"WARNING: !! EAP session for state ... did not finish!", And Other Warnings
Hi All, FreeRADIUS v2.2.9 So I successfully upgraded to 2.2.9, via the Launchpad. (Thanks, Fajar!) Now the test MS-Win7 Pro laptop complains that it can't connect, but does, anyway. Windows. Go figure. Running the service with -X, I see: WARNING: !! EAP session for state ... did not finish! Now the Wiki claims this is because of certificate problems. But if that's so: Why have I never experienced this with the exact same clients with FreeRADIUS 1.1.1 and certs generated the exact same way? Found this: http://lists.freeradius.org/pipermail/freeradius-users/2011-October/056497.h... But no clue what "the cause was an MTU issue." The only mention on the Wiki page is a cryptic "Consider to decreasing the tunnel MTU" with no clue as to how that might be accomplished. Searching on the question results in "You don't." Saw a suggestion from Alan DeKok to set the fragment size in eap.conf. Uncommented "fragment_size = 1024". Didn't change anything. I'm also seeing... Twice: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this . Once: WARNING: Empty post-auth section. Using default return values. Wasn't able to find anything helpful for those, either. Thanks, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Hi,
WARNING: !! EAP session for state ... did not finish!
Now the Wiki claims this is because of certificate problems. But if that's so: Why have I never experienced this with the exact same clients with FreeRADIUS 1.1.1 and certs generated the exact same way?
...just during startup? If so, there may have been old connections continuing when you stopped the process....clients half-way through a conversation
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this .
if calling pap module, the server cant find what it needs in any of your authentication stores to satisfy requirements. you need to see who that was...
Once:
WARNING: Empty post-auth section. Using default return values.
just a WARNING. you have an empty post-auth seciton (!) :-) alan
On Fri, Oct 02, 2015 at 04:16:10PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this .
if calling pap module, the server cant find what it needs in any of your authentication stores to satisfy requirements. you need to see who that was...
...but if doing, say, peap/mschapv2, then there won't be a cleartext password and so this can be ignored. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
(Splitting this one off into a re-titled sub-tread...) On Fri, 2 Oct 2015 17:24:29 +0100 Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Oct 02, 2015 at 04:16:10PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this .
if calling pap module, the server cant find what it needs in any of your authentication stores to satisfy requirements. you need to see who that was...
...but if doing, say, peap/mschapv2, then there won't be a cleartext password and so this can be ignored.
PEAP/MS-CHAPv2 is what we're doing, but here's the thing: Years ago I used to write a fair bit of code. I learned *the hard way* not to blithely disregard "warning:"s. So when I see them, I want to know what they're about. I want to make them Go Away if I can. Since we're not using PAP, can I simply comment-out the calls to it in default and inner-tunnel? Thanks, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
On Oct 2, 2015, at 12:37 PM, Jim Seymour <jseymour@LinxNet.com> wrote:
Since we're not using PAP, can I simply comment-out the calls to it in default and inner-tunnel?
Yes. Alan DeKok.
On Fri, 2 Oct 2015 16:16:10 +0000 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
WARNING: !! EAP session for state ... did not finish!
Now the Wiki claims this is because of certificate problems. But if that's so: Why have I never experienced this with the exact same clients with FreeRADIUS 1.1.1 and certs generated the exact same way?
...just during startup? If so, there may have been old connections continuing when you stopped the process....clients half-way through a conversation
No. There's only one (1) AP and one (1) client. Nevertheless: I connected with that client, disco'd, and re-connected. Same behaviour (client claims it cannot connect, but does, anyway) and same message in the debug output. Regards, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
On Fri, Oct 02, 2015 at 02:41:26PM -0400, Jim Seymour wrote:
WARNING: !! EAP session for state ... did not finish!
Now the Wiki claims this is because of certificate problems. But if that's so: Why have I never experienced this with the exact same clients with FreeRADIUS 1.1.1 and certs generated the exact same way?
...just during startup? If so, there may have been old connections continuing when you stopped the process....clients half-way through a conversation
No. There's only one (1) AP and one (1) client. Nevertheless: I connected with that client, disco'd, and re-connected. Same behaviour (client claims it cannot connect, but does, anyway) and same message in the debug output.
Can you run radiusd -X | tee logfile then connect the laptop to the network, and then post the logfile to the list? Otherwise we've got nothing really to go on. Long shot, have you got the default EAP type (eap.conf) configured to the same on that you're using? Shouldn't cause this, but all I can think of without seeing any debug output. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Fri, 2 Oct 2015 21:35:17 +0100 Matthew Newton <mcn4@leicester.ac.uk> wrote: [snip]
Can you run
radiusd -X | tee logfile
then connect the laptop to the network, and then post the logfile to the list? Otherwise we've got nothing really to go on.
Wellll... Okay. It's gigantic, tho. Included below.
Long shot, have you got the default EAP type (eap.conf) configured to the same on that you're using? Shouldn't cause this, but all I can think of without seeing any debug output.
Set to "peap" in eap.conf and set to "Microsoft: Protected EAP (PEAP)" in the config on the laptop. Here's the debug output... freeradius: FreeRADIUS Version 2.2.9, for host i686-pc-linux-gnu, built on Oct 2 2015 at 07:12:08 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/dhcp_sqlippool including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/cache including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/radrelay including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 172.24.0.0/16 { ipaddr = 172.24.0.0 netmask = 16 require_message_authenticator = no secret = "xxxxxxxxxxxxxxxxxxxx" shortname = "localhost" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/ssl/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/skynet-n_wtccorp_com.key" certificate_file = "/etc/ssl/certs/skynet-n_wtccorp_com.crt" CA_file = "/etc/ssl/certs/skynet-n_wtccorp_com_ca.pem" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/ssl/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/freeradius/huntgroups reading pairlist file /etc/freeradius/hints Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log detail auth_log { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /etc/freeradius/users reading pairlist file /etc/freeradius/acct_users reading pairlist file /etc/freeradius/preproxy_users Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/freeradius/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "localhost" port = 389 password = "slurp2~maybe" expect_password = yes identity = "uid=radius,ou=People,dc=wtccorp,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = yes cacertfile = "/etc/ssl/certs/skynet-n_wtccorp_com_ca.pem" require_cert = "allow" } basedn = "ou=People,dc=wtccorp,dc=com" filter = "(uid=%{mschap:User-Name})" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x87ce2f8 Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 56664 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=0, length=203 Message-Authenticator = 0xf3fee44722450f2f835bda228c2d88a6 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020000140177696e303035345c6a656666726579 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:26 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 172.24.0.48 port 1509 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98bd762098bc6f3a092a404097a6cf8c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=1, length=340 Message-Authenticator = 0x179741121daee4790499573ef410e994 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x98bd762098bc6f3a092a404097a6cf8c Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201008b198000000081160301007c010000780301560ef3ca1db6af18753547212e86a4c29231188ea25d38e9fc506a22d24e4ded204bac48082d3304551bb3dc2591a3abb1481a4b9e1f411604b120384460512c0d0018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:26 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 139 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 129 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 007c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0899], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 172.24.0.48 port 1509 EAP-Message = 0x0102040019c000000a351603010039020000350301e3d36991a480cff0a07864e77a040402f7c8ffb3fa033663de15ee5670a7e1b600c01400000dff01000100000b00040300010216030108990b000895000892000469308204653082034da003020102020900db98278c91c043a9300d06092a864886f70d01010b05003081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a30 EAP-Message = 0x2806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323735335a170d3136303932393133323735335a3081c0310b30090603550406130255533111300f06035504080c084d6963686967616e3119301706035504070c104661726d696e67746f6e2048696c6c733121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077 EAP-Message = 0x656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2d1c7948966ed1341d267fc4f9cbb7296b538e6c723798db5cf417e57e0620f717df13563fa3ee95d91c6cbd0f2919d7cc0574e3525b145ce67bd29b491b13c0521b0d0790a9e1e153f8f5120ec29c3ef45e90eac80eceb1a72e4092484908d485fa92fa5707513fd6af7f510b56d1d0faaadb9e7cd299346fefef85bc2ea77fa161428c0c5282c5c55eff7e3eea1eb2174f802bf43d03232ada75c5e05ab926885f6f67667fab1d529a55db4bb05e1b96eb29372385b57e3b3a7adf39e856aff11f754675e831d57d5fdbacc EAP-Message = 0x6c871053262f2b628752fb8fe5f810342b04f8a001177ebd1722fb02c1fe13ba9d97a5fbfe928d7b4e5ec19a8158f75d44d1c90203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143fd748d1e67b96f55218a8d3506b1520021ead6f301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300d06092a864886f70d01010b05000382010100499ce5c07f4f002837484b1de16566030fd0a519c6f66b6600ddecacbb55c50be98fc448739e30aef582ac786a65a70b38f0a53c EAP-Message = 0x205bb219d9d0950173a6e052 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98bd762099bf6f3a092a404097a6cf8c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=2, length=207 Message-Authenticator = 0xbd29cd2a85b34482305e73ddbeb9fc70 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x98bd762099bf6f3a092a404097a6cf8c Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:26 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 172.24.0.48 port 1509 EAP-Message = 0x010303fc1940b6da580861b855560215e1bcddc7cf7827141faabad978a814118c0396af66bb9de3c68f723e7daa398182692569baf4e2286c6ce5036cfc997577ecebc2727ff1ecbf4f7310651cf9ea2752d40b0ffa8f3d93d4e344fede5db5104358bd0361b15d3a673789d36d86caa0800071c88c6f149459efd07b25be0dd75ca2b2aa276c22bd6c8f7481af26b84dda57b527c3ed8889a96b232aba9105d1750cfd3fcf97c1ee8a9339d19ab87264461497c80c8adf4010e1a03fe4048cd611b4fdb0330004233082041f30820307a003020102020900db98278c91c043a8300d06092a864886f70d01010b05003081a5310b3009060355040613 EAP-Message = 0x0255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323732315a170d3230303932383133323732315a3081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f67792043 EAP-Message = 0x6f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c944842f637fef492dcb8b64ea061235ea559291b19a5ae5edc0ed30743c49f613d8e02b4f1c550e2a10a2949470e97d1bfa77fd2d72cf5705e203ab73384d91885043238a0a28aba3da3852a88569281c07f2625df0c9fc44bd7e2b74e1bd17b30e13a34ce06642eb8ea20eab0ac013b1e0295106d8 EAP-Message = 0xdebfec3c001b3f97c99db881f0bc8175bc2f8a06a57dd173f43d092f406832fa4d379b4e3d139fcd2b17ffc3d462ee2d1bb7f4170af942c0d04e00a7d9735378bca2b39c5442683a6a0311a8c0c24d4782e969362ea68480960546166f7683dde3e32638fb36b04b302198f997e2afb50880b63ffdff863a7812b4e9c0cc7ccda4424c344f3f7f180bf70203010001a350304e301d0603551d0e041604143edcdf7a0e78b6c903868bf018eb6df83782ab9d301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010059c531727c748cb0 EAP-Message = 0xa73687495c5cba6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98bd76209abe6f3a092a404097a6cf8c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=3, length=207 Message-Authenticator = 0xff40c27f0968df6b3d4a998482366677 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x98bd76209abe6f3a092a404097a6cf8c Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:26 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 172.24.0.48 port 1509 EAP-Message = 0x0104024f1900e7d5270f188a0f21028c17db0c4d3a4838d86a59ff3eec796b43f0c60983ea0d40fd86610f59e6575677f9700434ca9aaea69f8849614008fd93ade3852afb2eef925278f3b28c615233ec17b84f3299944dcb6c776ef66cbb07c8a503ca018747ef169ce512d4b2f1a102b7f941d62239c3cd554545cc8a0662221db9c71caa130d342979bbe0b1ae33d10737740e92a776c525965e97d1f9ab305c7226f8f26c03063af5d76628eba9e851ae0f807182cd582cf834384de1df8b513aff09dcb8409ca58449b5c987a8f574139352b15b5b73e56114eac58602765d28ea98181c344c48f313d5a29a2f2accfb06d4b7160301014b0c00 EAP-Message = 0x0147030017410458221b4f9563c367cd6345bd1983dd5a0a1d2d9c0c3f3a688675135a2a3dd158eb7ce2a321395da49acebf6d58bb7bc638b6ac01ea1f1dacbbb3f1891effafa701002df95433bd6b5e8b9e54b46658f83af70565a8bacc68904416919cc68c38c00bb8d03e56d7b9825bcbc107f05a8505c371fe58f730e929a777ac59b5f8d8c3ffdb6c1cd8f18f3964224390d311b9d52e76817b0c33d34c42756e9726eb789ecc12975de7b3754bb382aee43ed892b392da09e278fd7b1c1b2a087fdd4ff4a3a9b68abec44550f6fbbedfc24c43eb889c23f921690d5005c4c0d6f09532e9c5fd19bd9f0fad6ec02b28579cdb08e69345d4cabd93 EAP-Message = 0x988e23bbfd7da569b3228fce00255d14115514e296d1cdcabfc471f6a93865e4727403723468dd50253baec481920b34f9bbd4b31d488db221f224bb73a98de198ce3c3bbaea63a73de0640d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98bd76209bb96f3a092a404097a6cf8c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=4, length=207 Message-Authenticator = 0x6c8a80ed0cc51c66ebf5cb6850444872 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x98bd76209bb96f3a092a404097a6cf8c Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020400061900 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:26 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 172.24.0.48 port 1509 EAP-Message = 0x010500061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98bd76209cb86f3a092a404097a6cf8c Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=0, length=203 Message-Authenticator = 0x121295a68b11c245e8e2f9154fbba8de Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020000140177696e303035345c6a656666726579 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 172.24.0.48 port 1510 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4464d3fe9d648e243ee182ad Finished request 5. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=1, length=308 Message-Authenticator = 0xed6907899fefd56815ebca6b3afae42d Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4464d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201006b198000000061160301005c010000580301560ef3ccbf5284b3d32a2f4774af9d62f43b2ee8527a8caeff6653df745e5cef000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 97 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0899], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 172.24.0.48 port 1510 EAP-Message = 0x0102040019c000000a351603010039020000350301563f8767bca18f9ef80d326eb862a320de9154c43e762c9317971aa689858f3600c01400000dff01000100000b00040300010216030108990b000895000892000469308204653082034da003020102020900db98278c91c043a9300d06092a864886f70d01010b05003081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a30 EAP-Message = 0x2806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323735335a170d3136303932393133323735335a3081c0310b30090603550406130255533111300f06035504080c084d6963686967616e3119301706035504070c104661726d696e67746f6e2048696c6c733121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077 EAP-Message = 0x656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2d1c7948966ed1341d267fc4f9cbb7296b538e6c723798db5cf417e57e0620f717df13563fa3ee95d91c6cbd0f2919d7cc0574e3525b145ce67bd29b491b13c0521b0d0790a9e1e153f8f5120ec29c3ef45e90eac80eceb1a72e4092484908d485fa92fa5707513fd6af7f510b56d1d0faaadb9e7cd299346fefef85bc2ea77fa161428c0c5282c5c55eff7e3eea1eb2174f802bf43d03232ada75c5e05ab926885f6f67667fab1d529a55db4bb05e1b96eb29372385b57e3b3a7adf39e856aff11f754675e831d57d5fdbacc EAP-Message = 0x6c871053262f2b628752fb8fe5f810342b04f8a001177ebd1722fb02c1fe13ba9d97a5fbfe928d7b4e5ec19a8158f75d44d1c90203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143fd748d1e67b96f55218a8d3506b1520021ead6f301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300d06092a864886f70d01010b05000382010100499ce5c07f4f002837484b1de16566030fd0a519c6f66b6600ddecacbb55c50be98fc448739e30aef582ac786a65a70b38f0a53c EAP-Message = 0x205bb219d9d0950173a6e052 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4567d3fe9d648e243ee182ad Finished request 6. Going to the next request Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=2, length=207 Message-Authenticator = 0xe82b5064a4f1a842ea017d1df9ed2249 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4567d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 172.24.0.48 port 1510 EAP-Message = 0x010303fc1940b6da580861b855560215e1bcddc7cf7827141faabad978a814118c0396af66bb9de3c68f723e7daa398182692569baf4e2286c6ce5036cfc997577ecebc2727ff1ecbf4f7310651cf9ea2752d40b0ffa8f3d93d4e344fede5db5104358bd0361b15d3a673789d36d86caa0800071c88c6f149459efd07b25be0dd75ca2b2aa276c22bd6c8f7481af26b84dda57b527c3ed8889a96b232aba9105d1750cfd3fcf97c1ee8a9339d19ab87264461497c80c8adf4010e1a03fe4048cd611b4fdb0330004233082041f30820307a003020102020900db98278c91c043a8300d06092a864886f70d01010b05003081a5310b3009060355040613 EAP-Message = 0x0255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323732315a170d3230303932383133323732315a3081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f67792043 EAP-Message = 0x6f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c944842f637fef492dcb8b64ea061235ea559291b19a5ae5edc0ed30743c49f613d8e02b4f1c550e2a10a2949470e97d1bfa77fd2d72cf5705e203ab73384d91885043238a0a28aba3da3852a88569281c07f2625df0c9fc44bd7e2b74e1bd17b30e13a34ce06642eb8ea20eab0ac013b1e0295106d8 EAP-Message = 0xdebfec3c001b3f97c99db881f0bc8175bc2f8a06a57dd173f43d092f406832fa4d379b4e3d139fcd2b17ffc3d462ee2d1bb7f4170af942c0d04e00a7d9735378bca2b39c5442683a6a0311a8c0c24d4782e969362ea68480960546166f7683dde3e32638fb36b04b302198f997e2afb50880b63ffdff863a7812b4e9c0cc7ccda4424c344f3f7f180bf70203010001a350304e301d0603551d0e041604143edcdf7a0e78b6c903868bf018eb6df83782ab9d301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010059c531727c748cb0 EAP-Message = 0xa73687495c5cba6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4666d3fe9d648e243ee182ad Finished request 7. Going to the next request Waking up in 2.8 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=3, length=207 Message-Authenticator = 0xa1bb90d986293276b7e1daa26bbb9422 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4666d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 172.24.0.48 port 1510 EAP-Message = 0x0104024f1900e7d5270f188a0f21028c17db0c4d3a4838d86a59ff3eec796b43f0c60983ea0d40fd86610f59e6575677f9700434ca9aaea69f8849614008fd93ade3852afb2eef925278f3b28c615233ec17b84f3299944dcb6c776ef66cbb07c8a503ca018747ef169ce512d4b2f1a102b7f941d62239c3cd554545cc8a0662221db9c71caa130d342979bbe0b1ae33d10737740e92a776c525965e97d1f9ab305c7226f8f26c03063af5d76628eba9e851ae0f807182cd582cf834384de1df8b513aff09dcb8409ca58449b5c987a8f574139352b15b5b73e56114eac58602765d28ea98181c344c48f313d5a29a2f2accfb06d4b7160301014b0c00 EAP-Message = 0x01470300174104f94f27db84c936ece3f8f2dabd1578d95d6ac7a27dfb6daa83d62030d7be1f8298f1889a729c7ed1475895e8f796516031e5bb67c5779570fe2e3baa4fc59f980100656917d6493b86f841676412f995ab7e1ba7c1e28e39d94c08325c836b0887772396b6b04f6db1bcbc09f143184d3d37677a484de33a58e0b182788527dede27c5345dba9bd4e06dd487cb32c55e95efeab1cf8b4b5726b5950c473d5264c03ec379147429d3492e4695a1153ba005598749f4a9f13e3847148f3455cffc4121180cdc839bc84dccf2758f4d624583bf051e94fcaecded9834a0e7c632087051a0cada0de572368894b07c019e3e85a379e8df26 EAP-Message = 0x3c7a29973798e12add22ade92b3511a131fb4d81bfcdec1d7106d6c70b89fed598f1aca96b1ce9d45de544b8f2d96c2bde80f76ae69041e752e6ddbfcbafca70df67258cdeff72cc52f1958616030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4761d3fe9d648e243ee182ad Finished request 8. Going to the next request Waking up in 2.8 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=4, length=345 Message-Authenticator = 0x8bc28ce67ea7ac4969fbf9ae2e9e208f Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4761d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204009019800000008616030100461000004241043c809efc0e0a2ca176b2606111d62bf84fc511208a5bf64b3017688baf469126994847f9f55b6a4a9a14f69a5cc2d9093ca45977068034173e49aa8c6567ef231403010001011603010030cfd781c88abc2f1f2308318db52c884dc33bb5034282e0be3ae40b6265ee2d415484e772c9889a03bfd6d113e8b7b925 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 172.24.0.48 port 1510 EAP-Message = 0x010500411900140301000101160301003013153c9bcbbbc61fdf54f31d9dc1f6e0f0688aed91c84831ea12d943c445d4bc36982989b0a1c12ffff77e06438851c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4060d3fe9d648e243ee182ad Finished request 9. Going to the next request Waking up in 2.8 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=5, length=207 Message-Authenticator = 0xe672cfd12303a02af4cd8bf93844cc0a Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4060d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500061900 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 172.24.0.48 port 1510 EAP-Message = 0x0106002b190017030100206e4c28c25fa0be9b294a675f54f4795ab01b00a6d1c9b7001d7da69b3807e510 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4163d3fe9d648e243ee182ad Finished request 10. Going to the next request Waking up in 2.8 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=6, length=260 Message-Authenticator = 0xdbd26e3f6b395640e552601e0c30b267 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4163d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206003b19001703010030ace4d439a4ad129c9a846d74d6695ccaea39e77e2c524cf5065c69ae97d02d1c7dc9ec9c5a4e7d530ef19a7485a6d6f0 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 59 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - win0054\jeffrey [peap] Got inner identity 'win0054\jeffrey' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020600140177696e303035345c6a656666726579 server { [peap] Setting User-Name to win0054\jeffrey Sending tunneled request EAP-Message = 0x020600140177696e303035345c6a656666726579 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "win0054\\jeffrey" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 6 length 20 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for win0054\jeffrey [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=jeffrey) [ldap] expand: ou=People,dc=wtccorp,dc=com -> ou=People,dc=wtccorp,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] setting TLS CACert File to /etc/ssl/certs/skynet-n_wtccorp_com_ca.pem [ldap] starting TLS [ldap] bind as uid=radius,ou=People,dc=wtccorp,dc=com/slurp2~maybe to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=People,dc=wtccorp,dc=com, with filter (uid=jeffrey) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] sambaAcctFlags -> SMB-Account-CTRL-TEXT == "[U]" [ldap] sambaNTPassword -> NT-Password == 0x4338374239333639433331343843433241314331363738344134363645463435 [ldap] sambaLMPassword -> LM-Password == 0x3936393736373035453543463432463941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700291a01070024109974050545ffc02dfc8e72d8f44f439b77696e303035345c6a656666726579 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05a66f0605a1753bbd5d795e1c248c9d [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x010700291a01070024109974050545ffc02dfc8e72d8f44f439b77696e303035345c6a656666726579 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05a66f0605a1753bbd5d795e1c248c9d [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 172.24.0.48 port 1510 EAP-Message = 0x0107004b19001703010040a9546f8399001b6a8bd342e619ae8162f76fc837888a09fa384a010c9e2dee9268df149f6f8055970ae10d2cc4a47f0cac733dd468db1838054de093bc3dec3f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4262d3fe9d648e243ee182ad Finished request 11. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=7, length=308 Message-Authenticator = 0x0ca2718b291fbbe28082bcdb84c545b7 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4262d3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207006b190017030100609050f71be529e8a4298db7da8502b8faeadcba74fc99e9ddfe0960259c3f195a921fa28d69ba8df233282f6a29547be7c11310bccfed272c506a790337ba47b73fdd5ff2760bd67eb09d62a5a385bbf54ed00eb3066e8955bdf5f48dc46b93f3 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700421a0207003d31f613ab6b1e8f20d69b72000370a616000000000000000000a0ae9b346e3a9f3f939556588b676a35929c01f270327e77006a656666726579 server { [peap] Setting User-Name to win0054\jeffrey Sending tunneled request EAP-Message = 0x020700421a0207003d31f613ab6b1e8f20d69b72000370a616000000000000000000a0ae9b346e3a9f3f939556588b676a35929c01f270327e77006a656666726579 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "win0054\\jeffrey" State = 0x05a66f0605a1753bbd5d795e1c248c9d server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 7 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for win0054\jeffrey [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=jeffrey) [ldap] expand: ou=People,dc=wtccorp,dc=com -> ou=People,dc=wtccorp,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=wtccorp,dc=com, with filter (uid=jeffrey) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] sambaAcctFlags -> SMB-Account-CTRL-TEXT == "[U]" [ldap] sambaNTPassword -> NT-Password == 0x4338374239333639433331343843433241314331363738344134363645463435 [ldap] sambaLMPassword -> LM-Password == 0x3936393736373035453543463432463941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Found LM-Password [mschap] Found NT-Password [mschap] WARNING: User-Name (win0054\jeffrey) is not the same as MS-CHAP Name (jeffrey) from EAP-MSCHAPv2 [mschap] Creating challenge hash with username: jeffrey [mschap] Client is using MS-CHAPv2 for jeffrey, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010800331a0307002e533d41343938333341454445323745364436324232423838464442363141453031334334344641353133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05a66f0604ae753bbd5d795e1c248c9d [peap] Got tunneled reply RADIUS code Access-Challenge EAP-Message = 0x010800331a0307002e533d41343938333341454445323745364436324232423838464442363141453031334334344641353133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x05a66f0604ae753bbd5d795e1c248c9d [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 172.24.0.48 port 1510 EAP-Message = 0x0108005b19001703010050e447287e8c32c97b3bba2d5ddcebbb2a7a5072606bb3985055cb0d1e42f19cab85b5e3ba2c1c3d5911d6088e96ba61543cb4a2730c2de449aca8322d707acff85d1c89e4719868c37ece12a7858d0ce0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b436dd3fe9d648e243ee182ad Finished request 12. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=8, length=244 Message-Authenticator = 0x1e3e0ca33e12a9b4057830f377b82244 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b436dd3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b1900170301002058ac08dc09598152957686e0d9ec0bfb4af9ed80b8e98be8b21c0d7ba2a73c78 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800061a03 server { [peap] Setting User-Name to win0054\jeffrey Sending tunneled request EAP-Message = 0x020800061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "win0054\\jeffrey" State = 0x05a66f0604ae753bbd5d795e1c248c9d server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for win0054\jeffrey [ldap] expand: (uid=%{mschap:User-Name}) -> (uid=jeffrey) [ldap] expand: ou=People,dc=wtccorp,dc=com -> ou=People,dc=wtccorp,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=wtccorp,dc=com, with filter (uid=jeffrey) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] sambaAcctFlags -> SMB-Account-CTRL-TEXT == "[U]" [ldap] sambaNTPassword -> NT-Password == 0x4338374239333639433331343843433241314331363738344134363645463435 [ldap] sambaLMPassword -> LM-Password == 0x3936393736373035453543463432463941414433423433354235313430344545 [ldap] looking for reply items in directory... [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x14cdaa5dd80a97d68f9a273925682cff MS-MPPE-Recv-Key = 0x0d3dced83362f21239048b9280abfc62 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "win0054\\jeffrey" [peap] Got tunneled reply RADIUS code Access-Accept MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x14cdaa5dd80a97d68f9a273925682cff MS-MPPE-Recv-Key = 0x0d3dced83362f21239048b9280abfc62 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "win0054\\jeffrey" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 172.24.0.48 port 1510 EAP-Message = 0x0109002b19001703010020789df7189a45a0b33091349b5e386e2fc1ff4a2f09623998d30272a775b4cb92 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4465ca6b4c6cd3fe9d648e243ee182ad Finished request 13. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=9, length=244 Message-Authenticator = 0xc85bfd7428baa565719f188f4e6077f2 Service-Type = Framed-User User-Name = "win0054\\jeffrey" Framed-MTU = 1488 State = 0x4465ca6b4c6cd3fe9d648e243ee182ad Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap" Calling-Station-Id = "00-1F-3C-B2-AD-72" NAS-Identifier = "FWAG114" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0209002b190017030100201f684809b50701513be173c26cfb7cb773d3d2ff3af2d82a04e5aa5203930ec2 NAS-IP-Address = 0.0.0.0 NAS-Port = 1 NAS-Port-Id = "STA port # 1" # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002 [auth_log] expand: %t -> Fri Oct 2 17:14:28 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 9 to 172.24.0.48 port 1510 MS-MPPE-Recv-Key = 0xb6366ecd1300654a450cf0f52f17764ceef21afb49657ae5569ac80e7ac85529 MS-MPPE-Send-Key = 0xfe041f1c30415092e2a826a51a0ff7eff3d0fceac33d78f95f08a36ad310fec0 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "win0054\\jeffrey" Finished request 14. Going to the next request Waking up in 2.7 seconds. Cleaning up request 0 ID 0 with timestamp +32 Cleaning up request 1 ID 1 with timestamp +32 Cleaning up request 2 ID 2 with timestamp +32 Cleaning up request 3 ID 3 with timestamp +32 Cleaning up request 4 ID 4 with timestamp +32 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x98bd76209cb86f3a did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Waking up in 2.0 seconds. Cleaning up request 5 ID 0 with timestamp +34 Cleaning up request 6 ID 1 with timestamp +34 Cleaning up request 7 ID 2 with timestamp +34 Cleaning up request 8 ID 3 with timestamp +34 Cleaning up request 9 ID 4 with timestamp +34 Cleaning up request 10 ID 5 with timestamp +34 Cleaning up request 11 ID 6 with timestamp +34 Cleaning up request 12 ID 7 with timestamp +34 Cleaning up request 13 ID 8 with timestamp +34 Cleaning up request 14 ID 9 with timestamp +34 Ready to process requests. Regards, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
On Fri, Oct 02, 2015 at 05:24:17PM -0400, Jim Seymour wrote:
radiusd -X | tee logfile
then connect the laptop to the network, and then post the logfile to the list? Otherwise we've got nothing really to go on.
Wellll... Okay. It's gigantic, tho. Included below.
Nope, that's fine.
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=0, length=203 EAP-Message = 0x020000140177696e303035345c6a656666726579
response - EAP identity win0054\jeffrey
Sending Access-Challenge of id 0 to 172.24.0.48 port 1509 EAP-Message = 0x010100061920
server request - asks for PEAP
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=1, length=340 EAP-Message = 0x0201008b198000000081160301007c010000780301560ef3ca1db6af18753547212e86a4c29231188ea25d38e9fc506a22d24e4ded204bac48082d3304551bb3dc2591a3abb1481a4b9e1f411604b120384460512c0d0018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
client initiates PEAP
Sending Access-Challenge of id 1 to 172.24.0.48 port 1509 EAP-Message = 0x0102040019c000000a351603010039020000350301e3d36991a480cff0a07864e77a040402f7c8ffb3fa033663de15ee5670a7e1b600c01400000dff01000100000b00040300010216030108990b000895000892000469308204653082034da003020102020900db98278c91c043a9300d06092a864886f70d01010b05003081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a30 EAP-Message = 0x2806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323735335a170d3136303932393133323735335a3081c0310b30090603550406130255533111300f06035504080c084d6963686967616e3119301706035504070c104661726d696e67746f6e2048696c6c733121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077 EAP-Message = 0x656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2d1c7948966ed1341d267fc4f9cbb7296b538e6c723798db5cf417e57e0620f717df13563fa3ee95d91c6cbd0f2919d7cc0574e3525b145ce67bd29b491b13c0521b0d0790a9e1e153f8f5120ec29c3ef45e90eac80eceb1a72e4092484908d485fa92fa5707513fd6af7f510b56d1d0faaadb9e7cd299346fefef85bc2ea77fa161428c0c5282c5c55eff7e3eea1eb2174f802bf43d03232ada75c5e05ab926885f6f67667fab1d529a55db4bb05e1b96eb29372385b57e3b3a7adf39e856aff11f754675e831d57d5fdbacc EAP-Message = 0x6c871053262f2b628752fb8fe5f810342b04f8a001177ebd1722fb02c1fe13ba9d97a5fbfe928d7b4e5ec19a8158f75d44d1c90203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143fd748d1e67b96f55218a8d3506b1520021ead6f301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300d06092a864886f70d01010b05000382010100499ce5c07f4f002837484b1de16566030fd0a519c6f66b6600ddecacbb55c50be98fc448739e30aef582ac786a65a70b38f0a53c EAP-Message = 0x205bb219d9d0950173a6e052 State = 0x98bd762099bf6f3a092a404097a6cf8c
server sends cert part 1
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=2, length=207 EAP-Message = 0x020200061900
client ack
Sending Access-Challenge of id 2 to 172.24.0.48 port 1509 EAP-Message = 0x010303fc1940b6da580861b855560215e1bcddc7cf7827141faabad978a814118c0396af66bb9de3c68f723e7daa398182692569baf4e2286c6ce5036cfc997577ecebc2727ff1ecbf4f7310651cf9ea2752d40b0ffa8f3d93d4e344fede5db5104358bd0361b15d3a673789d36d86caa0800071c88c6f149459efd07b25be0dd75ca2b2aa276c22bd6c8f7481af26b84dda57b527c3ed8889a96b232aba9105d1750cfd3fcf97c1ee8a9339d19ab87264461497c80c8adf4010e1a03fe4048cd611b4fdb0330004233082041f30820307a003020102020900db98278c91c043a8300d06092a864886f70d01010b05003081a5310b3009060355040613 EAP-Message = 0x0255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323732315a170d3230303932383133323732315a3081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f67792043 EAP-Message = 0x6f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c944842f637fef492dcb8b64ea061235ea559291b19a5ae5edc0ed30743c49f613d8e02b4f1c550e2a10a2949470e97d1bfa77fd2d72cf5705e203ab73384d91885043238a0a28aba3da3852a88569281c07f2625df0c9fc44bd7e2b74e1bd17b30e13a34ce06642eb8ea20eab0ac013b1e0295106d8 EAP-Message = 0xdebfec3c001b3f97c99db881f0bc8175bc2f8a06a57dd173f43d092f406832fa4d379b4e3d139fcd2b17ffc3d462ee2d1bb7f4170af942c0d04e00a7d9735378bca2b39c5442683a6a0311a8c0c24d4782e969362ea68480960546166f7683dde3e32638fb36b04b302198f997e2afb50880b63ffdff863a7812b4e9c0cc7ccda4424c344f3f7f180bf70203010001a350304e301d0603551d0e041604143edcdf7a0e78b6c903868bf018eb6df83782ab9d301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010059c531727c748cb0 EAP-Message = 0xa73687495c5cba6d State = 0x98bd76209abe6f3a092a404097a6cf8c
server sends cert part 2
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=3, length=207 EAP-Message = 0x020300061900
client ack
Sending Access-Challenge of id 3 to 172.24.0.48 port 1509 EAP-Message = 0x0104024f1900e7d5270f188a0f21028c17db0c4d3a4838d86a59ff3eec796b43f0c60983ea0d40fd86610f59e6575677f9700434ca9aaea69f8849614008fd93ade3852afb2eef925278f3b28c615233ec17b84f3299944dcb6c776ef66cbb07c8a503ca018747ef169ce512d4b2f1a102b7f941d62239c3cd554545cc8a0662221db9c71caa130d342979bbe0b1ae33d10737740e92a776c525965e97d1f9ab305c7226f8f26c03063af5d76628eba9e851ae0f807182cd582cf834384de1df8b513aff09dcb8409ca58449b5c987a8f574139352b15b5b73e56114eac58602765d28ea98181c344c48f313d5a29a2f2accfb06d4b7160301014b0c00 EAP-Message = 0x0147030017410458221b4f9563c367cd6345bd1983dd5a0a1d2d9c0c3f3a688675135a2a3dd158eb7ce2a321395da49acebf6d58bb7bc638b6ac01ea1f1dacbbb3f1891effafa701002df95433bd6b5e8b9e54b46658f83af70565a8bacc68904416919cc68c38c00bb8d03e56d7b9825bcbc107f05a8505c371fe58f730e929a777ac59b5f8d8c3ffdb6c1cd8f18f3964224390d311b9d52e76817b0c33d34c42756e9726eb789ecc12975de7b3754bb382aee43ed892b392da09e278fd7b1c1b2a087fdd4ff4a3a9b68abec44550f6fbbedfc24c43eb889c23f921690d5005c4c0d6f09532e9c5fd19bd9f0fad6ec02b28579cdb08e69345d4cabd93 EAP-Message = 0x988e23bbfd7da569b3228fce00255d14115514e296d1cdcabfc471f6a93865e4727403723468dd50253baec481920b34f9bbd4b31d488db221f224bb73a98de198ce3c3bbaea63a73de0640d16030100040e000000 State = 0x98bd76209bb96f3a092a404097a6cf8c
server sends last part of cert
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=4, length=207 EAP-Message = 0x020400061900
client sends ack
Sending Access-Challenge of id 4 to 172.24.0.48 port 1509 EAP-Message = 0x010500061900 State = 0x98bd76209cb86f3a092a404097a6cf8c
server sends ack. Note the state here.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=0, length=203 EAP-Message = 0x020000140177696e303035345c6a656666726579
client sends identity again - win0054\jeffrey huh? The client didn't like something, bombed out and started again.
Sending Access-Challenge of id 0 to 172.24.0.48 port 1510 EAP-Message = 0x010100061920 State = 0x4465ca6b4464d3fe9d648e243ee182ad
server requests peap
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=1, length=308 EAP-Message = 0x0201006b198000000061160301005c010000580301560ef3ccbf5284b3d32a2f4774af9d62f43b2ee8527a8caeff6653df745e5cef000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
client starts PEAP again
Sending Access-Challenge of id 1 to 172.24.0.48 port 1510 EAP-Message = 0x0102040019c000000a351603010039020000350301563f8767bca18f9ef80d326eb862a320de9154c43e762c9317971aa689858f3600c01400000dff01000100000b00040300010216030108990b000895000892000469308204653082034da003020102020900db98278c91c043a9300d06092a864886f70d01010b05003081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a30 EAP-Message = 0x2806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323735335a170d3136303932393133323735335a3081c0310b30090603550406130255533111300f06035504080c084d6963686967616e3119301706035504070c104661726d696e67746f6e2048696c6c733121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077 EAP-Message = 0x656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d2d1c7948966ed1341d267fc4f9cbb7296b538e6c723798db5cf417e57e0620f717df13563fa3ee95d91c6cbd0f2919d7cc0574e3525b145ce67bd29b491b13c0521b0d0790a9e1e153f8f5120ec29c3ef45e90eac80eceb1a72e4092484908d485fa92fa5707513fd6af7f510b56d1d0faaadb9e7cd299346fefef85bc2ea77fa161428c0c5282c5c55eff7e3eea1eb2174f802bf43d03232ada75c5e05ab926885f6f67667fab1d529a55db4bb05e1b96eb29372385b57e3b3a7adf39e856aff11f754675e831d57d5fdbacc EAP-Message = 0x6c871053262f2b628752fb8fe5f810342b04f8a001177ebd1722fb02c1fe13ba9d97a5fbfe928d7b4e5ec19a8158f75d44d1c90203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143fd748d1e67b96f55218a8d3506b1520021ead6f301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300d06092a864886f70d01010b05000382010100499ce5c07f4f002837484b1de16566030fd0a519c6f66b6600ddecacbb55c50be98fc448739e30aef582ac786a65a70b38f0a53c EAP-Message = 0x205bb219d9d0950173a6e052
server sends cert part 1
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=2, length=207 EAP-Message = 0x020200061900
client ack
Sending Access-Challenge of id 2 to 172.24.0.48 port 1510 EAP-Message = 0x010303fc1940b6da580861b855560215e1bcddc7cf7827141faabad978a814118c0396af66bb9de3c68f723e7daa398182692569baf4e2286c6ce5036cfc997577ecebc2727ff1ecbf4f7310651cf9ea2752d40b0ffa8f3d93d4e344fede5db5104358bd0361b15d3a673789d36d86caa0800071c88c6f149459efd07b25be0dd75ca2b2aa276c22bd6c8f7481af26b84dda57b527c3ed8889a96b232aba9105d1750cfd3fcf97c1ee8a9339d19ab87264461497c80c8adf4010e1a03fe4048cd611b4fdb0330004233082041f30820307a003020102020900db98278c91c043a8300d06092a864886f70d01010b05003081a5310b3009060355040613 EAP-Message = 0x0255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323732315a170d3230303932383133323732315a3081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f67792043 EAP-Message = 0x6f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c944842f637fef492dcb8b64ea061235ea559291b19a5ae5edc0ed30743c49f613d8e02b4f1c550e2a10a2949470e97d1bfa77fd2d72cf5705e203ab73384d91885043238a0a28aba3da3852a88569281c07f2625df0c9fc44bd7e2b74e1bd17b30e13a34ce06642eb8ea20eab0ac013b1e0295106d8 EAP-Message = 0xdebfec3c001b3f97c99db881f0bc8175bc2f8a06a57dd173f43d092f406832fa4d379b4e3d139fcd2b17ffc3d462ee2d1bb7f4170af942c0d04e00a7d9735378bca2b39c5442683a6a0311a8c0c24d4782e969362ea68480960546166f7683dde3e32638fb36b04b302198f997e2afb50880b63ffdff863a7812b4e9c0cc7ccda4424c344f3f7f180bf70203010001a350304e301d0603551d0e041604143edcdf7a0e78b6c903868bf018eb6df83782ab9d301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010059c531727c748cb0 EAP-Message = 0xa73687495c5cba6d
server certs part 2
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=3, length=207 EAP-Message = 0x020300061900
client ack
Sending Access-Challenge of id 3 to 172.24.0.48 port 1510 EAP-Message = 0x0104024f1900e7d5270f188a0f21028c17db0c4d3a4838d86a59ff3eec796b43f0c60983ea0d40fd86610f59e6575677f9700434ca9aaea69f8849614008fd93ade3852afb2eef925278f3b28c615233ec17b84f3299944dcb6c776ef66cbb07c8a503ca018747ef169ce512d4b2f1a102b7f941d62239c3cd554545cc8a0662221db9c71caa130d342979bbe0b1ae33d10737740e92a776c525965e97d1f9ab305c7226f8f26c03063af5d76628eba9e851ae0f807182cd582cf834384de1df8b513aff09dcb8409ca58449b5c987a8f574139352b15b5b73e56114eac58602765d28ea98181c344c48f313d5a29a2f2accfb06d4b7160301014b0c00 EAP-Message = 0x01470300174104f94f27db84c936ece3f8f2dabd1578d95d6ac7a27dfb6daa83d62030d7be1f8298f1889a729c7ed1475895e8f796516031e5bb67c5779570fe2e3baa4fc59f980100656917d6493b86f841676412f995ab7e1ba7c1e28e39d94c08325c836b0887772396b6b04f6db1bcbc09f143184d3d37677a484de33a58e0b182788527dede27c5345dba9bd4e06dd487cb32c55e95efeab1cf8b4b5726b5950c473d5264c03ec379147429d3492e4695a1153ba005598749f4a9f13e3847148f3455cffc4121180cdc839bc84dccf2758f4d624583bf051e94fcaecded9834a0e7c632087051a0cada0de572368894b07c019e3e85a379e8df26 EAP-Message = 0x3c7a29973798e12add22ade92b3511a131fb4d81bfcdec1d7106d6c70b89fed598f1aca96b1ce9d45de544b8f2d96c2bde80f76ae69041e752e6ddbfcbafca70df67258cdeff72cc52f1958616030100040e000000
server certs part 3
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=4, length=345 EAP-Message = 0x0204009019800000008616030100461000004241043c809efc0e0a2ca176b2606111d62bf84fc511208a5bf64b3017688baf469126994847f9f55b6a4a9a14f69a5cc2d9093ca45977068034173e49aa8c6567ef231403010001011603010030cfd781c88abc2f1f2308318db52c884dc33bb5034282e0be3ae40b6265ee2d415484e772c9889a03bfd6d113e8b7b925
client contines PEAP...
Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established
gotcha.
Sending Access-Challenge of id 4 to 172.24.0.48 port 1510 EAP-Message = 0x010500411900140301000101160301003013153c9bcbbbc61fdf54f31d9dc1f6e0f0688aed91c84831ea12d943c445d4bc36982989b0a1c12ffff77e06438851c7
...
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=6, length=260 EAP-Message = 0x0206003b19001703010030ace4d439a4ad129c9a846d74d6695ccaea39e77e2c524cf5065c69ae97d02d1c7dc9ec9c5a4e7d530ef19a7485a6d6f0
into the inner tunnel
[peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - win0054\jeffrey [peap] Got inner identity 'win0054\jeffrey' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020600140177696e303035345c6a656666726579 server { [peap] Setting User-Name to win0054\jeffrey Sending tunneled request EAP-Message = 0x020600140177696e303035345c6a656666726579
inner tunnel identity win0054\jeffrey and we're away.... completes with
Sending Access-Accept of id 9 to 172.24.0.48 port 1510 MS-MPPE-Recv-Key = 0xb6366ecd1300654a450cf0f52f17764ceef21afb49657ae5569ac80e7ac85529 MS-MPPE-Send-Key = 0xfe041f1c30415092e2a826a51a0ff7eff3d0fceac33d78f95f08a36ad310fec0 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "win0054\\jeffrey"
So this is why you get on. The *second* auth request succeeds.
Cleaning up request 4 ID 4 with timestamp +32 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x98bd76209cb86f3a did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note state 0x98bd76209cb86f3a above - this is the *first* request. So the question is... why did the client reject the first auth, but then immediately re-try and accept the certificate the second time. I'd look at the client and see if you can get logs off it (hard on Windows I know, have to enable eap tracing, it's a right pig to read compared to -X on the server side...) to see why it rejected the first time - if you can get anything from it. I'm assuming the TLS Server OID is in the cert because it works the second time, but worth checking anyway. Check the certificate chain to make sure that it all verifies OK and has nothing that looks odd about it. Has the client got the root CA installed properly? Try removing the entire client config and setting it up again. I've seen Win7 get itself confused and removing and adding the wireless settings has sorted it. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
So the question is... why did the client reject the first auth, but then immediately re-try and accept the certificate the second time.
I'd look at the client and see if you can get logs off it (hard on Windows I know, have to enable eap tracing, it's a right pig to read compared to -X on the server side...) to see why it rejected the first time - if you can get anything from it. I'm assuming the TLS Server OID is in the cert because it works the second time, but worth checking anyway.
I just extracted your cert from the EAP-Message, and you've not got the TLS Server Auth OID (1.3.6.1.5.5.7.3.1) in it. On that basis, could you please explain to us all how the heck you managed to get it to work at all the second time... :-) Re-generate the server certificate according to http://wiki.freeradius.org/guide/Certificate_Compatibility (as the original message said) and you should be good. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Sat, 3 Oct 2015 00:30:31 +0100 Matthew Newton <mcn4@leicester.ac.uk> wrote: [snip]
I just extracted your cert from the EAP-Message, and you've not got the TLS Server Auth OID (1.3.6.1.5.5.7.3.1) in it.
On that basis, could you please explain to us all how the heck you managed to get it to work at all the second time... :-)
*You* are asking *me*? :)
Re-generate the server certificate according to http://wiki.freeradius.org/guide/Certificate_Compatibility (as the original message said) and you should be good.
I saw that page. Several times. Nothing I saw there appeared to lead me to any... well, anything, really. But, based on your re-urging, I looked at it again, went "Hmmm... I wonder...?", took a guess and tried (on the server where FreeRADIUS is installed)... $ locate xpextensions /usr/share/doc/freeradius/examples/certs/xpextensions Ohhh kay. (I won't ask why that wasn't just put on the Wiki page--I suppose there's a good reason.) Looked... Now I *know* I never had to do that before. In fact: The certs on my existing server expired just a month ago or so and I had to generate new ones... Just double-checked: The FreeRADIUS on current production server is using the same self-signed certs as everything else on that server. My confusion increases. How is it I've been running everything from MS-Win95 through MS-Win7 on my existing network, using FreeRadius 1.1.1, and plain old self-signed server certs, w/o any special OIDs, all these years? And never installing CA certs (which eventually expire) on all the PCs? Help me to understand, please? Is this a result of some change between 1.1.x and 2.x.x? Is this how you add those OIDs: http://fincelfamily.com/tutorial_radiusserver.html ??? Thanks, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
On Oct 2, 2015, at 8:58 PM, Jim Seymour <jseymour@LinxNet.com> wrote:
Now I *know* I never had to do that before. In fact: The certs on my existing server expired just a month ago or so and I had to generate new ones... Just double-checked: The FreeRADIUS on current production server is using the same self-signed certs as everything else on that server.
And... how did you create the self-signed certs?
My confusion increases. How is it I've been running everything from MS-Win95 through MS-Win7 on my existing network, using FreeRadius 1.1.1, and plain old self-signed server certs, w/o any special OIDs, all these years? And never installing CA certs (which eventually expire) on all the PCs?
No idea. It's Windows.
Help me to understand, please? Is this a result of some change between 1.1.x and 2.x.x?
No. The OIDs are required by Windows, not by FreeRADIUS.
Is this how you add those OIDs:
No, no, no, and no. I have *zero* clue how people find random third-party web sites from nearly a decade ago, and cannot find the documentation that ships with the server. The method to create certs is documented in raddb/certs/ . It's been there since before that crappy page was written. PLEASE read the documentation that we've written. Pretty much everything else is old, broken, crappy, and lying to you. Alan DeKok.
On Fri, 2 Oct 2015 21:38:58 -0400 Alan DeKok <aland@deployingradius.com> wrote: [snip]
And... how did you create the self-signed certs?
By editing /etc/ssl/openssl.cnf and running CA.pl. That's all I've *ever* done. (Well, CA.sh, before. But similar results.)
[snip]
I have *zero* clue how people find random third-party web sites from nearly a decade ago, and cannot find the documentation that ships with the server.
Probably because...
The method to create certs is documented in raddb/certs/ . It's been there since before that crappy page was written.
*sigh* Except Debian, Ubuntu or whomever decided it would be a Good Idea to move it. The locate command I ran, earlier, to find xpextensions? $ ls -1 /usr/share/doc/freeradius/examples/certs bootstrap ca.cnf client.cnf Makefile README server.cnf xpextensions
PLEASE read the documentation that we've written. Pretty much everything else is old, broken, crappy, and lying to you.
Now that I found it: I just did. I really wish people wouldn't move stuff around. Thanks for the help, Alan, and everybody else. Regards, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
There's a good link here too: https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+consideratio... On Sat, Oct 3, 2015 at 4:31 AM, Jim Seymour <jseymour@linxnet.com> wrote:
On Fri, 2 Oct 2015 21:38:58 -0400 Alan DeKok <aland@deployingradius.com> wrote:
[snip]
And... how did you create the self-signed certs?
By editing /etc/ssl/openssl.cnf and running CA.pl. That's all I've *ever* done. (Well, CA.sh, before. But similar results.)
[snip]
I have *zero* clue how people find random third-party web sites from nearly a decade ago, and cannot find the documentation that ships with the server.
Probably because...
The method to create certs is documented in raddb/certs/ . It's been there since before that crappy page was written.
*sigh* Except Debian, Ubuntu or whomever decided it would be a Good Idea to move it.
The locate command I ran, earlier, to find xpextensions?
$ ls -1 /usr/share/doc/freeradius/examples/certs bootstrap ca.cnf client.cnf Makefile README server.cnf xpextensions
PLEASE read the documentation that we've written. Pretty much everything else is old, broken, crappy, and lying to you.
Now that I found it: I just did.
I really wish people wouldn't move stuff around.
Thanks for the help, Alan, and everybody else.
Regards, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sat, 3 Oct 2015 17:03:55 +0100 Nick Lowe <nick.lowe@gmail.com> wrote:
There's a good link here too:
https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+consideratio...
Thanks, Nick. I'd already covered all the bases mentioned there, except for AltName, which does not appear necessary for my purposes. I tried everything recommended here, including wiping everything out and reinstalling from scratch. Two or three times. And including using all the "official" docs, guides and directions I could find. Side note: Attempting to use the certs created by the FreeRADIUS Makefile would not allow OpenLDAP to run. Nor could I persuade "openssl verify ..." to validate the certificate chain, no matter what I did. Altering /etc/ssl/openssl.cnf to include the appropriate attributes and using CA.pl with -newca/-newcert-nodes/-sign produced certificates indistinguishable from those produced by the FreeRADIUS certs Makefile (examining them with "openssl x509 -noout -text -in <file>"), except both OpenLDAP and "openssl verify ..." were happy with those certs. However they made no difference in the behaviour of FreeRADIUS or the MS-Win7 PC. Enough, already. 1.1.1 has been working on the server being replaced, so I downloaded source tarballs of everything from 1.1.1 thru 1.1.8 (the link for 1.1.8 on the download page is broken, btw), and started building, (re-)installing and testing. Note: Had to add "#define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols" (note line wrap) to the top of src/main/modules.c to work around a bug in libltdl. Results: 1.1.3 worked right out of the gate, using the config files from the currently-running server, with slight adjustment, and the new certs 1.1.8 did not work on the first attempt 1.1.4 worked, with slight config file changes 1.1.6 same as above 1.1.8 same as above I don't understand why I've been unable to get 2.x.x going, but I've beat my head against it long enough. There's a boat-load of other stuff to install, configure and test on this server, and a ton of projects backed-up behind this project. I must move on, so 1.1.8 is what we'll be using. Thanks, everybody, for your kind and patient assistance! Regards, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
On Oct 7, 2015, at 10:13 AM, Jim Seymour <jseymour@LinxNet.com> wrote:
I tried everything recommended here, including wiping everything out and reinstalling from scratch. Two or three times. And including using all the "official" docs, guides and directions I could find.
Side note: Attempting to use the certs created by the FreeRADIUS Makefile would not allow OpenLDAP to run.
What does that mean?
Nor could I persuade "openssl verify ..." to validate the certificate chain, no matter what I did.
What errors did you get? What did you do? There is some magic here.. SSL magic. But the scripts and Makefile rules in raddb/certs *work*.
Altering /etc/ssl/openssl.cnf to include the appropriate attributes and using CA.pl with -newca/-newcert-nodes/-sign produced certificates indistinguishable from those produced by the FreeRADIUS certs Makefile (examining them with "openssl x509 -noout -text -in <file>"), except both OpenLDAP and "openssl verify ..." were happy with those certs.
What does that mean? You're describing problems in vague ways. WHAT went wrong? WHY would the certificates not verify? The only thing I can think of is that you're using version 1... and the default SSL configuration there is to use deprecated hashing functions. Which newer code will refuse to use as insecure. The solution is to use a version of FreeRADIUS which was released in the last 5 years.
1.1.1 has been working on the server being replaced, so I downloaded source tarballs of everything from 1.1.1 thru 1.1.8 (the link for 1.1.8 on the download page is broken, btw), and started building,
I've fixed that link. But... if you're using version 1, you will get *zero* support from this list. That version is old, unsupported, and there are no good reasons to use it. Install version 2.2.9, and go from there.
I don't understand why I've been unable to get 2.x.x going, but I've beat my head against it long enough. There's a boat-load of other stuff to install, configure and test on this server, and a ton of projects backed-up behind this project. I must move on, so 1.1.8 is what we'll be using.
Thanks, everybody, for your kind and patient assistance!
You should really use 2.2.9. If it doesn't work, explain what's going wrong, and we can help you. 1.1.8 is the entirely wrong choice. Alan DeKok.
You really should have a SAN present. Some clients reject X.509 certificates that miss this. Google, for example, have plans to stop supporting CNs at all in very short order - they'll just ignore them completely, relying only on SANs. If there's no match against them, they will consider the certificate invalid. Cheers, Nick
On 07/10/15 15:41, Nick Lowe wrote:
You really should have a SAN present. Some clients reject X.509 certificates that miss this.
Google, for example, have plans to stop supporting CNs at all in very
By "Google" I assume you mean the Chrome browser? Or the web crawler? Either way, interesting - any link to this plan?
Hi,
err. *how* did you come across that page? I've never seen that page ever.....and its from 2007.... its the first time that I'm aware than anyone mentioned it... is it a top hit in Bing or yahoo search or something? ;-) follow the official guides/docs from the actual server documentation pages/wiki - or in the config directories. there is no need to go to any random 3rd party page. in fact, such 3rd party pages may actually be malicious and getting you to do bad/wrong things - noone can vouch for a random 3rd party page...its not verified/checked etc alan
On Sat, 3 Oct 2015 00:01:14 +0100 Matthew Newton <mcn4@leicester.ac.uk> wrote: [snip]
So this is why you get on. The *second* auth request succeeds.
I wondered about that. Thanks for the analysis, Matthew!
Cleaning up request 4 ID 4 with timestamp +32 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x98bd76209cb86f3a did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Note state 0x98bd76209cb86f3a above - this is the *first* request.
Ah hah. I would've tried to make that association (no pun intended), but "for state <long-hex-string>" looked like some kind of, well, *state*. That's more like a... I dunno... session or sequence i.d., is it not?
So the question is... why did the client reject the first auth, but then immediately re-try and accept the certificate the second time.
I'd look at the client and see if you can get logs off it (hard on Windows I know, have to enable eap tracing, it's a right pig to read compared to -X on the server side...)
Ei yi yi :(
to see why it rejected the first time - if you can get anything from it. I'm assuming the TLS Server OID is in the cert because it works the second time, but worth checking anyway.
How do I check that?
Check the certificate chain to make sure that it all verifies OK and has nothing that looks odd about it.
It verifies. What to look for that would be "odd" about it?
Has the client got the root CA installed properly?
The client does not have the root CA installed at all. That was never necessary in the past. Note: The exact same user account with the exact same username and password exists on the production (live) network, and one of the APs is the exact same hardware and firmware, and the client authenticates just fine. So does every one of the other 26 or so wireless clients.
Try removing the entire client config and setting it up again. I've seen Win7 get itself confused and removing and adding the wireless settings has sorted it.
Well... okay. I'll give it a try on Monday. Thanks, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Jim Seymour -
Matthew Newton -
Nick Lowe -
Phil Mayers