-Name) -> FALSE (231) if (&User-Name =~ / /) (231) if (&User-Name =~ / /) -> FALSE (231) if (&User-Name =~ /@.*@/ ) (231) if (&User-Name =~ /@.*@/ ) -> FALSE (231) if (&User-Name =~ /\\.\\./ ) (231) if (&User-Name =~ /\\.\\./ ) -> FALSE (231) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) (231) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) -> FALSE (231) if (&User-Name =~ /\\.$/) (231) if (&User-Name =~ /\\.$/) -> FALSE (231) if (&User-Name =~ /@\\./) (231) if (&User-Name =~ /@\\./) -> FALSE (231) } # filter_username filter_username = notfound (231) [preprocess] = ok (231) [chap] = noop (231) [mschap] = noop (231) rewrite_calling_station_id rewrite_calling_station_id { (231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (231) update request { (231) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (231) --> e0-ca-94-e6-37-51 (231) Calling-Station-Id := "e0-ca-94-e6-37-51" (231) } # update request = noop (231) [updated] = updated (231) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0- 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a- f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (231) ... skipping else for request 231: Preceding "if" was taken (231) } # rewrite_calling_station_id rewrite_calling_station_id = updated (231) authorized_macs_rigu : EXPAND %{Calling-Station-ID} (231) authorized_macs_rigu : --> e0-ca-94-e6-37-51 (231) authorized_macs_rigu : users: Matched entry e0-ca-94- e6-37-51 at line 3 (231) [authorized_macs_rigu] = ok (231) if (!ok) (231) if (!ok) -> FALSE (231) else else { (231) eap : Peer sent code Response (2) ID 2 length 6 (231) eap : No EAP Start, assuming it's an on-going EAP conversation (231) [eap] = updated (231) } # else else = updated (231) [unix] = notfound (231) [expiration] = noop (231) [logintime] = noop (231) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (231) WARNING: pap : Authentication will fail unless a "known good" password is available (231) [pap] = noop (231) if (User-Password) (231) if (User-Password) -> FALSE (231) } # authorize = updated (231) Found Auth-Type = EAP (231) # Executing group from file /etc/raddb/sites- enabled/default (231) authenticate { (231) eap : Expiring EAP session with state 0xa5b12d7ba0b63875 (231) eap : Expiring EAP session with state 0x045d7f1e045f7973 (231) eap : Finished EAP session with state 0x045d7f1e045f7973 (231) eap : Previous EAP request found for state 0x045d7f1e045f7973, released from the list (231) eap : Peer sent method NAK (3) (231) eap : Found mutually acceptable type TTLS (21) (231) eap : Calling eap_ttls to process EAP data (231) eap_ttls : Initiate (231) eap_ttls : Start returned 1 (231) eap : New EAP session, adding 'State' attribute to reply 0x045d7f1e055e6a73 (231) [eap] = handled (231) } # authenticate = handled (231) Sending Access-Challenge packet to host 10.66.146.10 port 62781, id=85, length=0 (231) EAP-Message = 0x010300061520 (231) Message-Authenticator = 0x00000000000000000000000000000000 (231) State = 0x045d7f1e055e6a735c746ec40219cffa Sending Access-Challenge Id 85 from 10.66.150.52:1812 to 10.66.146.10:62781 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x045d7f1e055e6a735c746ec40219cffa (231) Finished request Waking up in 0.3 seconds. Received Access-Request Id 86 from 10.66.146.10:62781 to 10.66.150.52:1812 length 300 User-Name = 'juliop' NAS-IP-Address = 10.66.146.10 NAS-Port = 0 NAS-Identifier = '10.66.146.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'e0ca94e63751' Called-Station-Id = 'aca31ec60340' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0203006d158000000063160301005e0100005a030155ca1e1527cd64549 1215c4d26942596749837856c75f293e184b19096f7d8e1000018002f0035 0005000ac013c014c009c00a003200380013000401000019ff01000100000 a0006000400170018000b0002010000230000 State = 0x045d7f1e055e6a735c746ec40219cffa Aruba-Essid-Name = 'riguprov' Aruba-Location-Id = 'apcdoggerC60340' Aruba-AP-Group = 'WLCZOO' Message-Authenticator = 0xe1de6209c504840cb7a94ab08a4646f2 (232) Received Access-Request packet from host 10.66.146.10 port 62781, id=86, length=300 (232) User-Name = 'juliop' (232) NAS-IP-Address = 10.66.146.10 (232) NAS-Port = 0 (232) NAS-Identifier = '10.66.146.10' (232) NAS-Port-Type = Wireless-802.11 (232) Calling-Station-Id = 'e0ca94e63751' (232) Called-Station-Id = 'aca31ec60340' (232) Service-Type = Login-User (232) Framed-MTU = 1100 (232) EAP-Message = 0x0203006d158000000063160301005e0100005a030155ca1e1527cd64549 1215c4d26942596749837856c75f293e184b19096f7d8e1000018002f0035 0005000ac013c014c009c00a003200380013000401000019ff01000100000 a0006000400170018000b0002010000230000 (232) State = 0x045d7f1e055e6a735c746ec40219cffa (232) Aruba-Essid-Name = 'riguprov' (232) Aruba-Location-Id = 'apcdoggerC60340' (232) Aruba-AP-Group = 'WLCZOO' (232) Message-Authenticator = 0xe1de6209c504840cb7a94ab08a4646f2 (232) # Executing section authorize from file /etc/raddb/sites-enabled/default (232) authorize { (232) filter_username filter_username { (232) if (!&User-Name) (232) if (!&User-Name) -> FALSE (232) if (&User-Name =~ / /) (232) if (&User-Name =~ / /) -> FALSE (232) if (&User-Name =~ /@.*@/ ) (232) if (&User-Name =~ /@.*@/ ) -> FALSE (232) if (&User-Name =~ /\\.\\./ ) (232) if (&User-Name =~ /\\.\\./ ) -> FALSE (232) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) (232) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) -> FALSE (232) if (&User-Name =~ /\\.$/) (232) if (&User-Name =~ /\\.$/) -> FALSE (232) if (&User-Name =~ /@\\./) (232) if (&User-Name =~ /@\\./) -> FALSE (232) } # filter_username filter_username = notfound (232) [preprocess] = ok (232) [chap] = noop (232) [mschap] = noop (232) rewrite_calling_station_id rewrite_calling_station_id { (232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (232) update request { (232) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (232) --> e0-ca-94-e6-37-51 (232) Calling-Station-Id := "e0-ca-94-e6-37-51" (232) } # update request = noop (232) [updated] = updated (232) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0- 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a- f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (232) ... skipping else for request 232: Preceding "if" was taken (232) } # rewrite_calling_station_id rewrite_calling_station_id = updated (232) authorized_macs_rigu : EXPAND %{Calling-Station-ID} (232) authorized_macs_rigu : --> e0-ca-94-e6-37-51 (232) authorized_macs_rigu : users: Matched entry e0-ca-94- e6-37-51 at line 3 (232) [authorized_macs_rigu] = ok (232) if (!ok) (232) if (!ok) -> FALSE (232) else else { (232) eap : Peer sent code Response (2) ID 3 length 109 (232) eap : Continuing tunnel setup (232) [eap] = ok (232) } # else else = ok (232) [unix] = notfound (232) [expiration] = noop (232) [logintime] = noop (232) [pap] = noop (232) if (User-Password) (232) if (User-Password) -> FALSE (232) } # authorize = updated (232) Found Auth-Type = EAP (232) # Executing group from file /etc/raddb/sites- enabled/default (232) authenticate { (232) eap : Expiring EAP session with state 0x045d7f1e055e6a73 (232) eap : Finished EAP session with state 0x045d7f1e055e6a73 (232) eap : Previous EAP request found for state 0x045d7f1e055e6a73, released from the list (232) eap : Peer sent method TTLS (21) (232) eap : EAP TTLS (21) (232) eap : Calling eap_ttls to process EAP data (232) eap_ttls : Authenticate (232) eap_ttls : processing EAP-TLS TLS Length 99 (232) eap_ttls : Length Included (232) eap_ttls : eaptls_verify returned 11 (232) eap_ttls : (other): before/accept initialization (232) eap_ttls : TLS_accept: before/accept initialization (232) eap_ttls : <<< TLS 1.0 Handshake [length 005e], ClientHello (232) eap_ttls : TLS_accept: SSLv3 read client hello A (232) eap_ttls : >>> TLS 1.0 Handshake [length 0051], ServerHello (232) eap_ttls : TLS_accept: SSLv3 write server hello A (232) eap_ttls : >>> TLS 1.0 Handshake [length 08d0], Certificate (232) eap_ttls : TLS_accept: SSLv3 write certificate A (232) eap_ttls : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (232) eap_ttls : TLS_accept: SSLv3 write server done A (232) eap_ttls : TLS_accept: SSLv3 flush data (232) eap_ttls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (232) eap_ttls : eaptls_process returned 13 (232) eap : New EAP session, adding 'State' attribute to reply 0x045d7f1e06596a73 (232) [eap] = handled (232) } # authenticate = handled (232) Sending Access-Challenge packet to host 10.66.146.10 port 62781, id=86, length=0 (232) EAP-Message = 0x010403ec15c00000093416030100510200004d030155ca2598dd8c3b53d f8b24bf7fdcef8d8deaea8c43cce6b8ce3d002e31400bce204c2e39d34510 36f48b4baafb453941ca4904c6858af2168a40acf8a26672e307002f00000 5ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003 020102020101300d06092a864886f70d01010b0500308193310b300906035 5040613024652310f300d0603550408130652616469757331123010060355 04071309536f6d65776865726531153013060355040a130c4578616d706c6 520496e632e3120301e06092a864886f70d010901161161646d696e406578 616d706c652e636f6d312630240603550403131d4578616d706c652043657 2746966696361746520417574686f72697479301e170d3135303630333135 323831355a170d3135303830323135323831355a307c310b3009060355040 613024652310f300d0603550408130652616469757331153013060355040a 130c4578616d706c6520496e632e312330210603550403131a4578616d706 c65205365727665722043657274696669636174653120301e06092a864886 f70d010901161161646d696e406578616d706c652e636f6d30820122300d0 6092a864886f70d01010105000382010f003082010a0282010100d25092ad a62933bf922ec8bdd20f51d230edb578 (232) Message-Authenticator = 0x00000000000000000000000000000000 (232) State = 0x045d7f1e06596a735c746ec40219cffa Sending Access-Challenge Id 86 from 10.66.150.52:1812 to 10.66.146.10:62781 EAP-Message = 0x010403ec15c00000093416030100510200004d030155ca2598dd8c3b53d f8b24bf7fdcef8d8deaea8c43cce6b8ce3d002e31400bce204c2e39d34510 36f48b4baafb453941ca4904c6858af2168a40acf8a26672e307002f00000 5ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003 020102020101300d06092a864886f70d01010b0500308193310b300906035 5040613024652310f300d0603550408130652616469757331123010060355 04071309536f6d65776865726531153013060355040a130c4578616d706c6 520496e632e3120301e06092a864886f70d010901161161646d696e406578 616d706c652e636f6d312630240603550403131d4578616d706c652043657 2746966696361746520417574686f72697479301e170d3135303630333135 323831355a170d3135303830323135323831355a307c310b3009060355040 613024652310f300d0603550408130652616469757331153013060355040a 130c4578616d706c6520496e632e312330210603550403131a4578616d706 c65205365727665722043657274696669636174653120301e06092a864886 f70d010901161161646d696e406578616d706c652e636f6d30820122300d0 6092a864886f70d01010105000382010f003082010a0282010100d25092ad a62933bf922ec8bdd20f51d230edb57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x045d7f1e06596a735c746ec40219cffa (232) Finished request Waking up in 0.2 seconds. Received Access-Request Id 87 from 10.66.146.10:62781 to 10.66.150.52:1812 length 197 User-Name = 'juliop' NAS-IP-Address = 10.66.146.10 NAS-Port = 0 NAS-Identifier = '10.66.146.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'e0ca94e63751' Called-Station-Id = 'aca31ec60340' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020400061500 State = 0x045d7f1e06596a735c746ec40219cffa Aruba-Essid-Name = 'riguprov' Aruba-Location-Id = 'apcdoggerC60340' Aruba-AP-Group = 'WLCZOO' Message-Authenticator = 0xbb89e26656fbb3e2d883d37f1f809264 (233) Received Access-Request packet from host 10.66.146.10 port 62781, id=87, length=197 (233) User-Name = 'juliop' (233) NAS-IP-Address = 10.66.146.10 (233) NAS-Port = 0 (233) NAS-Identifier = '10.66.146.10' (233) NAS-Port-Type = Wireless-802.11 (233) Calling-Station-Id = 'e0ca94e63751' (233) Called-Station-Id = 'aca31ec60340' (233) Service-Type = Login-User (233) Framed-MTU = 1100 (233) EAP-Message = 0x020400061500 (233) State = 0x045d7f1e06596a735c746ec40219cffa (233) Aruba-Essid-Name = 'riguprov' (233) Aruba-Location-Id = 'apcdoggerC60340' (233) Aruba-AP-Group = 'WLCZOO' (233) Message-Authenticator = 0xbb89e26656fbb3e2d883d37f1f809264 (233) # Executing section authorize from file /etc/raddb/sites-enabled/default (233) authorize { (233) filter_username filter_username { (233) if (!&User-Name) (233) if (!&User-Name) -> FALSE (233) if (&User-Name =~ / /) (233) if (&User-Name =~ / /) -> FALSE (233) if (&User-Name =~ /@.*@/ ) (233) if (&User-Name =~ /@.*@/ ) -> FALSE (233) if (&User-Name =~ /\\.\\./ ) (233) if (&User-Name =~ /\\.\\./ ) -> FALSE (233) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) (233) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) -> FALSE (233) if (&User-Name =~ /\\.$/) (233) if (&User-Name =~ /\\.$/) -> FALSE (233) if (&User-Name =~ /@\\./) (233) if (&User-Name =~ /@\\./) -> FALSE (233) } # filter_username filter_username = notfound (233) [preprocess] = ok (233) [chap] = noop (233) [mschap] = noop (233) rewrite_calling_station_id rewrite_calling_station_id { (233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (233) update request { (233) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (233) --> e0-ca-94-e6-37-51 (233) Calling-Station-Id := "e0-ca-94-e6-37-51" (233) } # update request = noop (233) [updated] = updated (233) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0- 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a- f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (233) ... skipping else for request 233: Preceding "if" was taken (233) } # rewrite_calling_station_id rewrite_calling_station_id = updated (233) authorized_macs_rigu : EXPAND %{Calling-Station-ID} (233) authorized_macs_rigu : --> e0-ca-94-e6-37-51 (233) authorized_macs_rigu : users: Matched entry e0-ca-94- e6-37-51 at line 3 (233) [authorized_macs_rigu] = ok (233) if (!ok) (233) if (!ok) -> FALSE (233) else else { (233) eap : Peer sent code Response (2) ID 4 length 6 (233) eap : Continuing tunnel setup (233) [eap] = ok (233) } # else else = ok (233) [unix] = notfound (233) [expiration] = noop (233) [logintime] = noop (233) [pap] = noop (233) if (User-Password) (233) if (User-Password) -> FALSE (233) } # authorize = updated (233) Found Auth-Type = EAP (233) # Executing group from file /etc/raddb/sites- enabled/default (233) authenticate { (233) eap : Expiring EAP session with state 0x045d7f1e06596a73 (233) eap : Finished EAP session with state 0x045d7f1e06596a73 (233) eap : Previous EAP request found for state 0x045d7f1e06596a73, released from the list (233) eap : Peer sent method TTLS (21) (233) eap : EAP TTLS (21) (233) eap : Calling eap_ttls to process EAP data (233) eap_ttls : Authenticate (233) eap_ttls : processing EAP-TLS (233) eap_ttls : Received TLS ACK (233) eap_ttls : Received TLS ACK (233) eap_ttls : ACK handshake fragment handler (233) eap_ttls : eaptls_verify returned 1 (233) eap_ttls : eaptls_process returned 13 (233) eap : New EAP session, adding 'State' attribute to reply 0x045d7f1e07586a73 (233) [eap] = handled (233) } # authenticate = handled (233) Sending Access-Challenge packet to host 10.66.146.10 port 62781, id=87, length=0 (233) EAP-Message = 0x010503ec15c0000009344cbf2bce7c2d153e57a0ae308d0085a8c641d1b d8a274505d2dff596d77bab57bb54c46518f80b78d2f3705a8a11706a2781 a6dcd17a902e2b4eaa13cd5fa68fe7a8c94257d645fc967bbde06b931ebed 475aa096ef3342df2b5ede54f115db3df0004e5308204e1308203c9a00302 01020209009552ff70bc0159d9300d06092a864886f70d010105050030819 3310b3009060355040613024652310f300d06035504081306526164697573 3112301006035504071309536f6d65776865726531153013060355040a130 c4578616d706c6520496e632e3120301e06092a864886f70d010901161161 646d696e406578616d706c652e636f6d312630240603550403131d4578616 d706c6520436572746966696361746520417574686f72697479301e170d31 35303630333135323831355a170d3135303830323135323831355a3081933 10b3009060355040613024652310f300d0603550408130652616469757331 12301006035504071309536f6d65776865726531153013060355040a130c4 578616d706c6520496e632e3120301e06092a864886f70d01090116116164 6d696e406578616d706c652e636f6d312630240603550403131d4578616d7 06c6520436572746966696361746520417574686f7269747930820122300d 06092a864886f70d0101010500038201 (233) Message-Authenticator = 0x00000000000000000000000000000000 (233) State = 0x045d7f1e07586a735c746ec40219cffa Sending Access-Challenge Id 87 from 10.66.150.52:1812 to 10.66.146.10:62781 EAP-Message = 0x010503ec15c0000009344cbf2bce7c2d153e57a0ae308d0085a8c641d1b d8a274505d2dff596d77bab57bb54c46518f80b78d2f3705a8a11706a2781 a6dcd17a902e2b4eaa13cd5fa68fe7a8c94257d645fc967bbde06b931ebed 475aa096ef3342df2b5ede54f115db3df0004e5308204e1308203c9a00302 01020209009552ff70bc0159d9300d06092a864886f70d010105050030819 3310b3009060355040613024652310f300d06035504081306526164697573 3112301006035504071309536f6d65776865726531153013060355040a130 c4578616d706c6520496e632e3120301e06092a864886f70d010901161161 646d696e406578616d706c652e636f6d312630240603550403131d4578616 d706c6520436572746966696361746520417574686f72697479301e170d31 35303630333135323831355a170d3135303830323135323831355a3081933 10b3009060355040613024652310f300d0603550408130652616469757331 12301006035504071309536f6d65776865726531153013060355040a130c4 578616d706c6520496e632e3120301e06092a864886f70d01090116116164 6d696e406578616d706c652e636f6d312630240603550403131d4578616d7 06c6520436572746966696361746520417574686f7269747930820122300d 06092a864886f70d010101050003820 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x045d7f1e07586a735c746ec40219cffa (233) Finished request Waking up in 0.1 seconds. Received Access-Request Id 88 from 10.66.146.10:62781 to 10.66.150.52:1812 length 197 User-Name = 'juliop' NAS-IP-Address = 10.66.146.10 NAS-Port = 0 NAS-Identifier = '10.66.146.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'e0ca94e63751' Called-Station-Id = 'aca31ec60340' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020500061500 State = 0x045d7f1e07586a735c746ec40219cffa Aruba-Essid-Name = 'riguprov' Aruba-Location-Id = 'apcdoggerC60340' Aruba-AP-Group = 'WLCZOO' Message-Authenticator = 0x2167af66b4077bc2ada6d8cc82632788 (234) Received Access-Request packet from host 10.66.146.10 port 62781, id=88, length=197 (234) User-Name = 'juliop' (234) NAS-IP-Address = 10.66.146.10 (234) NAS-Port = 0 (234) NAS-Identifier = '10.66.146.10' (234) NAS-Port-Type = Wireless-802.11 (234) Calling-Station-Id = 'e0ca94e63751' (234) Called-Station-Id = 'aca31ec60340' (234) Service-Type = Login-User (234) Framed-MTU = 1100 (234) EAP-Message = 0x020500061500 (234) State = 0x045d7f1e07586a735c746ec40219cffa (234) Aruba-Essid-Name = 'riguprov' (234) Aruba-Location-Id = 'apcdoggerC60340' (234) Aruba-AP-Group = 'WLCZOO' (234) Message-Authenticator = 0x2167af66b4077bc2ada6d8cc82632788 (234) # Executing section authorize from file /etc/raddb/sites-enabled/default (234) authorize { (234) filter_username filter_username { (234) if (!&User-Name) (234) if (!&User-Name) -> FALSE (234) if (&User-Name =~ / /) (234) if (&User-Name =~ / /) -> FALSE (234) if (&User-Name =~ /@.*@/ ) (234) if (&User-Name =~ /@.*@/ ) -> FALSE (234) if (&User-Name =~ /\\.\\./ ) (234) if (&User-Name =~ /\\.\\./ ) -> FALSE (234) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) (234) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) -> FALSE (234) if (&User-Name =~ /\\.$/) (234) if (&User-Name =~ /\\.$/) -> FALSE (234) if (&User-Name =~ /@\\./) (234) if (&User-Name =~ /@\\./) -> FALSE (234) } # filter_username filter_username = notfound (234) [preprocess] = ok (234) [chap] = noop (234) [mschap] = noop (234) rewrite_calling_station_id rewrite_calling_station_id { (234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (234) update request { (234) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (234) --> e0-ca-94-e6-37-51 (234) Calling-Station-Id := "e0-ca-94-e6-37-51" (234) } # update request = noop (234) [updated] = updated (234) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0- 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a- f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (234) ... skipping else for request 234: Preceding "if" was taken (234) } # rewrite_calling_station_id rewrite_calling_station_id = updated (234) authorized_macs_rigu : EXPAND %{Calling-Station-ID} (234) authorized_macs_rigu : --> e0-ca-94-e6-37-51 (234) authorized_macs_rigu : users: Matched entry e0-ca-94- e6-37-51 at line 3 (234) [authorized_macs_rigu] = ok (234) if (!ok) (234) if (!ok) -> FALSE (234) else else { (234) eap : Peer sent code Response (2) ID 5 length 6 (234) eap : Continuing tunnel setup (234) [eap] = ok (234) } # else else = ok (234) [unix] = notfound (234) [expiration] = noop (234) [logintime] = noop (234) [pap] = noop (234) if (User-Password) (234) if (User-Password) -> FALSE (234) } # authorize = updated (234) Found Auth-Type = EAP (234) # Executing group from file /etc/raddb/sites- enabled/default (234) authenticate { (234) eap : Expiring EAP session with state 0x045d7f1e07586a73 (234) eap : Finished EAP session with state 0x045d7f1e07586a73 (234) eap : Previous EAP request found for state 0x045d7f1e07586a73, released from the list (234) eap : Peer sent method TTLS (21) (234) eap : EAP TTLS (21) (234) eap : Calling eap_ttls to process EAP data (234) eap_ttls : Authenticate (234) eap_ttls : processing EAP-TLS (234) eap_ttls : Received TLS ACK (234) eap_ttls : Received TLS ACK (234) eap_ttls : ACK handshake fragment handler (234) eap_ttls : eaptls_verify returned 1 (234) eap_ttls : eaptls_process returned 13 (234) eap : New EAP session, adding 'State' attribute to reply 0x045d7f1e005b6a73 (234) [eap] = handled (234) } # authenticate = handled (234) Sending Access-Challenge packet to host 10.66.146.10 port 62781, id=88, length=0 (234) EAP-Message = 0x0106017a15800000093474798209009552ff70bc0159d9300c0603551d1 3040530030101ff30360603551d1f042f302d302ba029a027862568747470 3a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e6 3726c300d06092a864886f70d0101050500038201010017b5b9c2cb8ddbd3 35e4580acb8d0d84c69239921370dc5da9ccd6a3876942c071f1f0e6ebda4 1cf972acc79fe6d2185259060ff1f3d4389df26179837357db62e8e69faf9 8aa9cf9504110d389aafc6d21c23cdc83e952b958b92eab43fc55e622f1c0 fd468e3ef2a9750e502d3148c44b7d3f4ae959592de1a2c96d9ae6a4fe68c de5a96ae933de7fcc77bcb3f591a2a74cb3331199334067d682cd4bf0190c 571c1d4e290aa945e3d69a58da89eaa7fd993981db116333ba66a1df2b9ca 30b8c6cca5c3ab9b2b9f756be3a2de9426450fdaa2363b16f32982e48d8f4 5009bbe7fb217585fc69a5b0540d0fd279a0737a4f87323e36213f5ffa8e3 3f1472ad16030100040e000000 (234) Message-Authenticator = 0x00000000000000000000000000000000 (234) State = 0x045d7f1e005b6a735c746ec40219cffa Sending Access-Challenge Id 88 from 10.66.150.52:1812 to 10.66.146.10:62781 EAP-Message = 0x0106017a15800000093474798209009552ff70bc0159d9300c0603551d1 3040530030101ff30360603551d1f042f302d302ba029a027862568747470 3a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e6 3726c300d06092a864886f70d0101050500038201010017b5b9c2cb8ddbd3 35e4580acb8d0d84c69239921370dc5da9ccd6a3876942c071f1f0e6ebda4 1cf972acc79fe6d2185259060ff1f3d4389df26179837357db62e8e69faf9 8aa9cf9504110d389aafc6d21c23cdc83e952b958b92eab43fc55e622f1c0 fd468e3ef2a9750e502d3148c44b7d3f4ae959592de1a2c96d9ae6a4fe68c de5a96ae933de7fcc77bcb3f591a2a74cb3331199334067d682cd4bf0190c 571c1d4e290aa945e3d69a58da89eaa7fd993981db116333ba66a1df2b9ca 30b8c6cca5c3ab9b2b9f756be3a2de9426450fdaa2363b16f32982e48d8f4 5009bbe7fb217585fc69a5b0540d0fd279a0737a4f87323e36213f5ffa8e3 3f1472ad16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x045d7f1e005b6a735c746ec40219cffa (234) Finished request Received Access-Request Id 89 from 10.66.146.10:62781 to 10.66.150.52:1812 length 529 User-Name = 'juliop' NAS-IP-Address = 10.66.146.10 NAS-Port = 0 NAS-Identifier = '10.66.146.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'e0ca94e63751' Called-Station-Id = 'aca31ec60340' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0206015015800000014616030101061000010201006c9734bf98617e57a b336a9d59387e12409cdad2e5bfeaaaf0812f8a833959718d95e404b1c66b c1ac158cc842455fb0a9d372bfc66b9999fe43846d272fe2fc937eeb8fdb4 0f43401765ad3738e2b85b6d30046bfb9393df1bfdc28bca11813b7ec357e e12d13cbaa40e50cf3ba71b192f5388a302c1ec8d81e85818bcdaab72e635 ca1b3628976700cd08dd3260ca9a122222cef2a02e81c9a5c580d01904ba2 931a9612aace62f032c266a79dff97a32209d5d533d9df10791b577b1d6be 50ce7028424f4e798a3320bb4704bec54ecf9ad4b8f3bf2d8267f28da3e54 01c297c0f9e75851eaed8c1fbe6be017ae2ae1ab72a4be278a3a6976a0a22 a06eaa01403010001011603010030ff73e273aa3d537ab4e6a47049ac6761 52dfe2d2f524602e360b0eac392a1ec6faad956c0ed816a71e552178e740f 706 State = 0x045d7f1e005b6a735c746ec40219cffa Aruba-Essid-Name = 'riguprov' Aruba-Location-Id = 'apcdoggerC60340' Aruba-AP-Group = 'WLCZOO' Message-Authenticator = 0xb3ee38765ea4f5290b0ec7501bf5c911 (235) Received Access-Request packet from host 10.66.146.10 port 62781, id=89, length=529 (235) User-Name = 'juliop' (235) NAS-IP-Address = 10.66.146.10 (235) NAS-Port = 0 (235) NAS-Identifier = '10.66.146.10' (235) NAS-Port-Type = Wireless-802.11 (235) Calling-Station-Id = 'e0ca94e63751' (235) Called-Station-Id = 'aca31ec60340' (235) Service-Type = Login-User (235) Framed-MTU = 1100 (235) EAP-Message = 0x0206015015800000014616030101061000010201006c9734bf98617e57a b336a9d59387e12409cdad2e5bfeaaaf0812f8a833959718d95e404b1c66b c1ac158cc842455fb0a9d372bfc66b9999fe43846d272fe2fc937eeb8fdb4 0f43401765ad3738e2b85b6d30046bfb9393df1bfdc28bca11813b7ec357e e12d13cbaa40e50cf3ba71b192f5388a302c1ec8d81e85818bcdaab72e635 ca1b3628976700cd08dd3260ca9a122222cef2a02e81c9a5c580d01904ba2 931a9612aace62f032c266a79dff97a32209d5d533d9df10791b577b1d6be 50ce7028424f4e798a3320bb4704bec54ecf9ad4b8f3bf2d8267f28da3e54 01c297c0f9e75851eaed8c1fbe6be017ae2ae1ab72a4be278a3a6976a0a22 a06eaa01403010001011603010030ff73e273aa3d537ab4e6a47049ac6761 52dfe2d2f524602e360b0eac392a1ec6faad956c0ed816a71e552178e740f 706 (235) State = 0x045d7f1e005b6a735c746ec40219cffa (235) Aruba-Essid-Name = 'riguprov' (235) Aruba-Location-Id = 'apcdoggerC60340' (235) Aruba-AP-Group = 'WLCZOO' (235) Message-Authenticator = 0xb3ee38765ea4f5290b0ec7501bf5c911 (235) # Executing section authorize from file /etc/raddb/sites-enabled/default (235) authorize { (235) filter_username filter_username { (235) if (!&User-Name) (235) if (!&User-Name) -> FALSE (235) if (&User-Name =~ / /) (235) if (&User-Name =~ / /) -> FALSE (235) if (&User-Name =~ /@.*@/ ) (235) if (&User-Name =~ /@.*@/ ) -> FALSE (235) if (&User-Name =~ /\\.\\./ ) (235) if (&User-Name =~ /\\.\\./ ) -> FALSE (235) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) (235) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\ \.(.+)$/)) -> FALSE (235) if (&User-Name =~ /\\.$/) (235) if (&User-Name =~ /\\.$/) -> FALSE (235) if (&User-Name =~ /@\\./) (235) if (&User-Name =~ /@\\./) -> FALSE (235) } # filter_username filter_username = notfound (235) [preprocess] = ok (235) [chap] = noop (235) [mschap] = noop (235) rewrite_calling_station_id rewrite_calling_station_id { (235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) (235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE (235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a- f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f] {2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) { (235) update request { (235) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (235) --> e0-ca-94-e6-37-51 (235) Calling-Station-Id := "e0-ca-94-e6-37-51" (235) } # update request = noop (235) [updated] = updated (235) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0- 9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a- f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated (235) ... skipping else for request 235: Preceding "if" was taken (235) } # rewrite_calling_station_id rewrite_calling_station_id = updated (235) authorized_macs_rigu : EXPAND %{Calling-Station-ID} (235) authorized_macs_rigu : --> e0-ca-94-e6-37-51 (235) authorized_macs_rigu : users: Matched entry e0-ca-94- e6-37-51 at line 3 (235) [authorized_macs_rigu] = ok (235) if (!ok) (235) if (!ok) -> FALSE (235) else else { (235) eap : Peer sent code Response (2) ID 6 length 336 (235) eap : Continuing tunnel setup (235) [eap] = ok (235) } # else else = ok (235) [unix] = notfound (235) [expiration] = noop (235) [logintime] = noop (235) [pap] = noop (235) if (User-Password) (235) if (User-Password) -> FALSE (235) } # authorize = updated (235) Found Auth-Type = EAP (235) # Executing group from file /etc/raddb/sites- enabled/default (235) authenticate { (235) eap : Expiring EAP session with state 0x045d7f1e005b6a73 (235) eap : Finished EAP session with state 0x045d7f1e005b6a73 (235) eap : Previous EAP request found for state 0x045d7f1e005b6a73, released from the list (235) eap : Peer sent method TTLS (21) (235) eap : EAP TTLS (21) (235) eap : Calling eap_ttls to process EAP data (235) eap_ttls : Authenticate (235) eap_ttls : processing EAP-TLS TLS Length 326 (235) eap_ttls : Length Included (235) eap_ttls : eaptls_verify returned 11 (235) eap_ttls : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange (235) eap_ttls : TLS_accept: SSLv3 read client key exchange A (235) eap_ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (235) eap_ttls : <<< TLS 1.0 Handshake [length 0010], Finished (235) eap_ttls : TLS_accept: SSLv3 read finished A (235) eap_ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (235) eap_ttls : TLS_accept: SSLv3 write change cipher spec A (235) eap_ttls : >>> TLS 1.0 Handshake [length 0010], Finished (235) eap_ttls : TLS_accept: SSLv3 write finished A (235) eap_ttls : TLS_accept: SSLv3 flush data SSL: adding session 4c2e39d3451036f48b4baafb453941ca4904c6858af2168a40acf8a26672e 307 to cache (235) eap_ttls : (other): SSL negotiation finished successfully SSL Connection Established (235) eap_ttls : eaptls_process returned 13 (235) eap : New EAP session, adding 'State' attribute to reply 0x045d7f1e015a6a73 (235) [eap] = handled (235) } # authenticate = handled (235) Sending Access-Challenge packet to host 10.66.146.10 port 62781, id=89, length=0 (235) EAP-Message = 0x0107004515800000003b14030100010116030100308e3794c96fb4750fe 302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec 70aed233037220d0a1 (235) Message-Authenticator = 0x00000000000000000000000000000000 (235) State = 0x045d7f1e015a6a735c746ec40219cffa Sending Access-Challenge Id 89 from 10.66.150.52:1812 to 10.66.146.10:62781 EAP-Message = 0x0107004515800000003b14030100010116030100308e3794c96fb4750fe 302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec 70aed233037220d0a1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x045d7f1e015a6a735c746ec40219cffa (235) Finished request Waking up in 0.1 seconds. Waking up in 4.3 seconds. (230) Cleaning up request packet ID 84 with timestamp +8048 (231) Cleaning up request packet ID 85 with timestamp +8048 (232) Cleaning up request packet ID 86 with timestamp +8048 Waking up in 0.1 seconds. (233) Cleaning up request packet ID 87 with timestamp +8049 (234) Cleaning up request packet ID 88 with timestamp +8049 (235) Cleaning up request packet ID 89 with timestamp +8049 Waking up in 3994804.7 seconds. I'll be very grateful if anyone can help me. if a configuration file is required, just ask me Thanks Again. Cristian M.
So. ..what has changed? Freeradius config change? Clients patched? Server patched? LDAP server adjusted? alan
Thanks for your answer Alan. That is the issue, nothing has changed. I suppose it's possible the client has received a windows update. What I really want to know is why the Windows 8 clients are not responding to the server’s challenge.
Hi,
Thanks for your answer Alan.
That is the issue, nothing has changed. I suppose it's possible the client has received a windows update. What I really want to know is why the Windows 8 clients are not responding to the server’s challenge.
you might be able to turn on further debugging on the Windows side... you might also want to check the Windows system to check its settings and ensure that your RADIUS servers CA is still known to the system. you might also want to use a standard tool such as eapol_test (part of WPA supplicant package) to verify correct EAP-TTLS/PAP behaviour. you say nothing has changed - I challenge that - have you kept your config in some form of revision repository or have a known working configuration to compare it to? if anything has occurred on the server - like an SELinux update or OpenSSL update then that would also affect things (look in the YUM log to see whats gone on?) alan
On Tue, Aug 11, 2015 at 04:23:52PM +0000, Cristian Munera wrote:
This is my first time posting here, so sorry if something is wrong, sorry for my English too.
Your English is good.
authenticate. In the debug (freeradius -X) i can see the server sending an Access-Challenge but the client never respond with the an Access-request.
You need to look at the logs on the client to see why it gave up responding. As Alan has said, *something* has obviously changed, as it was working before. So the problem is to find out what, and fix that. Windows issues are usually the server certificate missing the TLS Server oid, but I'm assuming that is present if it is working with Win7 now, and was working with Win8 before. Please also fix your e-mail client so that it doesn't mangle text at 60 columns. The debug output you posted is _really_ hard to read. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Cristian Munera -
Matthew Newton