Freeradius Google Secure LDAP EAP-GTC issues
Hello, I followed this tutorial (https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. several month later I wanted to put it in production and it stop working. This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I tried an Ubuntu client as well. Binding to Google LDAP works without any issues (radtest results in Access-Accept) I even see that the Radius server sends an “Access-Accept” to the clients but shortly after the client starts another Access-Request an that fails with: (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler Any idea what is happening here? Here the full output of a test with freeradius -X Ready to process requests (0) Received Access-Request Id 18 from 10.100.2.39:54686 to 10.100.1.65:1812 length 253 (0) User-Name = "klaus.mustermann" (0) NAS-IP-Address = 10.100.2.39 (0) NAS-Identifier = "8283c219e7f9" (0) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "690B866461ACEC60" (0) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (0) Mobility-Domain-Id = 46476 (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027075 (0) Framed-MTU = 1400 (0) EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e (0) Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 103 length 21 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_ttls to process data (0) eap_ttls: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 104 length 6 (0) eap: EAP session adding &reply:State = 0x33754777331d52c5 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686 length 64 (0) EAP-Message = 0x016800061520 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x33754777331d52c5d9592c39c6f43193 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 19 from 10.100.2.39:54686 to 10.100.1.65:1812 length 411 (1) User-Name = "klaus.mustermann" (1) NAS-IP-Address = 10.100.2.39 (1) NAS-Identifier = "8283c219e7f9" (1) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "690B866461ACEC60" (1) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (1) Mobility-Domain-Id = 46476 (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027075 (1) Framed-MTU = 1400 (1) EAP-Message = 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (1) State = 0x33754777331d52c5d9592c39c6f43193 (1) Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 104 length 161 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x33754777331d52c5 (1) eap: Finished EAP session with state 0x33754777331d52c5 (1) eap: Previous EAP request found for state 0x33754777331d52c5, released from the list (1) eap: Peer sent packet with method EAP TTLS (21) (1) eap: Calling submodule eap_ttls to process data (1) eap_ttls: Authenticate (1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes (1) eap_ttls: (TLS) EAP Got all data (151 bytes) (1) eap_ttls: (TLS) Handshake state - before SSL initialization (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization (1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello (1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (1) eap_ttls: (TLS) In Handshake Phase (1) eap: Sending EAP Request (code 1) ID 105 length 1004 (1) eap: EAP session adding &reply:State = 0x33754777321c52c5 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (1) EAP-Message = 0x016903ec15c000001151160303003d02000039030333251bb0257a7e942419ced1c14e2115f3355723303c682158f6d50e662be4da00c030000011ff01000100000b000403000102001700001603030eaf0b000eab000ea800071930820715308204fda0030201020208651e057cf4b3407c300d06092a864886f70d01010b05003081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3233303130323030303030305a170d3235303430353233353935395a3081bb310b3009060355040613024445310f300d0603 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x33754777321c52c5d9592c39c6f43193 (1) Finished request Waking up in 4.8 seconds. (2) Received Access-Request Id 20 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (2) User-Name = "klaus.mustermann" (2) NAS-IP-Address = 10.100.2.39 (2) NAS-Identifier = "8283c219e7f9" (2) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (2) Connect-Info = "CONNECT 0Mbps 802.11b" (2) Acct-Session-Id = "690B866461ACEC60" (2) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (2) Mobility-Domain-Id = 46476 (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027075 (2) Framed-MTU = 1400 (2) EAP-Message = 0x026900061500 (2) State = 0x33754777321c52c5d9592c39c6f43193 (2) Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 105 length 6 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x33754777321c52c5 (2) eap: Finished EAP session with state 0x33754777321c52c5 (2) eap: Previous EAP request found for state 0x33754777321c52c5, released from the list (2) eap: Peer sent packet with method EAP TTLS (21) (2) eap: Calling submodule eap_ttls to process data (2) eap_ttls: Authenticate (2) eap_ttls: (TLS) Peer ACKed our handshake fragment (2) eap: Sending EAP Request (code 1) ID 106 length 1004 (2) eap: EAP session adding &reply:State = 0x33754777311f52c5 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (2) EAP-Message = 0x016a03ec15c000001151634a5ca32fca591c963a10e1e4fc909ecc4cf2f3259d2cc70fde28bea17fe514687c8e2ceb902a9d47fde53d01733845bba3e9d6a95f90195118e26a7a98ef957393cd519e06e02ec652ceb9fef0ef8e67a1dc250203010001a382011730820113300c0603551d130101ff04023000301d0603551d0e041604140d3fc210b4abae8368f6656c2f4182ded3cba973301f0603551d23041830168014bb50e659b6554824eb10703f59de33b5ab10d343300e0603551d0f0101ff0404030203e830130603551d25040c300a06082b0601050507030130260603551d11041f301d821b6265723072616430342e696e742e62756464796272616e642e646530430603551d1f0101ff043930373035a033a031862f687474703a2f2f63726c2e62756464796272616e642e64653a383038302f696e746572636130345f63726c2e70656d301106096086480186f8420101040403020640301e06096086480186f842010d0411160f7863612063657274 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x33754777311f52c5d9592c39c6f43193 (2) Finished request Waking up in 4.8 seconds. (3) Received Access-Request Id 21 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (3) User-Name = "klaus.mustermann" (3) NAS-IP-Address = 10.100.2.39 (3) NAS-Identifier = "8283c219e7f9" (3) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "690B866461ACEC60" (3) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (3) Mobility-Domain-Id = 46476 (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027075 (3) Framed-MTU = 1400 (3) EAP-Message = 0x026a00061500 (3) State = 0x33754777311f52c5d9592c39c6f43193 (3) Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 106 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x33754777311f52c5 (3) eap: Finished EAP session with state 0x33754777311f52c5 (3) eap: Previous EAP request found for state 0x33754777311f52c5, released from the list (3) eap: Peer sent packet with method EAP TTLS (21) (3) eap: Calling submodule eap_ttls to process data (3) eap_ttls: Authenticate (3) eap_ttls: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 107 length 1004 (3) eap: EAP session adding &reply:State = 0x33754777301e52c5 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (3) EAP-Message = 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x33754777301e52c5d9592c39c6f43193 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 22 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (4) User-Name = "klaus.mustermann" (4) NAS-IP-Address = 10.100.2.39 (4) NAS-Identifier = "8283c219e7f9" (4) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (4) Connect-Info = "CONNECT 0Mbps 802.11b" (4) Acct-Session-Id = "690B866461ACEC60" (4) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (4) Mobility-Domain-Id = 46476 (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027075 (4) Framed-MTU = 1400 (4) EAP-Message = 0x026b00061500 (4) State = 0x33754777301e52c5d9592c39c6f43193 (4) Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 107 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x33754777301e52c5 (4) eap: Finished EAP session with state 0x33754777301e52c5 (4) eap: Previous EAP request found for state 0x33754777301e52c5, released from the list (4) eap: Peer sent packet with method EAP TTLS (21) (4) eap: Calling submodule eap_ttls to process data (4) eap_ttls: Authenticate (4) eap_ttls: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 108 length 1004 (4) eap: EAP session adding &reply:State = 0x33754777371952c5 (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068 (4) EAP-Message = 0x016c03ec15c00000115155040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e64658209009ce5d9f001129991300e0603551d0f0101ff04040302018630400603551d1f0101ff043630343032a030a02e862c687474703a2f2f63726c2e62756464796272616e642e64653a383038302f726f6f7463615f63726c2e70656d301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d01010b0500038202010014ba00b7b369be8d469dc9fe7cb4ea2b8b69f5ddf664529e7cfa7e5c23 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x33754777371952c5d9592c39c6f43193 (4) Finished request Waking up in 4.7 seconds. (5) Received Access-Request Id 23 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256 (5) User-Name = "klaus.mustermann" (5) NAS-IP-Address = 10.100.2.39 (5) NAS-Identifier = "8283c219e7f9" (5) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (5) Connect-Info = "CONNECT 0Mbps 802.11b" (5) Acct-Session-Id = "690B866461ACEC60" (5) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (5) Mobility-Domain-Id = 46476 (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027075 (5) Framed-MTU = 1400 (5) EAP-Message = 0x026c00061500 (5) State = 0x33754777371952c5d9592c39c6f43193 (5) Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 108 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x33754777371952c5 (5) eap: Finished EAP session with state 0x33754777371952c5 (5) eap: Previous EAP request found for state 0x33754777371952c5, released from the list (5) eap: Peer sent packet with method EAP TTLS (21) (5) eap: Calling submodule eap_ttls to process data (5) eap_ttls: Authenticate (5) eap_ttls: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 109 length 467 (5) eap: EAP session adding &reply:State = 0x33754777361852c5 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686 length 527 (5) EAP-Message = 0x016d01d3158000001151c7ae0d9a4018dc0ce7aab22f77890b68228d8c81607a7cd59e58e5b314f938dfe8d81ca660735e53afd3f6eb0939e78859296a954ea1d3046dbcf4333aa72aaad39f3f152ab2b3a2ed59dc1bfdbc773787acbba803d0201cda94c46c440afa65d844464271d2a2dcb7e409ff9c9c30a411ea245b8c2424110ac5191f2c594afe070d15b670dd08c238fd3b672b5bbed9bc7141c3b6e95b61bb78889da5182b33b0883e08339b927b4fd0ef118175f30d3e232be2fc5c92ef1eae2a30a21ba88a0477b8a0a89b903ea37327d4b41dc15ac604f4c057eff9a454748056d6b919f4756ee70de3878196b23441f9252252e5ee8bebe2519a11cb9967ff91ce3d43a9f3e3e39e82277f7bc39200d0e9d8178afdf2b479684b66ee8b2c6b6d258d172684d801780ede278d3c6bbce36875649bc181dcecd10a2ecc83bc920f0b97cf3f2b51a234b69f88e884f5c248fb1062aba73cb402765bf2005825f8379389178cafae7ad9723c0f9e3f63b375c2 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x33754777361852c5d9592c39c6f43193 (5) Finished request Waking up in 4.7 seconds. (6) Received Access-Request Id 24 from 10.100.2.39:54686 to 10.100.1.65:1812 length 386 (6) User-Name = "klaus.mustermann" (6) NAS-IP-Address = 10.100.2.39 (6) NAS-Identifier = "8283c219e7f9" (6) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (6) Connect-Info = "CONNECT 0Mbps 802.11b" (6) Acct-Session-Id = "690B866461ACEC60" (6) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (6) Mobility-Domain-Id = 46476 (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027075 (6) Framed-MTU = 1400 (6) EAP-Message = 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de (6) State = 0x33754777361852c5d9592c39c6f43193 (6) Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 109 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x33754777361852c5 (6) eap: Finished EAP session with state 0x33754777361852c5 (6) eap: Previous EAP request found for state 0x33754777361852c5, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_ttls: (TLS) EAP Got all data (126 bytes) (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished (6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished (6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully (6) eap_ttls: (TLS) Connection Established (6) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_ttls: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 110 length 61 (6) eap: EAP session adding &reply:State = 0x33754777351b52c5 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686 length 119 (6) EAP-Message = 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x33754777351b52c5d9592c39c6f43193 (6) Finished request Waking up in 4.7 seconds. (7) Received Access-Request Id 25 from 10.100.2.39:54686 to 10.100.1.65:1812 length 321 (7) User-Name = "klaus.mustermann" (7) NAS-IP-Address = 10.100.2.39 (7) NAS-Identifier = "8283c219e7f9" (7) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (7) Connect-Info = "CONNECT 0Mbps 802.11b" (7) Acct-Session-Id = "690B866461ACEC60" (7) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (7) Mobility-Domain-Id = 46476 (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027075 (7) Framed-MTU = 1400 (7) EAP-Message = 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3 (7) State = 0x33754777351b52c5d9592c39c6f43193 (7) Message-Authenticator = 0xa8b841519028def71e27cfef249be756 (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 110 length 71 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x33754777351b52c5 (7) eap: Finished EAP session with state 0x33754777351b52c5 (7) eap: Previous EAP request found for state 0x33754777351b52c5, released from the list (7) eap: Peer sent packet with method EAP TTLS (21) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Authenticate (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61 bytes (7) eap_ttls: (TLS) EAP Got all data (61 bytes) (7) eap_ttls: Session established. Proceeding to decode tunneled attributes (7) eap_ttls: Got tunneled request (7) eap_ttls: EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_ttls: Got tunneled identity of klaus.mustermann (7) eap_ttls: Setting default EAP type for tunneled EAP session (7) eap_ttls: Sending tunneled request (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "klaus.mustermann" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 0 length 21 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_gtc to process data (7) eap_gtc: EXPAND Password: (7) eap_gtc: --> Password: (7) eap: Sending EAP Request (code 1) ID 1 length 15 (7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0101000f0650617373776f72643a20 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb4a2b867b4a3bebfd5edaac839855c28 (7) eap_ttls: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 111 length 63 (7) eap: EAP session adding &reply:State = 0x33754777341a52c5 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686 length 121 (7) EAP-Message = 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x33754777341a52c5d9592c39c6f43193 (7) Finished request Waking up in 4.6 seconds. (8) Received Access-Request Id 26 from 10.100.2.39:54686 to 10.100.1.65:1812 length 317 (8) User-Name = "klaus.mustermann" (8) NAS-IP-Address = 10.100.2.39 (8) NAS-Identifier = "8283c219e7f9" (8) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (8) Connect-Info = "CONNECT 0Mbps 802.11b" (8) Acct-Session-Id = "690B866461ACEC60" (8) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (8) Mobility-Domain-Id = 46476 (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027075 (8) Framed-MTU = 1400 (8) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7 (8) State = 0x33754777341a52c5d9592c39c6f43193 (8) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 111 length 67 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf (8) eap: Finished EAP session with state 0x33754777341a52c5 (8) eap: Previous EAP request found for state 0x33754777341a52c5, released from the list (8) eap: Peer sent packet with method EAP TTLS (21) (8) eap: Calling submodule eap_ttls to process data (8) eap_ttls: Authenticate (8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes (8) eap_ttls: (TLS) EAP Got all data (57 bytes) (8) eap_ttls: Session established. Proceeding to decode tunneled attributes (8) eap_ttls: Got tunneled request (8) eap_ttls: EAP-Message = 0x0201001306736167616e382e53697a61626c65 (8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_ttls: Sending tunneled request (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0201001306736167616e382e53697a61626c65 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "klaus.mustermann" (8) State = 0xb4a2b867b4a3bebfd5edaac839855c28 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 1 length 19 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (0) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=klaus.mustermann) (8) ldap: Performing search in "dc=pretendco,dc=de" with filter "(uid=klaus.mustermann)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed, errno=11. rlm_ldap (ldap): Bind successful (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) if (User-Password) { (8) if (User-Password) -> FALSE (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf (8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf (8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released from the list (8) eap: Peer sent packet with method EAP GTC (6) (8) eap: Calling submodule eap_gtc to process data (8) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) eap_gtc: Auth-Type PAP { rlm_ldap (ldap): Reserved connection (1) (8) ldap: Login attempt by "klaus.mustermann" (8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" (8) ldap: Waiting for bind result... (8) ldap: Bind successful (8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful rlm_ldap (ldap): Released connection (1) Need more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636 rlm_ldap (ldap): Waiting for bind result... ber_get_next failed, errno=11. rlm_ldap (ldap): Bind successful (8) eap_gtc: [ldap] = ok (8) eap_gtc: } # Auth-Type PAP = ok (8) eap: Sending EAP Success (code 3) ID 1 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (8) post-auth { (8) if (0) { (8) if (0) -> FALSE (8) } # post-auth = noop (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x03010004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "klaus.mustermann" (8) eap_ttls: Got tunneled Access-Accept (8) eap: Sending EAP Success (code 3) ID 111 length 4 (8) eap: Freeing handler (8) [eap] = ok (8) } # authenticate = ok (8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (8) post-auth { (8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (8) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (8) update { (8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994 (8) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' (8) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' (8) } # update = noop (8) [exec] = noop (8) policy remove_reply_message_if_eap { (8) if (&reply:EAP-Message && &reply:Reply-Message) { (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (8) else { (8) [noop] = noop (8) } # else = noop (8) } # policy remove_reply_message_if_eap = noop (8) } # post-auth = noop (8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686 length 184 (8) MS-MPPE-Recv-Key = 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62 (8) MS-MPPE-Send-Key = 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64 (8) EAP-Message = 0x036f0004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) User-Name = "klaus.mustermann" (8) Framed-MTU += 994 (8) Finished request Waking up in 1.1 seconds. (9) Received Access-Request Id 26 from 10.100.2.39:38737 to 10.100.1.65:1812 length 317 (9) User-Name = "klaus.mustermann" (9) NAS-IP-Address = 10.100.2.39 (9) NAS-Identifier = "8283c219e7f9" (9) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (9) Connect-Info = "CONNECT 0Mbps 802.11b" (9) Acct-Session-Id = "690B866461ACEC60" (9) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (9) Mobility-Domain-Id = 46476 (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027075 (9) Framed-MTU = 1400 (9) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7 (9) State = 0x33754777341a52c5d9592c39c6f43193 (9) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 111 length 67 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> klaus.mustermann (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Received Access-Request Id 26 from 10.100.2.39:45497 to 10.100.1.65:1812 length 317 (10) User-Name = "klaus.mustermann" (10) NAS-IP-Address = 10.100.2.39 (10) NAS-Identifier = "8283c219e7f9" (10) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Calling-Station-Id = "F8-4D-89-6D-CB-AE" (10) Connect-Info = "CONNECT 0Mbps 802.11b" (10) Acct-Session-Id = "690B866461ACEC60" (10) Acct-Multi-Session-Id = "3EA4011978DCDC0A" (10) Mobility-Domain-Id = 46476 (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027075 (10) Framed-MTU = 1400 (10) EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7 (10) State = 0x33754777341a52c5d9592c39c6f43193 (10) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a (10) session-state: No cached attributes (10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 111 length 67 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) authenticate { (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (10) eap: Failed in handler (10) [eap] = invalid (10) } # authenticate = invalid (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject: EXPAND %{User-Name} (10) attr_filter.access_reject: --> klaus.mustermann (10) attr_filter.access_reject: Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5 (10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (10) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (10) [eap] = noop (10) policy remove_reply_message_if_eap { (10) if (&reply:EAP-Message && &reply:Reply-Message) { (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (10) else { (10) [noop] = noop (10) } # else = noop (10) } # policy remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.2 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737 length 20 Waking up in 0.1 seconds. (0) Cleaning up request packet ID 18 with timestamp +35 due to cleanup_delay was reached Waking up in 0.1 seconds. (1) Cleaning up request packet ID 19 with timestamp +35 due to cleanup_delay was reached (2) Cleaning up request packet ID 20 with timestamp +35 due to cleanup_delay was reached (3) Cleaning up request packet ID 21 with timestamp +35 due to cleanup_delay was reached (4) Cleaning up request packet ID 22 with timestamp +35 due to cleanup_delay was reached (5) Cleaning up request packet ID 23 with timestamp +35 due to cleanup_delay was reached (6) Cleaning up request packet ID 24 with timestamp +35 due to cleanup_delay was reached (7) Cleaning up request packet ID 25 with timestamp +35 due to cleanup_delay was reached (10) Sending delayed response (10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497 length 20 Any Idea what I am doing wrong here? Regards Henning
On Jan 23, 2023, at 9:38 AM, Henning Kessler <maillist@henningkessler.de> wrote:
I followed this tutorial (https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. several month later I wanted to put it in production and it stop working.
There's nothing at that site. But if it suddenly stops working and you haven't changed the server, the problem is an external system,
This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I tried an Ubuntu client as well.
You shouldn't be running 3.0.12. It's very old.
Binding to Google LDAP works without any issues (radtest results in Access-Accept) I even see that the Radius server sends an “Access-Accept” to the clients but shortly after the client starts another Access-Request an that fails with:
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler
Any idea what is happening here?
The error message above is technical, but it describes the problem accurately. EAP involves many packet exchanges between the end user system and FreeRADIUS. Those packets are tracked, and both systems have to finish the packet exchange. If something goes wrong, the packets are dropped, or come too late. Then the above message is printed.
Here the full output of a test with freeradius -X
This shows request 7 getting a reply with a particular State attribute. Then that state is sent in request 8, as is supposed to happen. That request gets an Access-Accept reply. Instead of using the Access-Accept, something retransmits request 7 twice, which shows up as request 9 and request 10. That shouldn't happen.
Any Idea what I am doing wrong here?
Nothing. Something other than FreeRADIUS is broken. The AP should believe the Access-Accept in request 8, and let the user on the network. It shouldn't retransmit packet 7 over and over again. I don't think there's anything you can do to FreeRADIUS which will help. Maybe try a different AP. Alan DeKok.
PNG IHDRŽŽ=Í2 pHYsÄÄ+ IDATxí}}p]Õuïï{¯Ÿ-˶,ÛØ²ìðá`ì4ä^yŽòtJ22i2RihI&i:IÓiiIé)3ù"Ì+6Ädq×ö8àÆ6±±dK²%Y_÷ë÷|û®»ÖÚû\ÉFhÍhtï>ëã·ö^{µÏœÒñÂ0A(Cx¿¿wäMÕŠ>S# ÉÆ¯áw¯Tßdõr:š®$ºéºkÀsöª³o*Èdö<Ï9ž©è= îHÎ^G`MY*g£$éªãÑÆ\tTÉŠuÑÁËTÑtÄì T¢|*2ND4sÇÉNt Ûæª$3Hc\öÐdmx€Eå$LÜ:Q}<Ýžõ°ñLwÌ^ͶÅãÊ«cÌTE×@Ö6nó³²m$2IÚÂÉŽbÕ9n9*-RŠr-œZ£ïi-ÃkrRÔH²o³-éäŽVÐ|Íé<IÙ³1ûŠ0LRÔz[²¢]3Ít<Is±CñJAÉMŒýž ×4û\)ÉSÈ.[V;æžåp%×`u @µqÕw%z€$L%4¡RÌÀäZ«w3{ÃÌF¶ì¥]7Kù£:''Ù±H:6UmWîLöC7ü¢eAG*ݧ»0û°®@r±IIë¥ÉréïmAÛ\N/«PRu²a6K²Ž¶ÌÄ'K5`ö mB6ri=èŠàQ>ÊÏmªÉ`v-C§³D®]æ³Y-}®áÒjHZ\ÀŠŒV~ŽJ€ãp&i;\ÛjÓ3[N×d0Kgs]8{ŸjÁ²g³µ"~iÙ²9gKÚ(\oæŽLV)fº8®óìÙÅ×÷æ4]|3cS€rêº3My €Î'ÝfÎ/Î.D YãÁ<õÓÒ®]sD3®K£xŽ,AqS¶~ÃÍùa«d³fGâI¶YÕÙ 4µûnQÌ0]hó !Kl9Ì×Ò.å²/%ª+zM¯Iï]Êk6Mr^Hê7]*W%¹~Rã0j|L5`.»- J¿6еÙ&òj=6Îáríç¹9 íM^"nQ8Z¹ÖZ=ΟÖëj~UæD}»f8TªŽÌ'épIÙÕŸÙÅ^¥+õQÂ@qü.`ö¹f˲Úv,ͬItPùJh²:+±TËJé[i&«CRþwsâÍ)1¯K=QÒ>YêÝNžy²¶mòç³&£u\å«s%Ô3iýÔ§j:µqÍ1I¿DfÉ_Í>·¡9lZÏIípg[kÇißfkZc'š¢i[X[m±é,iGÚÈIzËÉ`ŠÎU9úÞ³ W%Yuºcöé]µÚŒNÁqÁíJN_;Ò{Û@ËÈÜÜD:µ "ÙŽÙp»ÈpãÑüsóGûU¯0û.@L¥.m6¶ ÐìЬ`n"×öóŶxtLJÇÄ(Ù±ùlò»lÉ7.ÙÐqSGµb.û,ÐÈe3Ød\²H.žÚÙ¬6\æ¶ùÊeè}Ž.%Ã,œ×üsYjÀ\vÛNÇ\eèuªêª€¥,Ò+±tšÐä€ Mj(fS9\ÀPì.É'UZ×÷æïrü.vXqååd4=S +ÅLOz·0޶]j¥ü®ÙÕ?>nzÝÖ:|\ûbë³]|«³Ëúp]6í{sY Fè¡3ÊÉÛÚH·I$µ tÌnÍoÊÏ]çliµÃŠæ§~sý,µÃÉŒ0³-ëÂLªd#hz.ßSeks)¥MåQÔ» ö7(ñq×mcô:µi+{®ÄõÅZ9£¶9|¿fM[I+nWÓ5Ý1ûô¢öÍ1×EAØZž`NR&ÍvA+Ž¥2å5_&É6moL»\KEqr²}ÉjÅÿ®·å²A%CR³¯e2$%É-ë»øWüæ€s¡ñ¿W1ûf¥¹ ,·8gŽF³!ÝÙ¶ŽJز«MÖRq26-Qh>sE[Hóº fÊjÃ\öÑ·V^¹Cù\³'éÈeµjÀÉÛJɵ åFª6[MÉojßÜŠ.ÚT+fõÿCkÁÀÕÊ·&£Ùç&2IÙJÙæC%ŸqAm{íbK.6;Ñ5ª³ÏMžMÐ5#KY2UÀ%%l®Ùß,{2³©{mÃoÃ`bŠŒ6®jÅ\òßGµe{_ ZL®º5âÊ&Ç#õo&fo;÷^¯ñIeã¡¶+Y³jÅÌÞåà (ÏâÒaHÊöZÛ`såFÂáR²Ž1òsò%iŽ1Š©ž^ÍÓRðrÁ©{ÄkË®Ç5ëÙŸôZÑ6 õOÒçÒçKÙúlêF" 3ç§m~« 3û8Ç%²€@~dèuŒTœž3·ž¹§~ºf5f@©&Ì%w9(* Î$<¬Ñ³Kc[ÜJ²[R̶¶L«<3 /ø»ôQ¶ÒÊ-;×]z&Ï+R4&ÉQ%_µ,dÚ¥9_LÛŠ¬IR°p99ÌÑ{ißËëæšZ©¡c6^sÜÖ"ž¶62Í[L3Ø)~*ëš=ÍWÒ<sk_mçþbeÞÛTößG9r)ÑM+I. nûÍéI¢ÏF®¥©æÕì'±3Ý0}}#©/¥cIúi{Z?¬ÙäúiíPHõqDÍ®ÔvH×9>VIòÁ&/sÓOílQMÚš ÷Úu»®õÝÑžípb^wÉŽR?ÍelÓŸ4W¶ÊâBÒyEzM7;OK$Ósâ'ɺÕJ.·ðfv[¹t)wq¬®`²UËöÜüJ#ÜS¥0;gh3#j%Ê,ñT&v¢f³I'ft³4¹èÆš}Î7î=}mkel¹ËVò]ÚéÙ9 M#ZI2Qê_]möèž-89®œ_~Rw ~®HµŸ«"6ŒÜ|º[Š+æZ Ê7U¥šüàêÚP[SÝRM޲Lþ`ÿncf^/)MBtgVrhರ+>-K- Õã2'R0×5LÉTÞ9ìINó±0§ÙQWîµÝ"]çÀKÀ€C:@Hž¹€Ù3å¹× NEè¹ãçpq©J%œÚq<UùB=ŒÞ|¯ÉiËMÎd0sÖÚæôOÌÆé:Ïsüü%%ÔuVé²Ó€ÉÓ²ŠKÏgËèFj¢m¯+f;µg#[¶³éJ:ÏÓ³¡ÍRê·ífÛ·q£Ùâ®'é¹*©&mΊ ³ o:cfïrp»B TŽŸÅmÎyQz_ fI/ÅÈéä$L6¿&Y²ó»YÍÐÓkÙ^KZÃ";Ååá]6k6q¹Ný¬éýï*æªx}5ÒtõÇ¥enTVžÃFI .|ëCÃâÁµs Ëy#©&©RàRúµù*«w3{:Ci¥%É$ÙÆlAHe¢q)0mm7~a"Ã<B àÁC
Òðœ4üxêÝæ;×Dd+áÜ5iŸwÙØÓ ³z(tw¥$NªKÿ®aætÙ9&ª+@Ùb?Îa€pcArÁ aAGÐ^)Ô"ã7¡ÎÆÔ"4¥¢!µ)¯öõKÚP\Ű%Ê[IÍvÍÓ.AÀÖJ¹È.å^k€Àå|1}`ŽØþÜKÈÆxÐx'kôQãÍÂìÌ Ì¹Íévø^ <#sK&)éP?µyáüt9Er¶*w¡1[{hmUB®ÕUÎÖWdË \éÄÂÎä£'»Ã ·¢ÈÚö0ŒÒo<ÔùXP»5köâÀvM$R Q?¥~Vk\2ŠdçBa.û€P+Ã] I- m·ºè®']x{l+Ç1ÑF€.Ûõçà¢ÚkÑZ»i¯6Ö€UÍÉD®×/æÿb¥\flšeN-ÆññgÑ{9n+ž Ö³ï9[ðJxl»)u1.®ÿÓíð<¿¿VM\{Õ$ë$eQ ã À\vÚŽ,íªg²:€L¬9]çä©®0,âtþÞû%²ÁiC>º^±¹°4HUþðVäR)¯Õþ,¬ÛŽWÇújú¥ÍÿÌõè5µÃá<o£#ißC'UÄ9¢õŒ¶ÃŽó9f¹5 Qó81Ÿ 'Æ·#Dþ̹ 3Øùë»=WßËÀG !arÂ<B£eÈó&6A€sNæ2,oøßÈøÍeœµäé¿k_¬ÉR-ãR9)qL%æ*æÜV€ÒÏ9êÒ''é×€âðÒI2Š `GÇ~ÞÜR])å#úTÓhJ/Aߎ×ßKÁC @EÃqOc€xC ×1R<b8Vî·aÃÜ4©EXÙøPç·&ªšIûR[[àºV®ë4UÙv¡$mÁTèu ZIK+3¡s"_}ýùᎯ!Wãµ µöYúT|/EžYk±Í\03 CèÍîÁHñ¢{Ön9ëüV\ÒøQ^üÃÞmå]ËT."©ò¹¶&ìLL1æ²6U;ÙE.©Ìù¥Å0×GGþ·VîZ¿k¯Åü å5ë+?ð(` ß ãÛ0\<íšuþ|\ÚôYÔ§ZËìN¿¹µÓTa r·²ÒK}9ïT%©Å~aÇÆEÏøN@ío}ŽÕ~ê®GÆšìÛ1(9ôf÷áíñçØVÄÐYév¬lü?Èø Ør»>YŸ$ñájK»n}Ö·V4ÀZïJÇ5»/Ó)Ú!äòáYëaÍ.+þ§S±} c(#ÎF54¯ Ÿ§þišG@0kº\ÎaS m9"rwŸ)éWS©ìŸ4ϧße ¢äð§j5íuR²üÜZíJÀR]ðï%^INóG:Hkµ0<Ù &úͰä='Ï68^I·ôZÒ)]ç&Ï%\ÏæûèÇ31œÓ·ËþIï¹ùÓ°JëB_kíC5aV$«°e])+I iÖ%žøAù8{v¶°eAë&IPNGµ`.{$'èbå21Á-[æDQlRÖв5Í,_¿€ÓáPRUãlÙ®Kv¬6ÌâS°L%¶ÃÝÜÎr?YÒìžfäóe¿l\ÒZ®wÖªIi)"©<ždn/1::çA0q{¬±±ëÖC*5ñ [¡PÀ/Œ±±1xµk×¢¹¹¹ÄàÔ©S±ÞÕ«WcÞŒye6 ^ýuìÝ»ÇGcc#VZ µk×¢©©)Ö¹wï^
®žâ ޶¶âÄ8|øp/LóæÍÃÒ¥KÑÐÐPv=Œøâ¬Zµ ,mår9<ÿüóÈårð<W_}5JäûÛßâÌ3ñØ?øÁoD]]]8~üžžðþ÷¿---عs§º °víZaÏ=ñÚp4gάY³xñÅUœõõõX¿~}Œ¶Z\HÙ\:ÉþS·c8£©õxóÍ7që·bllâCºº:üä'?ÁW^ Ïó022Ûn» oŸù&Òé4yä¬Y³&/žùæñæoÆzÿò/ÿ_üâKlâÁÄ~ô#ÄøÓé4Ö[ï~÷»hooüÑýöïßß÷ñ/ÿò/žéŠðÈ#àoÿöoË&ßó<ÔÖÖâK.Áœ÷Þk®¹ŸïǶ³Ù,>ÿùÏc×®]ð}ÿôOÿüãð}a¢¯¯üä'ÑÛÛL&Í7cÙ²e±þþ~ÜqÇ8vìXŒÐÿ÷;dÿîïþ?üpÙztÿý÷cýúõžîºëËåXÏó°jÕ*üüç?ÇÑ£Gqûí·c||\äݰa~øÃb÷îÝøÜç>|¿Wîy.]§~uuu%ãIíKLq:<Ï{ç.µ7!w+¢×Üî:ÊS,! Àèè(~ðLx±XD ¬çzùåÑÕÕUÂóÌ3ÏÄ$âÛŽixà ®®ëÖCkk+ vïÞo}ë[±Í b}=sÈÌŸï£X,bddûöíÃ׿þu<y²lþ"¹ÈOºæuº8{÷îÅÑ£GKðlÚŽ BéwEŸAÏóÉdJ~Òé4|ßy£ùN§Óe|Q5±AÀê4³-§+5çÆùÆvá®Ókéè ÔNÐì¬ô5>4=÷Üsعs'nžá'ÒõØcÁ÷}øŸ9sæ ¿¿ÆÁ±víZx|>gy&Ï~ö³øÚן#GàÎ;ïÄÀÀvíÚ ®®.ŒÿýïWmzøÃøÆ7Ÿ °k×.|ç;ßA±XıcÇpøða\tÑE1> ·Kï^(ðôÓO#ÃÿöíÛ£GbÅqŠ7éSú>ÿùÏé[žp!²Ùl¡©© ÿþïÿ¶¶¶ÿjjjPSSS2ÖØØÇ{¬LgÔf]yåxâ'J°D< ä|ä#Èd2%zÍ×41rßÖ ÓØJR0rí%)p5þT* 0Q(ðÀôÒàÙg޵µáÎ;ïÄ?ÿó?#ËaóæÍžêª«ày {Ô0ñꫯ¢¿¿+V¬À÷Ÿ÷œž?;w®hË€ÆÆFtttÀó<Ž··ãþûïÇéÓ§ã,eúÊQ5 Ã===صk`É%øÄ'>üàAgg':::عliiÁ+XœQ@{ß÷±téR,^ŒØê³ïû¢NÏóÐÐÐ_ÃoŸù&î¿ÿþØÏßÿýßÇ=÷ÜWóþÖ Ü{Ò\ÚæJÔŒk»ÆÜ \ ·ŽŽ`ÕªUØŸ};öíÛgyÿøÇY aâùçÇ'àû>Ö[}ìcxè¡0<<-[¶à+_ù fϬ_¿>mÛ¶áÿðñ{¿÷{øÐ>k¯œóçÏ/lÂ0Äàà öíÛgèèÀwÙeá²Ë.++óý-[pìØ±xlll£££ìâîܹ}}}믿7Þx#|ðAAÍ7ãOÿôOQ___&·}ûöøPÑ%Kp÷Ýwã{ßûK0ÞtÓMžþúëKÆÆÆÆð7ó7e¶n»í6¬_¿Ÿ÷Ì3žïŸûâCêûÞ÷>|ç;ß³9wÂ/zÝ%šM]%öÆZOM ]òù<Ÿô¥/aÏ=ÅøC\sÍ5l_U,±qãÆžœækÐÒÒeËáÀxë·°wï^Üpà ð<ùÌgpøðalÙ² B'NÀc=Ç/ÆW¿úÕø°f£Ý»wãÓþt\MànÀ_ýÕ_±wWLzòÉ'úLºyóæžÝX·n-Z¶¶6ôôôàÕW_Å¡Cð| LöW^Á+¯ŒR2¶fÍ|á_ßGwX6nÜXÂ!/^\ÐÀÄÚüìg?+³µzõêÃ?üÃ?`÷îÝ&ªÞ?þã?bá jÅÒÞsÁ«µs&¥¥VCÔv`sü+®À-·ÜG}]]]ø¯ÿú¯2Q__vìØoûï¿>ø úûûc]O=õ®»î:€R)Ì7ßÿþ÷±cÇlÚŽ {÷îEOOÅ"?¿þë¿F{{;®žâ I©T µµµ( q@={MMM%|Ü¶ŽŽò @___I!=ýû÷Ç<ßýîwÉdpúôÄß2FmÕ5kÊ쎶¶bá %cQdbó}+W®,ékÃ0ÄüùóËpûŸU«VÏ3'~](ððÃÇœvMM ŸýíocÕªUê,²+tÃÔ!e÷ÈÑR¹€ÐÖ3ÛŸïã_ø¶lÙþþ~üô§?ezÇèëë³woooÏÿ÷£¯¯---qŒfÍ|ä#Áðð0vîÜûî»Fgg§Ó¡pà øö·¿³gÏâk_û8^x?ýéOqÏ=÷šwß}÷á£ýhÌsúôiÜyçqkÑÖ[KÚè>»IøÊWŸR¶n¿ýv|õ«_-³mRhllÄüÇõÐ\ËØÔÔ'xõ @|wéßþíßP,áû>Ÿüå/ãæofm¯]ÈTÎÆÅYÚtUäšåËãÎ;ïÄ<Ó§O9ÏçñÔSOÅ oœõV\rÉ%&nýüç?GOON: ]»vaÙ²eøÌg>l6ææf<þøãXºt)nºé&<úè£Ø¶mÂ0Äðð°0q¯< »îº÷Þ{/|ßÇÞœ{ËåâÌùZWWÙ³gÇþDUÓ¿±±1üò¿0±Áÿàþ Ÿ7!zè! áØ±cØ·o®œöÚ2;T§tÝÆGe8 ÃÀ·Ÿõøvé·Þ·8\£ò!-^/èÃë5GþäOþO?ý4=ZŠã·ÞÂ={âñ¯ýëX°`A¬spp?ü0<ÏÃÆñýï^z)öïßüñÿ1n¹åô÷÷cûöíqúáØyq#_£C`èîîÆøø8êêêIZâСC&zÐ{î¹'öøTð©§BxòÉ'±aÃÕV€ÒÐÐ>õ©OæÌýèG%Î=ËÚYŒx1þó?ÿÿú¯ÿ·{ÀDu€·]çÍüä'ñ'œÑsk<J·'ýðz®6h ÌM1þ||îsc7Í-[pöìYa5kÖ`á ñœhß÷qã7Æ·÷îÝŸŸ>|ãßÀòåËãÛa=ôxâ €ÓiÜu×]žîºëX<ÚØ²eË0{öl@ww7^{íµ2)³yófd³Ya«®º ,}ó<7ÝtS,³mÛ¶ø.ŧMNÜ:<uêzzzJ~N<YÖÓAPÆ×ÓÓÞÞÞøpl¶ýýýeŒ§NboWº`æø]nTŽRÔsèARºNAÌ=wß}7òù<jkkã~Ùó<ÜvÛm[T* ùóçcþüùø³?û3ßk N¬Y³ñÑÑQ-ÊW^ýìgèììÄo~óôõõ!JaÅžùæ±víZd2aÛo¿úÐày:::L|§ãË_þ2ÛP544àÞ{ïEww7|páyR©n»í¶øC+WøßÐлîºÃÃÃH¥R5kÚÛÛñ¥/} ÀÄí:z»sà øó?ÿóøcæ\{íµñw@®ŸújñÖi}}=ŸøÅ/}*I1544`ÞŒyžûî»Ë>4©¥¥555žå[pùå|ÀÄý{ó@ÌäèÁtãgyxœK <tQr:AùmÓhÜü6J|÷BÃã2n^ãîÕs÷âµC³tÇI»³Dmp÷umär÷AÂì¢×Ör:ޱÐ6£¶@Š2IN·Ò€¹ÜÛê1y\*¯ôÓ)ÙàüÑx%ÌÙtžŠ3æDÿðÜ ÖÀÍÐ%É\w{_)zÔC¡4.ÍyÄýžÜ!hxx B!þxhhÝÝÝÈf³Aww7z{{Q,1::l6\.ó¢§§'>žô÷÷Çfär9äóyØo¢»»ù|>>H:u*>8qãããÃ#âùL³·p£»»;þ°'¢ññq<y²€ÕÃ;9Ñ!+ò©¿¿A ÏcxxÙl BAàäÉ% ²Ù,ÅbIßßÛÛîîn#C Ï#'îtDë} ÔÝݳgÏ*QS®±BcÀ£ãZ;úæ7¿ùÍè×\oÛeæ-+®?äz¬M6¡¿¿]]]èèèÀ-[Íf1wî\d³Y<ýôÓhiiÁ9sÐÙÙ#G```Â%K°yófx®®.,]º6mÂ[oœ ææfpEöIDATtwwãàÁèëëÃ%Kày |òIbá ؜{7N: ®®.,Y²7nDcc#ÚÚÚÐÙÙ ÏópèÐ!Ž··ãW¿ú-[ŸŸ>üøÇ?Æ5kÍfñüóÏ£œœAà©§Â¥^mÛ¶áøñãÈd2šÅsÏ= pÑEÅwi:;;Íf1kÖ¬ø@500[·bxxét§OÆK/œcÇ¡ŠŠgÏÅüc@:Foo/öìÙ±±1޵µaëÖšÅk¯œ8pK,Axã7ðë_ÿš««ÃO<\. bãÆèííÅÁÑÑÑ'Nà¹çÃòåËKþà@ º¶¶ëe<¯ük\ëÚv£dfc:ÎñÀšì¬Y³ÐßßßÊf³G:ÆÜ¹sÑÖÖöövÔÔÔÄyôèQÌ;cccH§ÓžüòËã¬:::Ì5 BÛ¶mÃ+JüXºt)úúúP,Ëå022åËøà#:Tâ+®?ÞªÀK/œt:߯3okEw'.]ÑÑQ¡©© /Æ+â¢Ãpâû*ùnÆ3g°`Áø¯wº»»qÉ%`ùòåqŸøâñÒK/!øNDôÉc.C±XÇÑ]ÏóÐÞÞ µµÄË/¿`âC¡¡¡!9sŸïcÙ²ehkk¿~jH3Ì®qbòIÞL¯¯7ÆñhÎp×9à&µ¶¶býúõñÝè@£££ðŒ{ÖÑ×LÛÛÛ±xñb477£££³gÏÆ¬Y³°k×.¬^œŸïcõêÕñ_m477ã;îÀáÃK6Õðð0áû>.\믿]vR©T\Â0ÄÊ+ñë_ÿ:þfÙüùó!êêêðéO:ÞxøÍo~b±QçìÙ³hll7bxæ|455aîܹXºti<ŸhÑ"9s;vì@±XĪU«pèÐ!=zhhhÿܪ±±ãããH¥Rš¯¯G:ƬY³pøðattt ¶¶œœœxá P,ã[£ÀÄfœùæñŸ÷œÅbmmmžúê«Édày·$ÍïRkñA×Xj?€@§¯¥,]Üÿ¶Š{Û©ŸæÓÇé pM¯çyñ_L€Óiëèzô×%étºO£OØòù|ŒÈRéúâH&º}°Cqslêâ3oCrþEvÌùî»þÐyÖGké|q¯©¬Ž¶²ÊShSLº8/ÉHc&XJíÛd¢×4ÃpUÅŽäðkúÊœ&. @³§Lê'õÙŽç:§Z¢³Ù¿P}] å7å€,T7-EFjÛŽW fÂ0Ä#GÐÙÙÝ»w#'úäg}/Ÿø"`ÿþý[·nÅsÏ=Wrú/ Ø¿É_oa'ObDZüŠM044'Nà¿ø:B¡ÎÎNlÙ²ÅbÄO>×^{MõSOSi^MY-s:€y>ãþŠ€òj+çNÝ€IáôsºÌëöžèêsôË-C8xð >úÑÆ=çÛo¿0øRô£<yÏ<óã±\.íÛ·Ç ~ñÅ#J!Ëá7Þ@ss3öìÙÁÁAE !ÍâòË/G&Á¢EX¿è\~IþSZy$Yži?_}ÓWn©2Çë"gM«ž Šrµµµ8tè8oªW_}]]]%Éd0{öì/â ¥¥¥äËóÃÃÚ««COO ÀŸ}û!±páB=z/ïP!JáØ±chmm¿»¡aIq ñºØ×ñ|`Ò×s;òc4cÛôMæ 9Le³Yôôô uuuñû.º555C}}=0::ÖÖVÔÖÖ88ær¹²F}èR__ŸŸ>äóùøNÉ©S§ÐÖÖL&jÎ9ÿM7wŠÏ¶9åæÎëÜJ|.ØÎfëGßZpØ'Ñ)ñJc\jê&§«ä«Û<ÙÿæãliôÃëÑ·^ m¹kæÙ°$^ W¥Ótжðfóîê TÚDÑÉ¡&a4Ç¢ÒF1sßþïµ</Eµ×bVz9èñ·m. /-ñÙàÞß\0 bIûMXVÿ¿Pã7óL1Ð9å6?Õ!áŠ>Dml8}çsÙ﹊{Ê/M¶ ¬dß ã³MdDŸÂŒÌèËîC.,1i0ÿæ×\ EuסÖ'Úâ0.búrûðöد¬|dÐÑx;2Þ¬ý϶,Ç^6§p4ÁL9f®å ¹]4v«É¶Ž"ŒÖ¿E=Tx ]# N|¡(Ïœãw@Êk@kæJ̯ý RÏ=Ò¯?a¢âLþôdwaŽØýa÷«ÚëoE[ízÐÇ%S;IÖ©R9ת~>lS¹× à WqdäÑ8š9žlÙZ95£9œuþ\€ŒzD_ñ<À4 |0â ä_Å`þUä¡X«ÏFôA{Ã'ÐVóAxü_Š\ýu!.qB»n«ÚS ¹ì?øK¬×Hý³Ô/kòÒ£ø©,ç'oòàÈÈÿ+)ýÆ çÛC¿5^jýÙHùuðFÅ0B0l8|0B÷9è(ã5¢œáVÌͬ.ËÌÒüÒ¹p]í#é¡ãÒ<OÌoÛÙú$%FÓ>°h NN-vãÑ'1\|ÀDŠžöNÖ53·>4çG_¥úRayý'Ñ^&ö¯¬U²Ñ¥Àr9ð¹® §;I;1ÌìÃë9`æX¡¯$žL¬ÆëÙŧsWFðöøVÊ>9àÜ2Ÿ·0jí%i̯Y%õ7"ãÏZoúbkm»Ìke$:2çóÌÃëýZ00X8cc)Ÿ ³×Õš$'(çò5AÆÔ"\\ÿ?1;œò\Q~WÀµßLÚjåçlH8Ï'fõÁp)£Ùvå¥<IJæØTm mÃ0D<Nç^ÂñíN!,ÁÒM3qNÅ9õ~.ªÛy5kò2%€sHtL9Êo l«ºç³Ð®;RÒ ÑZúÚE¯+%YÄÒë!aCù.ôæöašðzÉÝ@î§µ>;åÕ£9œókÖavf%|dÊæ×ÅOé0Té<ÛdŠsâ×G|\&u <×@MR\ðF<ŒRÞûÖùð,Îb0#Å· Î «Ï÷àÃ÷jQë· 1µ³3+1+Õ_d®ÏdÚeµ kÃ0Ug^/ØOJa"D 0|0\0B8"²Ãç øšAÚ«Gß6R^|/åPiûnhÓV¶áBaÔÃëUÅÞg*ÀS× ÕôLæ© ©ÀÌOÆ^ØpÑs>0ÇÏXÑkã¶LÌÉIåH*Y>jWãç²8Õ9~iÃ,)^mlØ5?5ÿ)f®ýâ(I5}·1ûæEÎ:ÎEƹÅ3Ç#¹H§{oÛ±vÙŒ&&*o³7Y|¯ybó ÓiÚå°T+æ×[0Hœjhgilsäê§I¶ò®ÉV#æIýÅ 52 Î\û@Év(Ú*ϵ~®q#Í_ë:.m\5böÍTOK.MïféØJ? ì:8'¹òÆ=Í¡ùÄÉåÓ%ø¥\ÂZS»&Í¡üÕ}$ ¹ Ò"Ký2uŸ²¶#©CZéá&A+y&¯ÔãiÈVž A/ùÇm~.óIÃl«NïÕ¹ä±ndÔŒNÁKÂ9eÚ JuIò6]$çbãI*ËáIéKs®ÍµaV^o r-&Ø(WÚ5³ŠÃ©¿GÃ!QÎHgô#Ù0ñHØL]¯Z«À]¯VÌN 2ÁÒ>oŸçÊ$Cw"uÃÅõ¬ŠÃæä»NÔ*Ñ1׿åç67Òé³_«Õ¹ü 3ÛÚ2I\v€gþNÚgIÁ¬aŠöl¥1ú[PN7Ý`Zå2}áæÚVõžõÒžÚ1ûtQ¹4®e6nAi¥¥É£ò¶ bb¢rêÊ%×ÅŠž$ynsr§KÂ¥e2ÊcÚ3çÅ6ÏÕ¹äS¹*€mIc.»Ú×28×ð¹ÒTc6ßk2Ñ dP5bö©rÀ·S€leSóœŽk¥lGõk6LŒI&KÚŒZ4ÌTε¡ŽöfEÓ¶f¿Ú0Çÿ:É.I& ¥r§œÌ¹`v©ÄæTb>2|¥€Ùg¿=C3TtA^Ç$_Ó'd8yé7§'>Ùøžt*x5ûIìL7ÌïÚÃë)Õcþp:¥¢×Ì^#:.ñk拾œŠÙw+®Äºôµt}:bÿá¹ÖsãZ p1éIwšÆÇ9`; ¿¥É¥;f\3²¿O,8ÅæRÕ€ó×^OwÌôáõ%2Žl'Á,µ¯ëb¹`®dŸ*áw Wª&ÌjË¡e-.0m2ÑuÇeÃHãÓðrò.'n³¹Yj߀lh%iež¶MÊŸÝjÂÌŽŽðÔ(wËf¶C-ÎIjã¡ã.AdA9ÌŠ×~TzäpEu$±'ñTæiùðz{ÜŠÒ®lv¥ÕæÈu#»l ÛFä0sv5ÛIÖ`ºbfÿHË.w€KêC¥ÞTjüµkŽÄKÁfÛd\;Eå¢÷抱٥sbòV:϶rOù€MN}Ö6ùtÇÌ~ÛÎdâ2yŽàz(Ûä¹,$ŠÓR€Œ€œ2ºÁlÙÃÉOŽêÆÍ§mþ%[Ü|Wfé£ï$Dã®SYŸ©&×É=*!®?u©~R>ßó|¡1<xÛmæiŸ¶9@Kr\eಫÃ*aæ&+qF KRÌIôjdÎT58]æ|¿0ûb®G5U€kRI¡²³\ÆøJ0s="wó ãÑ6·Ž(fniÌe~8¿ªsÛZJœ²€î2î$åIj*ÅLßKeÏEŽy&9²É§UÞé¹€6AqJ€ÅM²[¥ÌISÒoËÀ®-õÙUNÒcÓ/QÌ}n*Á,Ñ{sU|}T éLæ÷?Óf^Ï`Ò|ìÚ®ÛpÚôÚìpã.X€5rÛéÙúÑwÒòKßkýôZÛNz0{=ŽÁŽËéàz<ma5ÌTò'YM$é³s5a.û€PZ@N! $NârÉñKcæÆ¡ž¹Ià®Q¿8"Ûô=0S,Z4qR\ÚF1íQ쳩÷œ¹,Ck 9`4HLÒ.Š2ŠMÉ6( §õ54_€ëtr]°HI²Ë-š€Ç;Ål£ªÄZžhÆ€`\ÓáÚ3i#©ŒK_gÃl³ÇÙN:W&¹ö¶Sa»R¹éyæáõï<ÀD]¯kïâu¡jÂRš9Áí³Žhl€ÓÔMuI¥öl¿€bà°Jò&ÑùJ®4/\£ï¹90Ûìqm}_Um-ÞµTWBIKT,Ze©€ â׿KRŽõÑìÙ°2^W§3æ/'qµq3{GD³€ùCuRù$ý°É+eX®Êp×mXéfZ¹4Ûôµ4·Ô/É?ZþiƵUjÅŠÜ"iýÉõ4À)8jO§€ídS^Ò¡£ŽékÎ?qÙÛ¬tŸlYN ¿+UfcâMê©Lº«ž^sÛDÿd²ºt]ÂEI*}6Ò2_{Ïe<ŒÉgëI«óÌÃë-ú¥^PÒÄ~%m2e×díW"3K>XqiØM><Hä"$ºN¹£]ýôºútþ\y(f$õŸRµ`. hsñ€pÝ=Z©tp¶lqÀÉI®ßv±UÉuÏf;DEr¯Š¬D®S-ÙŸ9`b \#ÛáN@¥eÇE¶²y>øqW>×Jd;ŽIº`¹g^ÏH)¿4Æa6€WÃ+µ-R¿dÝ€óKÒWMg^ŸÒHmJðE8LŒæuÝÖÎq:\æWójÀ<óðú ztm~žëT4¶9rõÓ$©=p©ÕyæáõÆuLrCå%~jS#Í_ë:.m\5byxœC6æÊåÓ%ø¥\ÂZS»&Í¡üÕyæáõàÊÒëÚs@õÐ9¶ùÍ]³U ³:iŸWæ×+< '©,'I€s,͹6ÿÕyæáõõòh8€2Êùé~$& ©óUkžëÕyæáõNÉÉ'oÛÜHc&TŠÏ~RVæ×}m«tÞlÃ,¶mU[/-«óÌÃër]lKç6'תqº$\Z&£<Š=s^ló\mg^гù^.l%óªóÌÃë-$m^ f*CçZËPZûD³¢i[³_mg^? äÙEŠSù|Èpòf¿*þûèÍ+ýä\gÅ@IEND®B`
Hi Alan, I just want to confirm you advice. I have now tested my setup with a TP-LINK AP (EAP650) and it works flawlessly. Regards Henning
Am 23.01.2023 um 16:34 schrieb Alan DeKok <aland@deployingradius.com>:
On Jan 23, 2023, at 9:38 AM, Henning Kessler <maillist@henningkessler.de> wrote:
I followed this tutorial (https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. several month later I wanted to put it in production and it stop working.
There's nothing at that site.
But if it suddenly stops working and you haven't changed the server, the problem is an external system,
This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I tried an Ubuntu client as well.
You shouldn't be running 3.0.12. It's very old.
Binding to Google LDAP works without any issues (radtest results in Access-Accept) I even see that the Radius server sends an “Access-Accept” to the clients but shortly after the client starts another Access-Request an that fails with:
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler
Any idea what is happening here?
The error message above is technical, but it describes the problem accurately.
EAP involves many packet exchanges between the end user system and FreeRADIUS. Those packets are tracked, and both systems have to finish the packet exchange. If something goes wrong, the packets are dropped, or come too late. Then the above message is printed.
Here the full output of a test with freeradius -X
This shows request 7 getting a reply with a particular State attribute. Then that state is sent in request 8, as is supposed to happen. That request gets an Access-Accept reply.
Instead of using the Access-Accept, something retransmits request 7 twice, which shows up as request 9 and request 10. That shouldn't happen.
Any Idea what I am doing wrong here?
Nothing.
Something other than FreeRADIUS is broken. The AP should believe the Access-Accept in request 8, and let the user on the network. It shouldn't retransmit packet 7 over and over again.
I don't think there's anything you can do to FreeRADIUS which will help. Maybe try a different AP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, Another detail in this issue: The problem only starts to take place if you have more then one Radius server configured in the Unifi-Controller.
Am 06.02.2023 um 14:02 schrieb Henning Kessler <maillist@henningkessler.de>:
Hi Alan,
I just want to confirm you advice. I have now tested my setup with a TP-LINK AP (EAP650) and it works flawlessly.
Regards
Henning
Am 23.01.2023 um 16:34 schrieb Alan DeKok <aland@deployingradius.com>:
On Jan 23, 2023, at 9:38 AM, Henning Kessler <maillist@henningkessler.de> wrote:
I followed this tutorial (https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. several month later I wanted to put it in production and it stop working.
There's nothing at that site.
But if it suddenly stops working and you haven't changed the server, the problem is an external system,
This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (allready tried the Backport version 3.2.1 as well) Unifi AC HD AccessPoints and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1) for testing I tried an Ubuntu client as well.
You shouldn't be running 3.0.12. It's very old.
Binding to Google LDAP works without any issues (radtest results in Access-Accept) I even see that the Radius server sends an “Access-Accept” to the clients but shortly after the client starts another Access-Request an that fails with:
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95 (9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (9) eap: Failed in handler
Any idea what is happening here?
The error message above is technical, but it describes the problem accurately.
EAP involves many packet exchanges between the end user system and FreeRADIUS. Those packets are tracked, and both systems have to finish the packet exchange. If something goes wrong, the packets are dropped, or come too late. Then the above message is printed.
Here the full output of a test with freeradius -X
This shows request 7 getting a reply with a particular State attribute. Then that state is sent in request 8, as is supposed to happen. That request gets an Access-Accept reply.
Instead of using the Access-Accept, something retransmits request 7 twice, which shows up as request 9 and request 10. That shouldn't happen.
Any Idea what I am doing wrong here?
Nothing.
Something other than FreeRADIUS is broken. The AP should believe the Access-Accept in request 8, and let the user on the network. It shouldn't retransmit packet 7 over and over again.
I don't think there's anything you can do to FreeRADIUS which will help. Maybe try a different AP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Henning Kessler -
maillist