Yet another multiple SSID setup question
I've been looking through the wiki and staring at the config files and I'm...confused. I've successfully gotten our Cisco WLC to authenticate against ActiveDirectory as well as a Sun LDAP server (just one at a time) via FreeRADIUS for a single test SSID, but now I'm trying to figure out how to split that into conditional checks. Before I go chopping up the existing config files and making a horrible mess of things, I wanted to verify a few things with the wisdom of the list. Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so: DEFAULT Auth-Type := student_module, Called-Station-SSID := "student" DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff" If so how do I set that up, as that would be two different eap.conf setups (wouldn't it)? Am I missing something obvious in the docs? Thanks for taking the time to help me out!
Nick Kartsioukas <lists.freeradius@change.nightwind.net> wrote:
Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so: DEFAULT Auth-Type := student_module, Called-Station-SSID := "student" DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
Just duplicate what you see in eap.conf to look something like: ---- eap EAP_student { # set this to peap for staff default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = ${local.cert.password} private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem dh_file = ${certdir}/dh random_file = /dev/urandom cipher_list = "AES:HIGH:!aNULL:!eNULL:@STRENGTH" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "auth" } # comment 'ttls' and uncomment following for staff #peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = yes # virtual_server = "auth" #} # #mschapv2 { # send_error = yes #} } eap EAP_staff { .... } ---- ---- authorize { ... if (Airespace-Wlan-Id == "student_ssid") { EAP_student } else { EAP_staff } ... } ---- Cheers -- Alexander Clouter .sigmonster says: Remember to say hello to your bank teller.
On Tue, 12 Jul 2011 07:17 +0100, "Alexander Clouter" <alex@digriz.org.uk> wrote:
authorize { ...
if (Airespace-Wlan-Id == "student_ssid") { EAP_student } else { EAP_staff }
... }
Thanks for the hints! I think I've got my eap.conf set up as I need it. After some errors from freeradius and further document exploration, it looks like what I need for the authorize section is this: rewrite_called_station_id if(Called-Station-Ssid == "staff") { mschap_staff } if(Called-Station-Ssid == "lab") { mschap_lab } if(Called-Station-Ssid == "student_wpa") { ldap } if(Called-Station-Ssid == "student") { ldap } with the two different mschap modules sending the staff and lab AD domain options to ntlm_auth respectively. Unfortunately, this is failing, with the mschap modules returning noop. ldap does succeed at least, it binds to the ldap directory and checks the user, but then fails on authentication... [ldap] user nicholas_kartsioukas authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 +++[ldap] returns ok [...] ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. So, I'm not sure what I'm missing here :/ I'm apparently not grasping something very basic, but I don't know what it is. I've not been very successful at navigating the wiki, so far all I've found are lists of the config files and the same comments within the config files, but nothing regarding process flow through freeradius that indicates how requests are handled so I can better understand what each config section is actually doing.
Nick Kartsioukas <lists.freeradius@change.nightwind.net> wrote:
Thanks for the hints! I think I've got my eap.conf set up as I need it. After some errors from freeradius and further document exploration, it looks like what I need for the authorize section is this: rewrite_called_station_id
if(Called-Station-Ssid == "staff") { mschap_staff } if(Called-Station-Ssid == "lab") { mschap_lab } if(Called-Station-Ssid == "student_wpa") { ldap } if(Called-Station-Ssid == "student") { ldap }
I would *strongly* recommend you run just one SSID and use VLAN assignment in post-auth to ---- post-auth { ... # defaults update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "unauthorised" Termination-Action := RADIUS-Request Session-Timeout := 300 Acct-Interim-Interval := 3600 } if (Ldap-Group == foobar) { update reply { Tunnel-Private-Group-Id := "staff" } } else { ... } } ---- The huge advantage is that *every* user at your organisation can follow the same instructions to connect to the wireless (and wired) network. It is also then trivial to put in 'eduroam'; if you use 'eduroam' from day one (*strongly* recommended to avoid pain down the road). Cheers -- Alexander Clouter .sigmonster says: Youth is the trustee of posterity.
On Wed, 13 Jul 2011 09:33 +0100, "Alexander Clouter" <alex@digriz.org.uk> wrote:
I would *strongly* recommend you run just one SSID and use VLAN assignment in post-auth to
The huge advantage is that *every* user at your organisation can follow the same instructions to connect to the wireless (and wired) network. It is also then trivial to put in 'eduroam'; if you use 'eduroam' from day one (*strongly* recommended to avoid pain down the road).
I appreciate the suggestion and may re-visit this some day, but I am replacing a Cisco ACS appliance that is going end-of-support in an existing wireless setup and I don't want to make extensive changes to anything user-facing at this time. Any ideas on my issue, or pointers to documentation that would help me out?
On 12/07/2011 02:50, Nick Kartsioukas wrote:
I've been looking through the wiki and staring at the config files and I'm...confused. I've successfully gotten our Cisco WLC to authenticate against ActiveDirectory as well as a Sun LDAP server (just one at a time) via FreeRADIUS for a single test SSID, but now I'm trying to figure out how to split that into conditional checks. Before I go chopping up the existing config files and making a horrible mess of things, I wanted to verify a few things with the wisdom of the list.
Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so: DEFAULT Auth-Type := student_module, Called-Station-SSID := "student" DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
If so how do I set that up, as that would be two different eap.conf setups (wouldn't it)? Am I missing something obvious in the docs? Thanks for taking the time to help me out!
If they are different SSIDs on the Cisco WLC, you should be able to assign different radius servers for each SSID. Do that, e.g: ssid1 -> 192.0.2.1:1645 ssid2 -> 192.0.2.1:1812 Then use a different FreeRADIUS virtual server to handle each (i.e. on virtual server listening on port 1812 , and one listening on port 1812). This way you can keep the intricacies of each separate. -James
Maybe your setup is different, but when we get fac/staff logging in to wireless with their Domain credentials, those have the domain prepended on the username, which makes it easy to parse those with unlang and proxy those requests to the AD servers (in our case, since our AD servers are set up to speak NTLMv2 only, we proxy the inner tunnel authentication to IAS and that sends it along. proxy-inner-tunnel allows me to keep my wireless service certs on the FreeRADIUS server, and present only the one for everyone doing 802.1X, which makes everyone's lives easier). -Jacob On 11 Jul 2011, at 21:50, Nick Kartsioukas wrote:
I've been looking through the wiki and staring at the config files and I'm...confused. I've successfully gotten our Cisco WLC to authenticate against ActiveDirectory as well as a Sun LDAP server (just one at a time) via FreeRADIUS for a single test SSID, but now I'm trying to figure out how to split that into conditional checks. Before I go chopping up the existing config files and making a horrible mess of things, I wanted to verify a few things with the wisdom of the list.
Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so: DEFAULT Auth-Type := student_module, Called-Station-SSID := "student" DEFAULT Auth-Type := staff_module, Called-Station-SSID := "staff"
If so how do I set that up, as that would be two different eap.conf setups (wouldn't it)? Am I missing something obvious in the docs? Thanks for taking the time to help me out! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Okay, I've gotten a bit further, but I'm still not grasping something in the process flow from authorization to authentication and EAP outer and inner methods. I'll paste relevant chunks of my authorize, authenticate, and eap config sections below. The conditional switch statement is working properly and matching my SSID (I do have other statements there, I just chopped them out here for brevity), the LDAP lookup is working properly and granting me authorization, but when it goes to EAP to perform authentication it seems like it never gets to the inner MSCHAPv2 auth and eventually fails. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE I've attached the full debug log. Hopefully someone can point me in the right direction? Thanks! authorize { preprocess auth_log rewrite_called_station_id switch Called-Station-Ssid { case "test" { redundant-load-balance { ldap_parrotfish ldap_prawn ldap_pike } update control { Auth-Type = CUESTA } } } files expiration logintime } authenticate { Auth-Type CUESTA { eap_cuesta mschap_cuesta } } eap eap_cuesta { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = /etc/ssl/private/webauth.cuesta.edu.key certificate_file = /etc/ssl/certs/webauth.cuesta.edu.cert CA_file = /etc/ssl/certs/thawte_ssl_webserver_intermediate_cert.crt dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = /etc/ssl/certs cipher_list = "DEFAULT" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } }
On Fri, Jul 15, 2011 at 7:13 AM, Nick Kartsioukas <lists.freeradius@change.nightwind.net> wrote:
Okay, I've gotten a bit further, but I'm still not grasping something in the process flow from authorization to authentication and EAP outer and inner methods.
I'll paste relevant chunks of my authorize, authenticate, and eap config sections below. The conditional switch statement is working properly and matching my SSID (I do have other statements there, I just chopped them out here for brevity), the LDAP lookup is working properly and granting me authorization, but when it goes to EAP to perform authentication it seems like it never gets to the inner MSCHAPv2 auth and eventually fails.
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE
I've attached the full debug log. Hopefully someone can point me in the right direction? Thanks!
I'd look at these lines: [ldap_parrotfish] performing search in ou=CUESTA,dc=cuesta,dc=org, with filter (sAMAccountName=nicholas_kartsioukas) [ldap_parrotfish] No default NMAS login sequence [ldap_parrotfish] looking for check items in directory... [ldap_parrotfish] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Do you have cleartex-password somewhere in your LDAP schema? If not, then MSCHAPv2 will NOT work. It MIGHT work with TTLS-PAP or PEAP-GTC, but requires special setup (to force LDAP bind). If yes, then check ldap.attrmap to ensure attribute mappings matched. -- Fajar
On Fri, 15 Jul 2011 08:15 +0700, "Fajar A. Nugraha" <list@fajar.net> wrote:
I'd look at these lines:
[ldap_parrotfish] performing search in ou=CUESTA,dc=cuesta,dc=org, with filter (sAMAccountName=nicholas_kartsioukas) [ldap_parrotfish] No default NMAS login sequence [ldap_parrotfish] looking for check items in directory... [ldap_parrotfish] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
Do you have cleartex-password somewhere in your LDAP schema?
No, but I'm only using LDAP in the authorization section, not in the authentication section. Is this incorrect for AD lookups? From looking around in the example configs and the wiki it didn't look like the mschap module or eap modules worked for authorization, just authentication.
The LDAP queries are against the AD server, btw. I forgot to paste the mschap module config, but that's pretty basic... mschap mschap_cuesta { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CUESTA --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" }
On Fri, Jul 15, 2011 at 9:28 AM, Nick Kartsioukas <lists.freeradius@change.nightwind.net> wrote:
The LDAP queries are against the AD server, btw. I forgot to paste the mschap module config, but that's pretty basic...
mschap mschap_cuesta { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CUESTA --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" }
Ah, OK. I think this will not work authenticate { Auth-Type CUESTA { eap_cuesta mschap_cuesta } } ... as it means "do eap, and AFTER THAT do mschap". That roughly means mschap will be processed if eap does not return handled/success. What you want is "do eap, and inside eap do mschap". So try changing it to authenticate { Auth-Type CUESTA { eap_cuesta } } and on the eap section, add the lines pointing to an inner tunnel, something like this eap eap_cuesta { ... peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel-cuesta" } ... } then create a NEW config file to handle the virtual server inner-tunnel-cuesta (use sites-available/inner-tunnel as a base). On this virtual server you need to configure mschap and ntlm_auth. -- Fajar
Ok, I've gotten a little bit further with setting up my multiple SSID stuff. I'm still working with just the test SSID, trying to get PEAP/MSCHAP working, but running into problems with the inner virtual server and would appreciate any further help. It's failing on the inner tunnel with an error that it has no value specified for the auth type, but shouldn't that be set by the eap module? eap.conf excerpt (left out the rest which is mostly default): eap eap_cuesta { default_eap_type = peap peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel-cuesta" } } default: authorize { preprocess auth_log rewrite_called_station_id switch Called-Station-Ssid { case "test" { eap_cuesta } } } authenticate { Auth-Type eap_cuesta { eap_cuesta } } inner tunnel: authorize { suffix eap_cuesta { ok = return } } authenticate { mschap_cuesta } debug output: rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=198, length=199 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x02010019016e6963686f6c61735f6b61727473696f756b6173 Message-Authenticator = 0x87ae80681a5d9a1624592e7a03d518a5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 0: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 1 length 25 [eap_cuesta] No EAP Start, assuming it's an on-going EAP conversation ++++[eap_cuesta] returns updated +++- case test returns updated ++- switch Called-Station-Ssid returns updated Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] EAP Identity [eap_cuesta] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap_cuesta] returns handled Sending Access-Challenge of id 198 to 10.32.33.1 port 32769 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320b2b565e0f7fc7d47ec4907c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=199, length=297 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x0202006919800000005f160301005a0100005603014e31f9240f214a33a4bd8894295f89f2485c8de4a5fe951c8925b53d8640840300002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 State = 0x0b294f320b2b565e0f7fc7d47ec4907c Message-Authenticator = 0xb42fd305fcad5be40bd0f9e95ee3af9c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 1: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 2 length 105 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS TLS Length 95 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0c9e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 199 to 10.32.33.1 port 32769 EAP-Message = 0x0103040019c000000ef416030100310200002d03014e31f929e568bac3df95f77c2bb87c50d07a91af1d409cd407608d6426344028000039010005ff010001001603010c9e0b000c9a000c970003fa308203f6308202dea003020102021022fe7e14527a08952ff9ef9c52bf4145300d06092a864886f70d0101050500303c310b300906035504061302555331153013060355040a130c5468617774652c20496e632e311630140603550403130d5468617774652053534c204341301e170d3131303532353030303030305a170d3132303632303233353935395a30818e310b3009060355040613025553311330110603550408130a43616c69666f72 EAP-Message = 0x6e6961311830160603550407140f53616e204c756973204f626973706f31173015060355040a140e43756573746120436f6c6c656765311a3018060355040b1411436f6d7075746572205365727669636573311b301906035504031412776562617574682e6375657374612e65647530820122300d06092a864886f70d01010105000382010f003082010a02820101009f15ff8560f97eecdd587411089166fd4cb7912243e7ef749efa0042711c51a4760be3f12c8040b732c74d9fd61f98488856931be1c7a7e9dd4cde8ea880ff6c987d616f105b53364b27954b50fd0c819aea713f6c79f207f74608ea6e8dc078bf1933468da308aac820d20db5 EAP-Message = 0xbd6ec9241984e03b8b89498b7900460a68cc0fb3862c48cf373ec61bf8b00d164f8ac3a6de689e02791e6ca962f9ff240ebb1454aa5faf851adf5a8fa4165dda1dc9088dde24eece774a5b5a1378516c775a7adc9ebba4451ce521efdfc7a4a746bcf69f13fb849b1268ea08a9d4f848fea09c8f2b31254ee8539a4821b3bd80b8d0be8e038902862dc173f8a751ceadd698290203010001a381a030819d300c0603551d130101ff04023000303a0603551d1f04333031302fa02da02b8629687474703a2f2f7376722d6f762d63726c2e7468617774652e636f6d2f5468617774654f562e63726c301d0603551d250416301406082b06010505070301 EAP-Message = 0x06082b06010505070302303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300d06092a864886f70d0101050500038201010045eaf219ea3a1fa6c09d0ee57c85150014266321401baa5bd7c2d4dc9cbbcb2f2185f79aafc84002be5d69fa756a90e3c86e939a126e52264eec048b2e504766202bc98b579d9e5ea1282ba64fff433703df9f516dbd70061663c1dda87a77e2b322c7a41e92fe95230f640dd325fa507e2cfd866f0fd38c1c669f172bbd7da6f5cd68e9ec7bd4b14f1f1c84fe7eb04d53323b3363e8885ac0245a9cc10f764c08005c645236691b98cd7e EAP-Message = 0x9e5989b2aa987714d0fddc68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320a2a565e0f7fc7d47ec4907c Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=200, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020300061900 State = 0x0b294f320a2a565e0f7fc7d47ec4907c Message-Authenticator = 0x2e92fa9ed958c953d95ae54113f28fdf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 2: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 3 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 200 to 10.32.33.1 port 32769 EAP-Message = 0x010403fc19401ab7c901f7cacc5dc99ee49a03ad3f7add0082f5ef21975afb68b7b500c0410af294a94801ae63e82746f1e02a752b0a58318447d1c5e8042cfa73eeaaffc6404dc4c3a435fe9859790004703082046c30820354a00302010202104d5f2c3408b24c20cd6d507e244dc9ec300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f EAP-Message = 0x72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3130303230383030303030305a170d3230303230373233353935395a303c310b300906035504061302555331153013060355040a130c5468617774652c20496e632e311630140603550403130d5468617774652053534c20434130820122300d06092a864886f70d01010105000382010f003082010a028201010099e4855b76497d2f05d8c5acc8c8a9d3dc98e6d734a62f0cf22226d8a3c9144c8f05a445e8140c5890051ab7c5c106a580afbb1d496b523488c359e7ef6bc427418c2b661dd0e0a3979819344b41d5 EAP-Message = 0x98d5c705ada2e4d7ed0cad4fc1b5b021fd3e5053b2c490d0d430676c9af10e74c4c2dc8ae897ffc992ae018a560a9832b00023ec901a60c3edbb3acb0f639f0d44c952e12596bfed5095897f5614b1b7611d1c078c3a2cf7ff80de3945d5af1ad178d8c7716aa319a7325021e9f20ea1c613034448d166a85257d711b4938be5999f5de77851e54df6b759b476b509374d0638137a1c08985cc4484acb52a0a9f8b19d8e7b79b0202f3c96a8116247bb110203010001a381fb3081f8303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d30120603551d130101ff040830 EAP-Message = 0x060101ff02010030340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7468617774652e636f6d2f5468617774655043412e63726c300e0603551d0f0101ff04040302010630280603551d110421301fa41d301b3119301706035504031310566572695369676e4d504b492d322d39301d0603551d0e04160414a7a283bb3445403dfcd5304f12b93ea1019ff6db301f0603551d230418301680147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d01010505000382010100802280e06cc89516d7572687f37234dbc67256273ed396f62e2591a53e3397a74be52ffb257d2f0761fa6f83744c4c537220 EAP-Message = 0xa47acf5151568188 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f32092d565e0f7fc7d47ec4907c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=201, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020400061900 State = 0x0b294f32092d565e0f7fc7d47ec4907c Message-Authenticator = 0x7038af0d4fd451feee45202ac75de030 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 3: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 4 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 201 to 10.32.33.1 port 32769 EAP-Message = 0x010503fc1940b06d1f362cc82bb18899c1fe44ab48517cd8f244642ad871a7fb1a2ff9198d34b223bfc44c551d8e44e8aa5d9add9ffd03c7ba24438d2d4744dbf6d898c8b2f9daefed295c6912fad123960fbf9c0df2794553379a562fe8571070f6ee890c49899ac123f5c22acc41cf22ab656eb794826d2f405f58deeb952ba672685219912aae759d4e92e6cade54ea18ab253ce664a6791f267d61ed7dd2e57155d893177c1438303cdf86e34cad49e39759ce1b9b2bcedc65d40b286b4e84465144f733082d589721ae0004243082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d0101050500 EAP-Message = 0x3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b13 EAP-Message = 0x1f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d EAP-Message = 0x079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d0101050500038201010079 EAP-Message = 0x11c04bb391b6fcf0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f32082c565e0f7fc7d47ec4907c Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=202, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020500061900 State = 0x0b294f32082c565e0f7fc7d47ec4907c Message-Authenticator = 0xa5ccd7e50332c38dca61f485a9f66168 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 4: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 5 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 202 to 10.32.33.1 port 32769 EAP-Message = 0x010603181900e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 EAP-Message = 0x160301020d0c0002090080a9ee3b7f4679d9a63fc5c7ae4dbfcc3388f359e11e7598ae7784d0ef1f39c9598b3eff3f3249f7be4198cf531149687b04183a2d01159f84572866d9d1e2ec0bf2b3799d9df5be606f42f8d39afbb16e6fc3848ca68b31bb76574697c42b752ba909a223db09a7cccd97105a1de3ba2a240e137549a9a6db21ef457a60e8d6e3000102008043cb33a3b1cdf98c5ab7b3c39483884af9742947f5349014ae4612e8ca8ba0ede7346cc8ea9057e2964c7c0394d66871fe8ddf19091951225dc524d1c3f9c2130430ecc8790876dbe9586d1aefabc4abe2868e21668d312752b01fb18446da25caf2ced8f132034e5c4515a318 EAP-Message = 0x1c7d0a3da1a99d2a9a2cac50d36bc5f593904401006ffdb2596d189b15e46f3f0a75563852262db7822590734ca847da281a8624dc5b13781f897f57ffe3dc81571fe13dac5f66e6a9d82197a7bde78fca4bfa1260d53293a36bab00a73ee04c916cefcb731134083364202b650718dca794508f87fd2702bb91312ac9fe107ca5b3a7bd16306484febffe8aabba817e8beff80c0ac7d202774b6d60633a090d79d10b4a5f785bf404de6f2a3ba3dad650031da95c57bc924ff9448145a2826c959aabf647cf7be3ec163d302d436a212a25e0252dd03e20d04719cf847c59d683ad3e012491ace7577fdeec54f8e55c95e1607e31f6f7487e6209e57c EAP-Message = 0x8c9aab9075f52827454acb4b1951b439e90cb50eff23a8b316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320f2f565e0f7fc7d47ec4907c Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=203, length=400 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020600d01980000000c6160301008610000082008005dbc3a800670febecbc396824a12d948cd3887f69a8abecfc2962525cb1db3633db4800c9c33e0998d294c0eb38d5773f2d2afa903d943b890a08a041cef8aefd8a878843662729465cb4a02ee4b3cf76407452ac601db3be4141488e9394573b7fba681af73f8f4704d75f332066a3960c92c12f6895ffbe0e5731c342f47414030100010116030100306f54f713f087e86982f8f7f3fceb803cc0bb18eaf1c99e8734236472d4125c2dcd5f5057aa4ebde24b3d99117b6204a3 State = 0x0b294f320f2f565e0f7fc7d47ec4907c Message-Authenticator = 0xd6db6f6ff4793a2a9552443d0c1018fc # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 5: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 6 length 208 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap_cuesta] returns handled Sending Access-Challenge of id 203 to 10.32.33.1 port 32769 EAP-Message = 0x0107004119001403010001011603010030a520e40b259dcc9b6416a1dc42c0454203a7ce25ac040965d79794192f8f4990a53a7e7827cff79d19f3e23d37c5f070 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320e2e565e0f7fc7d47ec4907c Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=204, length=198 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x020700061900 State = 0x0b294f320e2e565e0f7fc7d47ec4907c Message-Authenticator = 0x3ace0154fcc3dfd6a22384253086e96c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 6: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 7 length 6 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap_cuesta] returns handled Sending Access-Challenge of id 204 to 10.32.33.1 port 32769 EAP-Message = 0x0108002b1900170301002023db883d4ddfbb778ec1c2f88473ad61f77e1faa53690b0d2aad50f8ecef0f1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320d21565e0f7fc7d47ec4907c Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=205, length=288 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x02080060190017030100202fbc79a4613fd76d1b1c4d0fae93b5530714b3e6784db42a7a2bb2191737617c17030100308be6456e767b69e1ec34612bfe4ebc6a007760953ea2284e02808c255510149933cf2f23b45dec6bcedf8d178ed00b7f State = 0x0b294f320d21565e0f7fc7d47ec4907c Message-Authenticator = 0xde78a8e7f10ee56b76ea62acab556a34 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 7: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 8 length 96 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - nicholas_kartsioukas [peap] Got inner identity 'nicholas_kartsioukas' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02080019016e6963686f6c61735f6b61727473696f756b6173 server { PEAP: Setting User-Name to nicholas_kartsioukas Sending tunneled request EAP-Message = 0x02080019016e6963686f6c61735f6b61727473696f756b6173 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "nicholas_kartsioukas" server inner-tunnel-cuesta { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel-cuesta +- entering group authorize {...} [suffix] No '@' in User-Name = "nicholas_kartsioukas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap_cuesta] EAP packet type response id 8 length 25 [eap_cuesta] No EAP Start, assuming it's an on-going EAP conversation ++[eap_cuesta] returns updated Found Auth-Type = eap_cuesta WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel-cuesta Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel) } # server inner-tunnel-cuesta [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap_cuesta] returns handled Sending Access-Challenge of id 205 to 10.32.33.1 port 32769 EAP-Message = 0x0109003b19001703010030eed98c4e756051a6bcfa877bc402b7a66dbcfd377539ec2525c8be1b68e81296d95bcc73b2851fa0b869992b96267a02 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0b294f320c20565e0f7fc7d47ec4907c Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.32.33.1 port 32769, id=206, length=288 User-Name = "nicholas_kartsioukas" Calling-Station-Id = "00-23-4e-ba-6b-f4" Called-Station-Id = "00-1a-a2-c1-2c-30:test" NAS-Port = 29 NAS-IP-Address = 10.32.33.1 NAS-Identifier = "slo-wlc-1" Airespace-Wlan-Id = 5 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "17" EAP-Message = 0x02090060190017030100205762d0e03fb36ee2fa0e68100aa03ea51fdd5123673a53883bab1e33589271e2170301003017185ab8d719ac8095844ae637222aa99b57146fe368f29df8c216ed92cf66f34f9942e3982106d6908a8cc74bbc5358 State = 0x0b294f320c20565e0f7fc7d47ec4907c Message-Authenticator = 0x2a41d17611a097fe5a4625d5848853cb # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.32.33.1/auth-detail-20110728 [auth_log] expand: %t -> Thu Jul 28 17:04:57 2011 ++[auth_log] returns ok ++- entering policy rewrite_called_station_id {...} +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) ? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE +++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...} expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 001aa2c12c30 expand: %{7} -> test ++++[request] returns ok +++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok +++ ... skipping else for request 8: Preceding "if" was taken ++- policy rewrite_called_station_id returns ok ++- entering switch Called-Station-Ssid {...} +++- entering case test {...} [eap_cuesta] EAP packet type response id 9 length 96 [eap_cuesta] Continuing tunnel setup. ++++[eap_cuesta] returns ok +++- case test returns ok ++- switch Called-Station-Ssid returns ok Found Auth-Type = eap_cuesta # Executing group from file /etc/freeradius/sites-enabled/default +- entering group eap_cuesta {...} [eap_cuesta] Request found, released from the list [eap_cuesta] EAP/peap [eap_cuesta] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap_cuesta] Handler failed in EAP/peap [eap_cuesta] Failed in EAP select ++[eap_cuesta] returns invalid Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 29 cli 00-23-4e-ba-6b-f4) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> nicholas_kartsioukas attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 206 to 10.32.33.1 port 32769 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000
It's failing on the inner tunnel with an error that it has no value specified for the auth type, but shouldn't that be set by the eap module?
It didn't say no value, it said unknown value. The debug output showed the value of Auth-Type as eap_cuesta: Found Auth-Type = eap_cuesta WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. The problem is that the Auth-Type (eap_cuesta) doesn't exist in your inner-tunnel-cuesta authenticate section. You are also missing mschap_cuesta in the authorize section. Try this: inner tunnel: authorize { suffix mschap_cuesta eap_cuesta { ok = return } } authenticate { mschap_cuesta eap_cuesta }
participants (6)
-
Alexander Clouter -
Fajar A. Nugraha -
Garber, Neal -
Jacob Dawson -
James J J Hooper -
Nick Kartsioukas