Aruba-User-Vlan, how to configure RADIUS to send the that aruba VSA to the controller
have freeradius 2.1, and the configuration of my users file is like the following: ... DEFAULT Auth-Type = LDAP Aruba-User-Vlan = 20, Fall-Through : = 1 .... once I do radiusd -X, I see only the first access-challenge with the Aruba-User-Vlan Attirbute, and no more access-challenges have this attribute. So, it is not working , May be i am close to the solution but I don't know what to do, and also I don't know what happen. Aruba does not put me in that Vlan ID.Of course RADIUS has its Aruba propietary dictionary included. I don't the steps to get it work successfully. I send to you a capture of wireshark: http://www.nabble.com/file/p25716490/radiusWireshark radiusWireshark Somebody can help me please? Any ideas please? http://www.nabble.com/file/p25716490/radiuswireshark1.jpg http://www.nabble.com/file/p25716490/radiuswireshark2.jpg http://www.nabble.com/file/p25716490/radiuswireshark3.jpg http://www.nabble.com/file/p25716490/radiuswireshark5.jpg Also, see this debug from Aruba controller. Aruba puts the guest in the VLAN 232!!. it is not the VLAN configured in the Radius users file. thanks a lot I hope somebody knows what happen and can help me http://www.nabble.com/file/p25716490/aruba_debug.jpg Thank you -- View this message in context: http://www.nabble.com/Aruba-User-Vlan%2C-how-to-configure-RADIUS-to-send-the... Sent from the FreeRadius - User mailing list archive at Nabble.com.
have freeradius 2.1, and the configuration of my users file is like the following:
... DEFAULT Auth-Type = LDAP Aruba-User-Vlan = 20, Fall-Through : = 1 ....
once I do radiusd -X, I see only the first access-challenge with the Aruba-User-Vlan Attirbute, and no more access-challenges have this attribute.
Any chance we can see that? Ivan Kalik Kalik Informatika ISP
Ivan Kalik wrote:
have freeradius 2.1, and the configuration of my users file is like the following:
... DEFAULT Auth-Type = LDAP Aruba-User-Vlan = 20, Fall-Through : = 1 ....
once I do radiusd -X, I see only the first access-challenge with the Aruba-User-Vlan Attirbute, and no more access-challenges have this attribute.
Any chance we can see that?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I do not understand what do you mean . I have tried to see if radius client (radtest) sends the aruba-user-vlan in a access radius reply, like an access-accept and it works. But, using WPA2/EAP-PEAP using Aruba controller as a NAS , the radius sends inside an access challenge, the aruba-user-vlan VSA attirbute but only in two of the large amount of access-challenge, as you saw in that pictures, or print screen. Aruba, does not receive the VLAN from radius, because otherwise it would work. Do you know what I mean now? Thanks -- View this message in context: http://www.nabble.com/Aruba-User-Vlan%2C-how-to-configure-RADIUS-to-send-the... Sent from the FreeRadius - User mailing list archive at Nabble.com.
have freeradius 2.1, and the configuration of my users file is like the following:
... DEFAULT Auth-Type = LDAP Aruba-User-Vlan = 20, Fall-Through : = 1 ....
once I do radiusd -X, I see only the first access-challenge with the Aruba-User-Vlan Attirbute, and no more access-challenges have this attribute.
Any chance we can see that?
I do not understand what do you mean .
I mean that nobody is going to look at your wireshark capture. Post freeradius debug.
I have tried to see if radius client (radtest) sends the aruba-user-vlan in a access radius reply, like an access-accept and it works. But, using WPA2/EAP-PEAP using Aruba controller as a NAS , the radius sends inside an access challenge, the aruba-user-vlan VSA attirbute but only in two of the large amount of access-challenge, as you saw in that pictures, or print screen.
Erm. No, I haven't. Nor did, I believe, anybody else. If you want help post freeradius debug (as suggested anywhere you care to look - README, FAQ, this list ...) Ivan Kalik Kalik Informatika ISP
aangles wrote:
once I do radiusd -X, I see only the first access-challenge with the Aruba-User-Vlan Attirbute, and no more access-challenges have this attribute.
In fact, Access-Challenges are not supposed to have VSAs.
So, it is not working , May be i am close to the solution but I don't know what to do, and also I don't know what happen.
You need to put the VSA into the Access-Accept. You can do this by adding it in the "post-auth" section.
I send to you a capture of wireshark:
And not the debug logs. Why?
Also, see this debug from Aruba controller.
Why?
thanks a lot I hope somebody knows what happen and can help me
See the FAQ for how to ask questions, and what information we need. Alan DeKok.
Ok!! I'm sorry, it was not a good idea introducing wireshark print screens. Yeah its better to put here a log of my freeradius , which it is the issue we talk about. I didn't though with that. Here is my log of freeradius. As see, only some Aruba-VSA is sent not in the Access-Accept, but inside some of Access-challenges. Moreover, I have configured to sent the VSA in the users file. How do I conigure the VSA to sent the vlan in the post_auth section of freeradius? Thanks FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Dec 3 2008 at 13:57:16 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default group = root user = root including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.50.50.250/24 { require_message_authenticator = no secret = "testing123" shortname = "arubacon" nastype = "other" } client 84.89.244.227 { require_message_authenticator = no secret = "test123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_cert_cn = "%{User-Name}" cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating auth_log detail auth_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating ntdomain realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "ldap01.cells.es" port = 389 password = "Kag110vostresenyor" identity = "cn=Manager,dc=CELLS,dc=ES" net_timeout = 1 timeout = 6 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=People,dc=CELLS,dc=ES" filter = "(|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es))" base_filter = "(objectclass=radiusprofile)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 20 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP orgPrimaryAffiliation mapped to RADIUS User-Category conns: 0x7fa943121c30 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=167, length=172 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020f000a016775657374 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x867d34720cf9850a16d6e3db12571ebb +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:47:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap01.cells.es:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=CELLS,dc=ES/Kag110vostresenyor to ldap01.cells.es:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 167 to 10.50.50.250 port 32821 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011000061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5e9b352cdb4e510ee0237d55 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=168, length=260 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0210005019800000004616030100410100003d03014ac9889ad965ad4b15ed17bfaf8deea1b921267b33ab31c7abd36d0a6071232400001600040005000a000900640062000300060013001200630100 State = 0x5e8b2c0a5e9b352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x703bf79970e4cabec2ccfdb6c4bb194b +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:47:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0b62], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 168 to 10.50.50.250 port 32821 EAP-Message = 0x0111040019c000000b9f160301002a0200002603014ac98872c142583ea44f52d416588d1705449c369b6831e7d887b88a4e2ae82a000004001603010b620b000b5e000b5b0004933082048f30820377a003020102020b010000000001111269caa0300d06092a864886f70d0101050500305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e616c204341301e170d3037303330323131323935345a170d3130303330323131323935345a3039310b30090603550406 EAP-Message = 0x13024553310e300c060355040a130543454c4c53311a3018060355040313117765622d6d61696c2e63656c6c732e657330820122300d06092a864886f70d01010105000382010f003082010a0282010100cc46384ee4fe3b3e53c4a2ec840ed7ade3e6ace27d5dba48c79d6f1ee6aaa6f2d72c7deb06caf1877a95daf391c8a4ddfc02352468c2391a5097ce7e13370e4247bdbcb36e3c3a6ed36a60113f403ade97d8782dc17bab7a7d1ef2f09f5ea4975c973bb48d9b5dc96b068e791a4be595805fcb069d7a4a6539ff3a94ec1a3070b1182283c4c6fad9d276327e95ec2115a83f0294d66fafae2b60b5e690bb311c0d594d955c203d52cddadea5 EAP-Message = 0x8ab491fbe7a76006a93cdc1d5f651c20523456ebe4333de37e4110ee1a63ad727b5116e71fc264f4d9726434a5cd693e6de3179a163d9663cbceb3d4d4fcd317e29c3701fa021b5596aaa24e85e88ef7a20f960f0203010001a38201703082016c30500603551d2004493047304506072a8648b13e0100303a303806082b06010505070201162c687474703a2f2f7777772e676c6f62616c7369676e2e6e65742f7265706f7369746f72792f6370732e63666d300e0603551d0f0101ff0404030205a0301f0603551d230418301680146565a33dd73b11a30a072537c9424a5b767750e1301d0603551d0e0416041496d745f253c445bf75496582e5d1 EAP-Message = 0xbd6b21b0bb88303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f656475636174696f6e616c2e63726c304f06082b0601050507010104433041303f06082b060105050730028633687474703a2f2f7365637572652e676c6f62616c7369676e2e6e65742f6361636572742f656475636174696f6e616c2e637274301d0603551d250416301406082b0601050507030106082b06010505070302301c0603551d110415301382117765622d6d61696c2e63656c6c732e6573300d06092a864886f70d010105050003820101004fe3e0e910a1b58a0d3479de0c184b3725a4b1e2a994aaa919 EAP-Message = 0x2186406f44d171c4a8b43606 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5f9a352cdb4e510ee0237d55 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=169, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021100061900 State = 0x5e8b2c0a5f9a352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xbb995814dc831ba32eb77f77ae2e35ed +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:47:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 169 to 10.50.50.250 port 32821 EAP-Message = 0x011203fc194050e01de9f614accad310ab89a73cd3fe543f856139ebf0deabb426dcd0230bf0ed3a9db4c35ea70af48aef17af4e55653b27b1a7f0eb6944b5976694d69e3bc6c9d810f5375617d92c365aee778532464451f7c3dd1965e61c88039d082739433d4b432f959cda064c446515f29e2d635656a5825d063615a895763869e0b36ea09b6e61cf191715c94aa7188b8a0cb9cddaac70054aa98102f83669e52944c97eb0e02182638ee3dbb818a25cdf413cf57089df0c232bae0e12d7ef06430af5be3474155e2a9a698b41f33c4cdb7f89df59e6c8b7912c827b19ed0004613082045d308203c6a0030201020204040003f9300d06092a86 EAP-Message = 0x4886f70d01010505003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3036303232343136303830305a170d3133303232343233353930305a305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e61 EAP-Message = 0x6c20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009522a1101d4a46606e05919bdf83c2ed12b25a7cf8abe1f8505c282c7e7e003893b08b4af1c24c3c102c3cefb0eca1692fb9fccc08146b8d4f18f383d2faa9370820aa5caa8060a2d5a52200cf5ae5b497dfba1ebe5c8e171966fdaf9f7c7b89b20e24d8c7ab63c495328d48e663597d04b833a8bdd75d64bc63b5f74d28fdf90672315cba459465a3d2b458ec3b615844a32f62b39b80b482fdd5c7cc5125e5953f472f307bacc8786ee2e16d27eb3dcc0182e835778dab58bb55d1d5a481568d1cd014b1b006dea09122f3f0a8341747c6e03ef60c5aac EAP-Message = 0x7e504bcde1696e06fc067e6a4db49599a0595c3566ecd949d417e060b05da5d71ae22a6e66f2af1d0203010001a382018a3082018630450603551d1f043e303c303aa038a0368634687474703a2f2f7777772e7075626c69632d74727573742e636f6d2f6367692d62696e2f43524c2f323031382f6364702e63726c301d0603551d0e041604146565a33dd73b11a30a072537c9424a5b767750e1306e0603551d2004673065304806092b06010401b13e0100303b303906082b06010505070201162d687474703a2f2f7777772e7075626c69632d74727573742e636f6d2f4350532f4f6d6e69526f6f742e68746d6c301906092b06010401b13e0132 EAP-Message = 0x300c300a06082b06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5c99352cdb4e510ee0237d55 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=170, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021200061900 State = 0x5e8b2c0a5c99352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xcf27bc6254e43e563ea2fe88012666ab +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:47:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 170 to 10.50.50.250 port 32821 EAP-Message = 0x011303b919000105050702013081890603551d23048181307fa179a4773075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74820201a5300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020100300d06092a864886f70d01010505000381810032ac6514914bd17d36cacfa4d6826366c407e3d8ebfdafbaea7a561162dd2514be8d8a5c8823fb06ce024372aaa0 EAP-Message = 0x49916a057443f924f76df8dbdcbfd9809f2daf84ecf5b2e7bcfa825695d71706cb5acd4414247e4cc047dea2b2ebd24d357e1a95e2fd56d869014ec21926cabaf4b9d513e51b8f93bfb871ad9e6c42581d9d00025e3082025a308201c3020201a5300d06092a864886f70d01010405003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3938303831333030323930305a170d313830 EAP-Message = 0x3831333233353930305a3075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100950fa0b6f0509ce87ac788cddd170e2eb094d01b3d0ef694c08a94c706c89097c8b8641a7a7e6c3c53e1372873607fb29753079f53f96d5894d2af8d6d886780e6edb295cf7231caa51c72ba5c02e76442e7f9a92cd63a0dac8d42aa240139 EAP-Message = 0xe69c3f0185570d588745f8d385aa936926857048803f1215c779b41f052f3b62990203010001300d06092a864886f70d0101040500038181006deb1b09e95ed951db672261a42a3c4877e3a07ca6de73a21403853dfbab0e30c58316338113089e7b344edf40c874d7b97ddcf476557d9b635418e9f0eaf35cb1d98b421eb9c0954ebafad5e27cf56861bf8eec05975f5bb0d7a38534c424a70d0f9593efcb94d89e1f9d5c856dc7aaae4f1f22b5cd95adbaa7ccf9ab0b7a7f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5d98352cdb4e510ee0237d55 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=171, length=502 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021301401980000001361603010106100001020100b69babee349592cb429aa44f593d2ce1e0c7d9aabc3514a9a465566d28bd90c926b5b644e5a2f123ff0aef428f3a403a0235a347337176fc512c8de405cb49ba377f521581ac793698bb9a9da680f2f438d920ee93cd1d298c0d5a720079a96c1b179eced6210e02d6ba4530e4c38b9a088a1d1ebdb4da5c8f46bc1f8ca6a613da55c111d8d7fff9b41beb99bda2b1d846075b1151d00b06c4d415a867deccc197b047666e9d6b5637e2a53a4786401b2880bcddbc3fc3c2f334e3d3ae3653be2bc46f709dd43b72e3bf60249ee4ac0ac541660a49d4cb33d6b6e7f0322519c5d52e87e7d4c1a7bd EAP-Message = 0xe1b92096532d100319ee0adeb2fdc4e97fa7c8cbf0fa5f0b1403010001011603010020e035d08985906e32ccc0cb7ba7d33ea0ea3c8f51a5304efcf1b9dcf3daa08b5d State = 0x5e8b2c0a5d98352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x2779d747ca85a6b14091da06818d84df +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:47:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 19 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 171 to 10.50.50.250 port 32821 EAP-Message = 0x01140031190014030100010116030100202cf731357521e583f46044f7897d3f42c64dfdd5c9df0454e8b702352e9ab082 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5a9f352cdb4e510ee0237d55 Finished request 4. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 167 with timestamp +18 Cleaning up request 1 ID 168 with timestamp +18 Cleaning up request 2 ID 169 with timestamp +18 Cleaning up request 3 ID 170 with timestamp +18 Cleaning up request 4 ID 171 with timestamp +18 Ready to process requests. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=172, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021400061900 State = 0x5e8b2c0a5a9f352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x336783f611744868cfdd9a46da997024 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:00 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 172 to 10.50.50.250 port 32821 EAP-Message = 0x011500201900170301001561d61f866dc95d89477d728361944bff2f9dea2508 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5b9e352cdb4e510ee0237d55 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=173, length=213 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0215002119001703010016480896708acd6813e107540692a20eb207a7e793a88d State = 0x5e8b2c0a5b9e352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x4ddffb3147e88377de9b0a756d70c390 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:00 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 21 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - guest [peap] Got tunnled request EAP-Message = 0x0215000a016775657374 server (null) { PEAP: Got tunneled identity of guest PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to guest Sending tunneled request EAP-Message = 0x0215000a016775657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "guest" server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:00 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "guest", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 21 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x0116001f1a0116001a10054822f5cf4d7bb6da0b31de9d23c1356775657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64955ed16483446991b279fcd6dcc74d [peap] Got tunneled reply RADIUS code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x0116001f1a0116001a10054822f5cf4d7bb6da0b31de9d23c1356775657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64955ed16483446991b279fcd6dcc74d [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 173 to 10.50.50.250 port 32821 EAP-Message = 0x011600361900170301002b86fc2df99e9e06a02a09b5c59ac59e1088fd60697a0b053c8e19c20da0dffa45718f840ce976a55b89f4d4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a589d352cdb4e510ee0237d55 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=174, length=267 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021600571900170301004cb479b0c5ab6a864ec72d274708e8e13cebb6dbf6d1feabf719b0c010dc11bb31f6cc8c109a37c801ba76ede8b345cc39d10efcae0aa6d5b34c2e7c6444855d3ea72ac3d1db8f745c717c42a3 State = 0x5e8b2c0a589d352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x63189866278c0f6cabfe2fc4700409ad +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:00 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 22 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x021600401a0216003b31a03348c2e305a71ce2153f8d800766db00000000000000001005132c0ca1a08f04b06b75e36ff7c5873502bd6bcd716f006775657374 server (null) { PEAP: Setting User-Name to guest Sending tunneled request EAP-Message = 0x021600401a0216003b31a03348c2e305a71ce2153f8d800766db00000000000000001005132c0ca1a08f04b06b75e36ff7c5873502bd6bcd716f006775657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "guest" State = 0x64955ed16483446991b279fcd6dcc74d server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:00 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "guest", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 22 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for guest with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011700331a0316002e533d37383538444630353935443541454337424230433730363741434331464438424333384635444632 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64955ed16582446991b279fcd6dcc74d [peap] Got tunneled reply RADIUS code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011700331a0316002e533d37383538444630353935443541454337424230433730363741434331464438424333384635444632 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x64955ed16582446991b279fcd6dcc74d [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 174 to 10.50.50.250 port 32821 EAP-Message = 0x0117004a1900170301003f29709f726854c7fba4bb30eb3de74642577c5324a83965a0100ef4195ec8c7bb0de6c946345b30ad05080251e325413315b2ca29f615c2ba822c9ad6868760 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a599c352cdb4e510ee0237d55 Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 172 with timestamp +48 Cleaning up request 6 ID 173 with timestamp +48 Cleaning up request 7 ID 174 with timestamp +48 Ready to process requests. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=175, length=209 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0217001d1900170301001211093cb7d3d7d5c34ebfc4da33ebf94b6b34 State = 0x5e8b2c0a599c352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xc80db7d291a7647b4531b1c13c5329ba +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 23 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x021700061a03 server (null) { PEAP: Setting User-Name to guest Sending tunneled request EAP-Message = 0x021700061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "guest" State = 0x64955ed16582446991b279fcd6dcc74d server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "guest", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 23 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x03170004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "guest" [peap] Got tunneled reply RADIUS code 2 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x03170004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "guest" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 175 to 10.50.50.250 port 32821 EAP-Message = 0x011800261900170301001b0295d618276cb9c94b22486141db4b4ffc9565d8a1508eedec4a29 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5e8b2c0a5693352cdb4e510ee0237d55 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=176, length=218 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021800261900170301001b4e5f25878677d3a5d33cf8e3bf3e2d362aa6c2ffcb43bd2618d359 State = 0x5e8b2c0a5693352cdb4e510ee0237d55 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x6f852ada9d073de8461defeca1d91826 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 07:48:30 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 24 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 176 to 10.50.50.250 port 32821 MS-MPPE-Recv-Key = 0xe7641d2abf68f4a0c181769e830bd53cecb8b1182b87e6df202e7a25f82b71c8 MS-MPPE-Send-Key = 0x62151e799ce699224249dfa546f46337ab4fd6d35166230901ce9a1b024df60c EAP-Message = 0x03180004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "guest" Finished request 9. Going to the next request Waking up in 4.9 seconds. Alan DeKok-2 wrote:
aangles wrote:
once I do radiusd -X, I see only the first access-challenge with the Aruba-User-Vlan Attirbute, and no more access-challenges have this attribute.
In fact, Access-Challenges are not supposed to have VSAs.
So, it is not working , May be i am close to the solution but I don't know what to do, and also I don't know what happen.
You need to put the VSA into the Access-Accept. You can do this by adding it in the "post-auth" section.
I send to you a capture of wireshark:
And not the debug logs. Why?
Also, see this debug from Aruba controller.
Why?
thanks a lot I hope somebody knows what happen and can help me
See the FAQ for how to ask questions, and what information we need.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Aruba-User-Vlan%2C-how-to-configure-RADIUS-to-send-the... Sent from the FreeRadius - User mailing list archive at Nabble.com.
aangles wrote:
Ok!! I'm sorry, it was not a good idea introducing wireshark print screens. Yeah its better to put here a log of my freeradius , which it is the issue we talk about. I didn't though with that. Here is my log of freeradius. As see, only some Aruba-VSA is sent not in the Access-Accept, but inside some of Access-challenges. Moreover, I have configured to sent the VSA in the users file. How do I conigure the VSA to sent the vlan in the post_auth section of freeradius?
Read eap.conf. Look for "use_tunneled_reply". Alan DeKok.
Ok. I set that parameter you comment: use_tunneled_reply = yes and it does not sent the VSA in the access-accept which I think that if radius could sent this VSA atributed inside an access-accept paquet then the NAS would understand it. My configuration of eap.conf: ttls { # The tunneled EAP session needs a default # EAP type which is separate from the one for # the non-tunneled EAP module. Inside of the # TTLS tunnel, we recommend using EAP-MD5. # If the request does not contain an EAP # conversation, then this configuration entry # is ignored. default_eap_type = mschapv2 # The tunneled authentication request does # not usually contain useful attributes # like 'Calling-Station-Id', etc. These # attributes are outside of the tunnel, # and normally unavailable to the tunneled # authentication request. # # By setting this configuration entry to # 'yes', any attribute which NOT in the # tunneled authentication request, but # which IS available outside of the tunnel, # is copied to the tunneled request. # # allowed values: {no, yes} copy_request_to_tunnel = no # The reply attributes sent to the NAS are # usually based on the name of the user # 'outside' of the tunnel (usually # 'anonymous'). If you want to send the # reply attributes based on the user name # inside of the tunnel, then set this # configuration entry to 'yes', and the reply # to the NAS will be taken from the reply to # the tunneled request. # # allowed values: {no, yes} use_tunneled_reply = yes # # The inner tunneled request can be sent # through a virtual server constructed # specifically for this purpose. # # If this entry is commented out, the inner # tunneled request will be sent through # the virtual server that processed the # outer requests. # virtual_server = "inner-tunnel" } and if I do radiusd -X i get the following: ...... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=188, length=172 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020e000a016775657374 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x57bc37ce7c549067b0874937ba0c32f6 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:00:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 14 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap01.cells.es:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=CELLS,dc=ES/Kag110vostresenyor to ldap01.cells.es:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 188 to 10.50.50.250 port 32821 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x010f00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x23c15ae223ce43ea3a0ff95fc6de2960 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=189, length=260 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x020f005019800000004616030100410100003d03014ac999c73850ebf8405b1daa64edc2795a1ab44f5d9924e096d849073bd7bf5300001600040005000a000900640062000300060013001200630100 State = 0x23c15ae223ce43ea3a0ff95fc6de2960 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x8dcb8e14548dddf8cd4834ae4364fbf7 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:00:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 15 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0b62], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 189 to 10.50.50.250 port 32821 EAP-Message = 0x0110040019c000000b9f160301002a0200002603014ac9999f360d6baa2b51846858265df39d0258d6b61ff3b1b2e2387bf3c66f44000004001603010b620b000b5e000b5b0004933082048f30820377a003020102020b010000000001111269caa0300d06092a864886f70d0101050500305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e616c204341301e170d3037303330323131323935345a170d3130303330323131323935345a3039310b30090603550406 EAP-Message = 0x13024553310e300c060355040a130543454c4c53311a3018060355040313117765622d6d61696c2e63656c6c732e657330820122300d06092a864886f70d01010105000382010f003082010a0282010100cc46384ee4fe3b3e53c4a2ec840ed7ade3e6ace27d5dba48c79d6f1ee6aaa6f2d72c7deb06caf1877a95daf391c8a4ddfc02352468c2391a5097ce7e13370e4247bdbcb36e3c3a6ed36a60113f403ade97d8782dc17bab7a7d1ef2f09f5ea4975c973bb48d9b5dc96b068e791a4be595805fcb069d7a4a6539ff3a94ec1a3070b1182283c4c6fad9d276327e95ec2115a83f0294d66fafae2b60b5e690bb311c0d594d955c203d52cddadea5 EAP-Message = 0x8ab491fbe7a76006a93cdc1d5f651c20523456ebe4333de37e4110ee1a63ad727b5116e71fc264f4d9726434a5cd693e6de3179a163d9663cbceb3d4d4fcd317e29c3701fa021b5596aaa24e85e88ef7a20f960f0203010001a38201703082016c30500603551d2004493047304506072a8648b13e0100303a303806082b06010505070201162c687474703a2f2f7777772e676c6f62616c7369676e2e6e65742f7265706f7369746f72792f6370732e63666d300e0603551d0f0101ff0404030205a0301f0603551d230418301680146565a33dd73b11a30a072537c9424a5b767750e1301d0603551d0e0416041496d745f253c445bf75496582e5d1 EAP-Message = 0xbd6b21b0bb88303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f656475636174696f6e616c2e63726c304f06082b0601050507010104433041303f06082b060105050730028633687474703a2f2f7365637572652e676c6f62616c7369676e2e6e65742f6361636572742f656475636174696f6e616c2e637274301d0603551d250416301406082b0601050507030106082b06010505070302301c0603551d110415301382117765622d6d61696c2e63656c6c732e6573300d06092a864886f70d010105050003820101004fe3e0e910a1b58a0d3479de0c184b3725a4b1e2a994aaa919 EAP-Message = 0x2186406f44d171c4a8b43606 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x23c15ae222d143ea3a0ff95fc6de2960 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=190, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021000061900 State = 0x23c15ae222d143ea3a0ff95fc6de2960 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xe6eaad5386d6481d50a76263074c8524 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:00:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 16 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 190 to 10.50.50.250 port 32821 EAP-Message = 0x011103fc194050e01de9f614accad310ab89a73cd3fe543f856139ebf0deabb426dcd0230bf0ed3a9db4c35ea70af48aef17af4e55653b27b1a7f0eb6944b5976694d69e3bc6c9d810f5375617d92c365aee778532464451f7c3dd1965e61c88039d082739433d4b432f959cda064c446515f29e2d635656a5825d063615a895763869e0b36ea09b6e61cf191715c94aa7188b8a0cb9cddaac70054aa98102f83669e52944c97eb0e02182638ee3dbb818a25cdf413cf57089df0c232bae0e12d7ef06430af5be3474155e2a9a698b41f33c4cdb7f89df59e6c8b7912c827b19ed0004613082045d308203c6a0030201020204040003f9300d06092a86 EAP-Message = 0x4886f70d01010505003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3036303232343136303830305a170d3133303232343233353930305a305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e61 EAP-Message = 0x6c20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009522a1101d4a46606e05919bdf83c2ed12b25a7cf8abe1f8505c282c7e7e003893b08b4af1c24c3c102c3cefb0eca1692fb9fccc08146b8d4f18f383d2faa9370820aa5caa8060a2d5a52200cf5ae5b497dfba1ebe5c8e171966fdaf9f7c7b89b20e24d8c7ab63c495328d48e663597d04b833a8bdd75d64bc63b5f74d28fdf90672315cba459465a3d2b458ec3b615844a32f62b39b80b482fdd5c7cc5125e5953f472f307bacc8786ee2e16d27eb3dcc0182e835778dab58bb55d1d5a481568d1cd014b1b006dea09122f3f0a8341747c6e03ef60c5aac EAP-Message = 0x7e504bcde1696e06fc067e6a4db49599a0595c3566ecd949d417e060b05da5d71ae22a6e66f2af1d0203010001a382018a3082018630450603551d1f043e303c303aa038a0368634687474703a2f2f7777772e7075626c69632d74727573742e636f6d2f6367692d62696e2f43524c2f323031382f6364702e63726c301d0603551d0e041604146565a33dd73b11a30a072537c9424a5b767750e1306e0603551d2004673065304806092b06010401b13e0100303b303906082b06010505070201162d687474703a2f2f7777772e7075626c69632d74727573742e636f6d2f4350532f4f6d6e69526f6f742e68746d6c301906092b06010401b13e0132 EAP-Message = 0x300c300a06082b06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x23c15ae221d043ea3a0ff95fc6de2960 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=191, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021100061900 State = 0x23c15ae221d043ea3a0ff95fc6de2960 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x93ca5c06d7b7bea239ae1db9db7e3ea5 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:00:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 17 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 191 to 10.50.50.250 port 32821 EAP-Message = 0x011203b919000105050702013081890603551d23048181307fa179a4773075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74820201a5300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020100300d06092a864886f70d01010505000381810032ac6514914bd17d36cacfa4d6826366c407e3d8ebfdafbaea7a561162dd2514be8d8a5c8823fb06ce024372aaa0 EAP-Message = 0x49916a057443f924f76df8dbdcbfd9809f2daf84ecf5b2e7bcfa825695d71706cb5acd4414247e4cc047dea2b2ebd24d357e1a95e2fd56d869014ec21926cabaf4b9d513e51b8f93bfb871ad9e6c42581d9d00025e3082025a308201c3020201a5300d06092a864886f70d01010405003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3938303831333030323930305a170d313830 EAP-Message = 0x3831333233353930305a3075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100950fa0b6f0509ce87ac788cddd170e2eb094d01b3d0ef694c08a94c706c89097c8b8641a7a7e6c3c53e1372873607fb29753079f53f96d5894d2af8d6d886780e6edb295cf7231caa51c72ba5c02e76442e7f9a92cd63a0dac8d42aa240139 EAP-Message = 0xe69c3f0185570d588745f8d385aa936926857048803f1215c779b41f052f3b62990203010001300d06092a864886f70d0101040500038181006deb1b09e95ed951db672261a42a3c4877e3a07ca6de73a21403853dfbab0e30c58316338113089e7b344edf40c874d7b97ddcf476557d9b635418e9f0eaf35cb1d98b421eb9c0954ebafad5e27cf56861bf8eec05975f5bb0d7a38534c424a70d0f9593efcb94d89e1f9d5c856dc7aaae4f1f22b5cd95adbaa7ccf9ab0b7a7f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x23c15ae220d343ea3a0ff95fc6de2960 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=192, length=502 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0212014019800000013616030101061000010201000f8f9f6ce45efc5cea9d847649d26928cb64c560e09bfcf405c74873eefc27c42549adc6047ec12ea55d8f5baf69301c510cc71785f741ec22b20c4f57326d2556777fde7334b7f3db5116aeddf695b1b4fa17191c520c1a0fb7d340feaf940876c591cd333c7d587c82d450201f6b3f5e6bf504ce444b21331d558ed26a913fecb705a045fecd4b8cb07a04ea219fd59177f1182c55e6dfba8bbb3ed627a1a857bcfebbdda91d6570a29170a878d857c45a32617712b111d35e6b348b7bc62f04f8ca672c546bdfd22bedb2147a3f5446b31ff59dd17c2983dd15ee5fbaa699d141ef58a7178b96 EAP-Message = 0xc97f67ff6ec83ada3f065738c29d07cb773207a18bc7dee414030100010116030100200dac101235819d0e63c28dca838c53677d822a01b6d387ef88867e53422c5c09 State = 0x23c15ae220d343ea3a0ff95fc6de2960 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x57fb1999f8a02adc681561edf0e6d23a +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:00:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 18 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 192 to 10.50.50.250 port 32821 EAP-Message = 0x011300311900140301000101160301002026e1de561aedef09b164f765d9505c4d569d5a1810e200c039d222273f73fcea Message-Authenticator = 0x00000000000000000000000000000000 State = 0x23c15ae227d243ea3a0ff95fc6de2960 Finished request 4. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 188 with timestamp +18 Cleaning up request 1 ID 189 with timestamp +18 Cleaning up request 2 ID 190 with timestamp +18 Cleaning up request 3 ID 191 with timestamp +18 Cleaning up request 4 ID 192 with timestamp +18 Ready to process requests. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=193, length=172 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0214000a016775657374 Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x415d7281ea1955e4d5ee2278a32b6fe5 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 20 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 193 to 10.50.50.250 port 32821 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9cfd2573e8bcb9264c430741e Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=194, length=260 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0215005019800000004616030100410100003d03014ac99a035ef97e318d0b0dbee426ca007d405aeb01801fc7003f0c368745266400001600040005000a000900640062000300060013001200630100 State = 0xcfc74ed9cfd2573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xc1ea8fdb1eddcea00ad673e3fb6c8d1c +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 21 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0b62], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 194 to 10.50.50.250 port 32821 EAP-Message = 0x0116040019c000000b9f160301002a0200002603014ac999db2ae9d1e29df2965426f02dc8d96d6575e8bdd395636b063e8ca45f92000004001603010b620b000b5e000b5b0004933082048f30820377a003020102020b010000000001111269caa0300d06092a864886f70d0101050500305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e616c204341301e170d3037303330323131323935345a170d3130303330323131323935345a3039310b30090603550406 EAP-Message = 0x13024553310e300c060355040a130543454c4c53311a3018060355040313117765622d6d61696c2e63656c6c732e657330820122300d06092a864886f70d01010105000382010f003082010a0282010100cc46384ee4fe3b3e53c4a2ec840ed7ade3e6ace27d5dba48c79d6f1ee6aaa6f2d72c7deb06caf1877a95daf391c8a4ddfc02352468c2391a5097ce7e13370e4247bdbcb36e3c3a6ed36a60113f403ade97d8782dc17bab7a7d1ef2f09f5ea4975c973bb48d9b5dc96b068e791a4be595805fcb069d7a4a6539ff3a94ec1a3070b1182283c4c6fad9d276327e95ec2115a83f0294d66fafae2b60b5e690bb311c0d594d955c203d52cddadea5 EAP-Message = 0x8ab491fbe7a76006a93cdc1d5f651c20523456ebe4333de37e4110ee1a63ad727b5116e71fc264f4d9726434a5cd693e6de3179a163d9663cbceb3d4d4fcd317e29c3701fa021b5596aaa24e85e88ef7a20f960f0203010001a38201703082016c30500603551d2004493047304506072a8648b13e0100303a303806082b06010505070201162c687474703a2f2f7777772e676c6f62616c7369676e2e6e65742f7265706f7369746f72792f6370732e63666d300e0603551d0f0101ff0404030205a0301f0603551d230418301680146565a33dd73b11a30a072537c9424a5b767750e1301d0603551d0e0416041496d745f253c445bf75496582e5d1 EAP-Message = 0xbd6b21b0bb88303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f656475636174696f6e616c2e63726c304f06082b0601050507010104433041303f06082b060105050730028633687474703a2f2f7365637572652e676c6f62616c7369676e2e6e65742f6361636572742f656475636174696f6e616c2e637274301d0603551d250416301406082b0601050507030106082b06010505070302301c0603551d110415301382117765622d6d61696c2e63656c6c732e6573300d06092a864886f70d010105050003820101004fe3e0e910a1b58a0d3479de0c184b3725a4b1e2a994aaa919 EAP-Message = 0x2186406f44d171c4a8b43606 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9ced1573e8bcb9264c430741e Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=195, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021600061900 State = 0xcfc74ed9ced1573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x8b081d08251a9c7d272b316fc44cecc7 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 22 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 195 to 10.50.50.250 port 32821 EAP-Message = 0x011703fc194050e01de9f614accad310ab89a73cd3fe543f856139ebf0deabb426dcd0230bf0ed3a9db4c35ea70af48aef17af4e55653b27b1a7f0eb6944b5976694d69e3bc6c9d810f5375617d92c365aee778532464451f7c3dd1965e61c88039d082739433d4b432f959cda064c446515f29e2d635656a5825d063615a895763869e0b36ea09b6e61cf191715c94aa7188b8a0cb9cddaac70054aa98102f83669e52944c97eb0e02182638ee3dbb818a25cdf413cf57089df0c232bae0e12d7ef06430af5be3474155e2a9a698b41f33c4cdb7f89df59e6c8b7912c827b19ed0004613082045d308203c6a0030201020204040003f9300d06092a86 EAP-Message = 0x4886f70d01010505003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3036303232343136303830305a170d3133303232343233353930305a305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e61 EAP-Message = 0x6c20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009522a1101d4a46606e05919bdf83c2ed12b25a7cf8abe1f8505c282c7e7e003893b08b4af1c24c3c102c3cefb0eca1692fb9fccc08146b8d4f18f383d2faa9370820aa5caa8060a2d5a52200cf5ae5b497dfba1ebe5c8e171966fdaf9f7c7b89b20e24d8c7ab63c495328d48e663597d04b833a8bdd75d64bc63b5f74d28fdf90672315cba459465a3d2b458ec3b615844a32f62b39b80b482fdd5c7cc5125e5953f472f307bacc8786ee2e16d27eb3dcc0182e835778dab58bb55d1d5a481568d1cd014b1b006dea09122f3f0a8341747c6e03ef60c5aac EAP-Message = 0x7e504bcde1696e06fc067e6a4db49599a0595c3566ecd949d417e060b05da5d71ae22a6e66f2af1d0203010001a382018a3082018630450603551d1f043e303c303aa038a0368634687474703a2f2f7777772e7075626c69632d74727573742e636f6d2f6367692d62696e2f43524c2f323031382f6364702e63726c301d0603551d0e041604146565a33dd73b11a30a072537c9424a5b767750e1306e0603551d2004673065304806092b06010401b13e0100303b303906082b06010505070201162d687474703a2f2f7777772e7075626c69632d74727573742e636f6d2f4350532f4f6d6e69526f6f742e68746d6c301906092b06010401b13e0132 EAP-Message = 0x300c300a06082b06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9cdd0573e8bcb9264c430741e Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=196, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021700061900 State = 0xcfc74ed9cdd0573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xe285d5853798351bd00b623c52a19272 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 23 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 196 to 10.50.50.250 port 32821 EAP-Message = 0x011803b919000105050702013081890603551d23048181307fa179a4773075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74820201a5300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020100300d06092a864886f70d01010505000381810032ac6514914bd17d36cacfa4d6826366c407e3d8ebfdafbaea7a561162dd2514be8d8a5c8823fb06ce024372aaa0 EAP-Message = 0x49916a057443f924f76df8dbdcbfd9809f2daf84ecf5b2e7bcfa825695d71706cb5acd4414247e4cc047dea2b2ebd24d357e1a95e2fd56d869014ec21926cabaf4b9d513e51b8f93bfb871ad9e6c42581d9d00025e3082025a308201c3020201a5300d06092a864886f70d01010405003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3938303831333030323930305a170d313830 EAP-Message = 0x3831333233353930305a3075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100950fa0b6f0509ce87ac788cddd170e2eb094d01b3d0ef694c08a94c706c89097c8b8641a7a7e6c3c53e1372873607fb29753079f53f96d5894d2af8d6d886780e6edb295cf7231caa51c72ba5c02e76442e7f9a92cd63a0dac8d42aa240139 EAP-Message = 0xe69c3f0185570d588745f8d385aa936926857048803f1215c779b41f052f3b62990203010001300d06092a864886f70d0101040500038181006deb1b09e95ed951db672261a42a3c4877e3a07ca6de73a21403853dfbab0e30c58316338113089e7b344edf40c874d7b97ddcf476557d9b635418e9f0eaf35cb1d98b421eb9c0954ebafad5e27cf56861bf8eec05975f5bb0d7a38534c424a70d0f9593efcb94d89e1f9d5c856dc7aaae4f1f22b5cd95adbaa7ccf9ab0b7a7f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9ccdf573e8bcb9264c430741e Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=197, length=502 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x02180140198000000136160301010610000102010005d1ac205aeae976b3770dcc15a1d6a87b784ba15f8a8924f93d81085979bbeb4bbd5f3a5ea2c7dd84b90079e7c5c92be25789a4ed56b59bb5d20dc3d5ecd1a99d9b457656652808c00ef1beba34b04610d90eeb10d9a992ff842770b811fa0caf4a86557d722ac6384547307a7f03d8e2b600f172249fa007afbbedb4c6da08edb35654affcd9ae507957350f93649f4d20b1d239d315ba55c60425f24958c37f2b713a1c2936e299cbd398584fbeb9fff874fdec2a269d1a0de04fbc5d023c2134bc433e186f393d136033919ac2fbac246cc3899ba627e703a52c8f40f6ca761ac3fbd4190f31 EAP-Message = 0xb31320164be84ed1eb427a2e4e2a3a0cd3a54f3e8a7d33ef1403010001011603010020b6a276ea9da800962ebf5fa52d96cc4563af96483f432f9a606d528dbe0c9239 State = 0xcfc74ed9ccdf573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xd0f565f397e7718479c7dca52b005932 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 24 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 197 to 10.50.50.250 port 32821 EAP-Message = 0x011900311900140301000101160301002093e268cbc13d7508d782e795a4408666a2fb8bfe2fd2a28c8c4f3bb3956c9d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9cbde573e8bcb9264c430741e Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=198, length=186 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021900061900 State = 0xcfc74ed9cbde573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xfed932e959c7aecc06ab74e25e41d3d6 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 25 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 198 to 10.50.50.250 port 32821 EAP-Message = 0x011a00201900170301001515768e1216472080a3749e31b1714edd9577667da0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9cadd573e8bcb9264c430741e Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=199, length=213 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021a0021190017030100166f3203c51b5d64efd9ccd930e189a0f9e904fdd18e25 State = 0xcfc74ed9cadd573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x1605fd6d968c61b5f385289f6376075f +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 26 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - guest [peap] Got tunnled request EAP-Message = 0x021a000a016775657374 server (null) { PEAP: Got tunneled identity of guest PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to guest Sending tunneled request EAP-Message = 0x021a000a016775657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "guest" server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "guest", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 26 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011b001f1a011b001a10d96635072c646e554f77e8b44c01afbc6775657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e5ac4772e41def6c5601c1f6d8a45a4 [peap] Got tunneled reply RADIUS code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011b001f1a011b001a10d96635072c646e554f77e8b44c01afbc6775657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e5ac4772e41def6c5601c1f6d8a45a4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 199 to 10.50.50.250 port 32821 EAP-Message = 0x011b00361900170301002b10a706d40c01f8c830382f4a41410f0979575a935db0967e3b5aafd6a63f18b8a1caa264c1b27ea21fe57b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9c9dc573e8bcb9264c430741e Finished request 11. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=200, length=267 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021b00571900170301004cd9fe2923bcf7741f59b559c2aba1bb9cb11cda9f29d7ebbe533b087ee6d1c31a54abd850208d88670916e06760911d06540e992bd175668f5fcb10edd0616992a75a9d5220f727781d59e633 State = 0xcfc74ed9c9dc573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xf573266d55fced69eba83500059a0b89 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 27 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x021b00401a021b003b31caef4a21f1e8e33bca7aaefeabd2ced6000000000000000086d797a3c01843d6a0e0353ab9421532963bd6b44559fdd5006775657374 server (null) { PEAP: Setting User-Name to guest Sending tunneled request EAP-Message = 0x021b00401a021b003b31caef4a21f1e8e33bca7aaefeabd2ced6000000000000000086d797a3c01843d6a0e0353ab9421532963bd6b44559fdd5006775657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "guest" State = 0x2e5ac4772e41def6c5601c1f6d8a45a4 server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "guest", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 27 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for guest with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011c00331a031b002e533d32393231313230383331304332373843333832343643453638453333384541453431313241364131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e5ac4772f46def6c5601c1f6d8a45a4 [peap] Got tunneled reply RADIUS code 11 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x011c00331a031b002e533d32393231313230383331304332373843333832343643453638453333384541453431313241364131 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e5ac4772f46def6c5601c1f6d8a45a4 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 200 to 10.50.50.250 port 32821 EAP-Message = 0x011c004a1900170301003fa63a59356ac1d59eb069991fd27bc76711fbd7e97a41fdbf4f6ca3503d3b2c204c85955fb005a0a95c864dcb3277a45a4589a57003686ccf9e94fd55759f68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9c8db573e8bcb9264c430741e Finished request 12. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=201, length=209 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021c001d19001703010012d339352e15490f56e46fcfbb25ac409fc126 State = 0xcfc74ed9c8db573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0x036b6f49909a780300ae42a3e85cae74 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 28 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunnled request EAP-Message = 0x021c00061a03 server (null) { PEAP: Setting User-Name to guest Sending tunneled request EAP-Message = 0x021c00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "guest" State = 0x2e5ac4772f46def6c5601c1f6d8a45a4 server inner-tunnel { +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "guest", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 28 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry guest at line 59 ++[files] returns ok [ldap] performing user authorization for guest [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es)) -> (|(|(uid=guest))(mail=guest@cells.es)) [ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter (|(|(uid=guest))(mail=guest@cells.es)) rlm_ldap: object not found or got ambiguous search result [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x031c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "guest" [peap] Got tunneled reply RADIUS code 2 Aruba-User-Role = "testrole" Aruba-User-Vlan = 2120 EAP-Message = 0x031c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "guest" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 201 to 10.50.50.250 port 32821 EAP-Message = 0x011d00261900170301001bc0474fb0fd0ad2bd0a6eb80b14840658b61ff194765e57cd363c34 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcfc74ed9c7da573e8bcb9264c430741e Finished request 13. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=202, length=218 User-Name = "guest" NAS-IP-Address = 10.50.50.250 NAS-Port = 1 NAS-Identifier = "arubacon" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "0022437B7A67" Called-Station-Id = "000B86615D8C" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x021d00261900170301001b5b3e9f4ac8eb6089bb169d87c2d5d808920ef0e75e62e794db370c State = 0xcfc74ed9c7da573e8bcb9264c430741e Aruba-Essid-Name = "SecureWiFIAruba" Aruba-Location-Id = "apob00off09_pos5" Message-Authenticator = 0xbf235145edbaf5b031707e0b4986a133 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005 [auth_log] expand: %t -> Mon Oct 5 09:01:47 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "guest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 29 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 202 to 10.50.50.250 port 32821 MS-MPPE-Recv-Key = 0xa7226356ffae28db8a4141a68c2d237097e6b0f789757a8fd5d8a75fb84ce155 MS-MPPE-Send-Key = 0xc5b80379a82021d85e592f155bc2e0d34f2ffe17fb7ecf2e5d5a85c10308328b EAP-Message = 0x031d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "guest" Finished request 14. Going to the next request No VSA is inside the Access-Accept paquet :( Also, not all the access-challenge contains the VSA. Why? It should to? You said me that generally access-challenge does not have suppor for VSA, and also you commented to modify post_auth section to sent VSA inside an access-accept. How to do that? which would be this configuration? thanks a lot!! ..... Alan DeKok-2 wrote:
aangles wrote:
Ok!! I'm sorry, it was not a good idea introducing wireshark print screens. Yeah its better to put here a log of my freeradius , which it is the issue we talk about. I didn't though with that. Here is my log of freeradius. As see, only some Aruba-VSA is sent not in the Access-Accept, but inside some of Access-challenges. Moreover, I have configured to sent the VSA in the users file. How do I conigure the VSA to sent the vlan in the post_auth section of freeradius?
Read eap.conf. Look for "use_tunneled_reply".
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Aruba-User-Vlan%2C-how-to-configure-RADIUS-to-send-the... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Ok. I set that parameter you comment: use_tunneled_reply = yes and it does not sent the VSA in the access-accept which I think that if radius could sent this VSA atributed inside an access-accept paquet then the NAS would understand it.
That would work, if only you enabled it in the *correct* section!
My configuration of eap.conf:
ttls {
Nice, but ... ...
[eap] processing type peap ...
... you are not doing EAP-TTLS. Enable same parameter in peap section of eap.conf. Ivan Kalik Kalik Informatika ISP
thank you very much Kalik. Now it works!! :) Ivan Kalik wrote:
Ok. I set that parameter you comment: use_tunneled_reply = yes and it does not sent the VSA in the access-accept which I think that if radius could sent this VSA atributed inside an access-accept paquet then the NAS would understand it.
That would work, if only you enabled it in the *correct* section!
My configuration of eap.conf:
ttls {
Nice, but ...
...
[eap] processing type peap ...
... you are not doing EAP-TTLS. Enable same parameter in peap section of eap.conf.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Aruba-User-Vlan%2C-how-to-configure-RADIUS-to-send-the... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
aangles -
Alan DeKok -
Ivan Kalik