MSCHAPV2 authenticate including the suffix
Hello, I am using an SQL backend. The usernames are stored with the full username including a suffix 'user@domain.com I am trying to use TTLS/PEAP with MSCHAPV2 So I want freeradius to authenticate the full username, not the stripped username. I want it to match 'user@domain.com<mailto:user@domain.com>' not 'user' When trying to authenticate, it says: [mschap] ERROR: User-Name (user@domain.com<mailto:user@domain.com>) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2. If I set the username in the database to just 'user' and send that through in the supplicant, it works. But I want it to work with the full username including the suffix in the database. Is this possible? Thanks for your help Dean.
Thank you Alan, This is now working with the same config after upgrading to version 2.2.5 -----Original Message----- From: freeradius-users-bounces+dgoldhill=netutils.com@lists.freeradius.org [mailto:freeradius-users-bounces+dgoldhill=netutils.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 09 June 2014 14:26 To: FreeRadius users mailing list Subject: Re: MSCHAPV2 authenticate including the suffix Dean Goldhill wrote:
When trying to authenticate, it says:
[mschap] ERROR: User-Name (user@domain.com) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2.
Use a recent version of the server. That error has been changed to a warning. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I have managed to get this working with TTLS & PEAP with EAP-MSCHAPV2 But I still get rejected ([mschap] FAILED: MS-CHAP2-Response is incorrect) when using TTLS with MSCHAPV2. That's is to say, when using EAP-MSCHAPV2 (CHAP messages are encapsulated inside the EAP message) - this works When using just MSCHAPV2 (CHAP messages are NOT encapsulated inside the EAP message) - This does not work. But, the same thing as before: If the username does not have a suffix (user instead of user@domain) both in the SQL database and on the supplicant, then it also works with just MSCHAPV2 (CHAP messages are NOT encapsulated inside the EAP message). As soon as I try to authenticate a user that has a suffix, they get rejected. Can anyone suggest something to try? Much appreciated. Thanks -----Original Message----- From: Dean Goldhill Sent: 09 June 2014 18:03 To: 'FreeRadius users mailing list' Subject: RE: MSCHAPV2 authenticate including the suffix Thank you Alan, This is now working with the same config after upgrading to version 2.2.5 -----Original Message----- From: freeradius-users-bounces+dgoldhill=netutils.com@lists.freeradius.org [mailto:freeradius-users-bounces+dgoldhill=netutils.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 09 June 2014 14:26 To: FreeRadius users mailing list Subject: Re: MSCHAPV2 authenticate including the suffix Dean Goldhill wrote:
When trying to authenticate, it says:
[mschap] ERROR: User-Name (user@domain.com) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2.
Use a recent version of the server. That error has been changed to a warning. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dean Goldhill wrote:
When using just MSCHAPV2 (CHAP messages are NOT encapsulated inside the EAP message) - This does not work.
But, the same thing as before: If the username does not have a suffix (user instead of user@domain) both in the SQL database and on the supplicant, then it also works with just MSCHAPV2 (CHAP messages are NOT encapsulated inside the EAP message). As soon as I try to authenticate a user that has a suffix, they get rejected.
Can anyone suggest something to try?
The full debug log would help. Alan DeKok.
This is using domain@user with TTLS & EAP-MSCHAPV2 - does work radiusd: FreeRADIUS Version 2.2.5, for host x86_64-redhat-linux-gnu, built on Apr 29 2014 at 09:18:14 Copyright (C) 1999-2013 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/cache including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/dhcp_sqlippool including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/radrelay including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 192.168.42.114 { require_message_authenticator = no secret = "radius" shortname = "test" } client 192.168.42.16 { require_message_authenticator = no secret = "radius" shortname = "test2" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 1024 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/huntgroups reading pairlist file /etc/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } reading pairlist file /etc/raddb/users reading pairlist file /etc/raddb/acct_users reading pairlist file /etc/raddb/preproxy_users Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "192.168.152.3" port = "" login = "freeradius" password = "freeradius" radius_db = "ManagedRADIUSWiFi" read_groups = yes sqltrace = yes sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':='" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to freeradius@192.168.152.3:/ManagedRADIUSWiFi rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 46643 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=109, length=151 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User EAP-Message = 0x0201000e01616e6f6e796d6f7573 User-Name = "anonymous" NAS-Port = 44319 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0xff55a0900d026c64bf015aaf7540957c # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> anonymous [sql] sql_set_user escaped user --> 'anonymous' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':=' -> SELECT '111', 'anonymous', 'Cleartext-Password', (select GuestAuthRADIUS ('anonymous', 'AC-72-89-16-1B-1A' ,'192.168.42.16')), ':=' rlm_sql_mysql: query: SELECT '111', 'anonymous', 'Cleartext-Password', (select GuestAuthRADIUS ('anonymous', 'AC-72-89-16-1B-1A' ,'192.168.42.16')), ':=' [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'anonymous' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'anonymous' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'anonymous' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'anonymous' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 109 to 192.168.42.16 port 20008 EAP-Message = 0x010200160410a3ee98d125163c69864618b950ab9635 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802891d2844d542d6ddb9dd69868 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=110, length=161 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802891d2844d542d6ddb9dd69868 EAP-Message = 0x020200060315 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0x4d1aadc0322838e24b6463eba26bd404 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> anonymous [sql] sql_set_user escaped user --> 'anonymous' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':=' -> SELECT '111', 'anonymous', 'Cleartext-Password', (select GuestAuthRADIUS ('anonymous', 'AC-72-89-16-1B-1A' ,'192.168.42.16')), ':=' rlm_sql_mysql: query: SELECT '111', 'anonymous', 'Cleartext-Password', (select GuestAuthRADIUS ('anonymous', 'AC-72-89-16-1B-1A' ,'192.168.42.16')), ':=' [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'anonymous' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'anonymous' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'anonymous' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'anonymous' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 110 to 192.168.42.16 port 20008 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802890d3954d542d6ddb9dd69868 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=111, length=260 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802890d3954d542d6ddb9dd69868 EAP-Message = 0x0203006915800000005f160301005a0100005603015398800f12782782365c599070143092f93bcce2efe4552377ac1d22cedcd82a0000280039003800330032001600130035002f00150012000a0005000400090014001100030006000800ff01000005000f000101 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0xa6f9bce4af09a13b7ff49b74ab0fd459 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 105 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 95 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 005a], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0036], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 08d0], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 111 to 192.168.42.16 port 20008 EAP-Message = 0x0104040015c000000b2b160301003602000032030153987ef31f2409e196259b251763f65595388b3544d4c735a451bdaa2b46f2c200003900000aff01000100000f00010116030108d00b0008cc0008c90003de308203da308202c2a003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361 EAP-Message = 0x746520417574686f72697479301e170d3134303631313135323730345a170d3135303631313135323730345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0a67f56d1218a0a58127603fe396e0160e12705798fdcffe06102c318b7ef9b2176b32f852224eeed482d2ae89f2a0e3b8b EAP-Message = 0xa64fa02f2fbaa1a39b287cd33eafabd326c98dba127ce8b0e44f48db533593598d5391fd079b633cbf92ab99027756e45356ec2ae2f0f32f28bceb364e0d2f123e6276560ef03a8a6fb1ebf4fd63b82006ddca60484df672e0ad74ea2188b295fbe028275a61cad572f73ab977ea9eba084c60677aef2bcc7762832524d649c1e832bd576f8b832583af68d50d6c8e8fa2bc68f417ad3e048042515ead2c650199bcf74b3459641692df0ba363a6c65e7d756e50ff80fc6dd178276bf719b41c1d9fc1338b9a7789a110287c1c4b0203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f302d302ba029a027 EAP-Message = 0x8625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101009d6e0fa587fab9dc4a9b4905c18f17669d904c6b5c3b1440304d5ce4625915e54cbbd7dfcce48441a51ed45798252e59ceede8362eb553b09e2c8d6be51940a1bb96ac0bcf06b7cdef5175605a7984c67b9058ac8a21f4b7397d3ac4f4e6677cd3302a78d865b433d2514255f6ae1b784f88ab2f01ec6ebd928591eeebd0dff400393bae2aa4acb14be31f56e824b9386f40ca8ed2e3026a17b27585d8079e7e86eb3a91c5dd07e552c31df48d67c4f8982e7aeb15358c5501bb7b5906f7935b06cb EAP-Message = 0x71200169cea51e7af1c334c0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802893d4954d542d6ddb9dd69868 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=112, length=161 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802893d4954d542d6ddb9dd69868 EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0xe4cb7e931af9ec8b6ee9cdcae37a41ce # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 112 to 192.168.42.16 port 20008 EAP-Message = 0x0105040015c000000b2b1e7a5bff52453e4c9694a7407bf3e1e883321da050c6fa53e4a05a83d8c7077349330a2c1ac202be61c5c75833905c13f4ec0004e5308204e1308203c9a003020102020900dfa3486c6cb1f96e300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930 EAP-Message = 0x1e170d3134303631313135323730345a170d3135303631313135323730345a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c8fcd609bf8dd3edc91006985ff77c8643e8479cc90a5e4d5894e363b614dd90bf73272be715f9 EAP-Message = 0xe41b51c815ad8ce1cb9bfc5084ad728e75005644152bdd82e97809b77d2baa16e22fe4638a8516a11e9df56b7f6ea31e61f857caa5256a32d28a1d0f6e384f2ff4ee93e351069faf4ca06e682c7772ff53415e29f9bf076afe00f042d6c57063e558670fa4b5f4ad4a5ca28277fb789ca3e943f0f0b828831ae871a61aae88b3db06daae7df9356e4ab6afb2e6d148d9c2c9866e82ff857c9465ae636b517037f6bd8c8c9fbdafd5c5cd5305f015d4988f4cd34e38aaee5380a0f942f1c4c4b055a15c86b5f0aede98b5dc3b82d22cae163a484927fcf868bb0203010001a382013430820130301d0603551d0e041604140d99bc282493fbc134a9dec9 EAP-Message = 0xc277c212c932dd1d3081c80603551d230481c03081bd80140d99bc282493fbc134a9dec9c277c212c932dd1da18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900dfa3486c6cb1f96e300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777 EAP-Message = 0x772e6578616d706c652e636f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802892d5954d542d6ddb9dd69868 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=113, length=161 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802892d5954d542d6ddb9dd69868 EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0x91031fc8a0e1a3142db6a3eb73e2030a # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 113 to 192.168.42.16 port 20008 EAP-Message = 0x01060349158000000b2b6d2f6578616d706c655f63612e63726c300d06092a864886f70d0101050500038201010095c6536dc2a04e2b2508da21065191ea4ac1db7167daca4192246690a1087cf7b070972df9b8a62dd10be43c06f198c9d93f202ddf39691311bb27695fc8cb744f2218ffcdd6514f03078e595fc01ec9141342a81ac921a7396227603d7b4048222a29f38340ba361aacac3328e77cfcd520580aca674883469e5864b345e32a1c98bd9e74ce6e87ff7ff9b7f48608950bc56fb7ccae1aacea92edf7227813fc87390cce2bd04eb09881045a687723577faf1ba909af2beccfb646d835549e3d91dfe871212054884517001aa21426 EAP-Message = 0x97169fd53671f7a1944d9e1b03930cd247c33f567e49e8863f67e7625498cd069c8ee8ccdca8afab008e5160bfee716745160301020d0c0002090080ef8cb67830bf429c4b9ad4714e77aaa750c3db460d39315a8c6fcdfa5c4d9f2d1759901723a901aecd8a5488b65b6dea6dc9385ff769702783b1111064e222d4c4f9e1220b2b1863ca2764bed79f4de5cc029915f46e71b2e247f3efbea696b49dfaa6e54ed45fc427fdf0f3bfbf2e234172f350331fd40471e5a02d72504cf30001020080d3a2cda914030f8dce2958dc060c18ed10fc04c079881315ea56d551c78b4918daa00734706646e4bb8e801a169a60766543e58d06f5bcde04d0cd34 EAP-Message = 0x657afd49c7421531730a72812c5477ea5a57414a6160eeac80192482d6c20e212bb9af4c434908ab0d90eaa4f012ef3e0abcc42540e9808394bdbc8fc9f1f04c443cac320100b9a25e6561197efad2ba4386d6a9d8046ca82d28e61b6680d7e5b693d9ebda151647239caa964eeedbfe314c025e9d4bc3c67131883c385798c866faf265879fdb7faec5e4fd94d96540002fda7ebbac82041542fa991c5ea8ec3607e94855afe6068891a61abe8b8453c647b200e57dc8245cea25143a05b7baeb4250783f10561095cd574fa989b4b7317f827d5f50a2394701a13a1fa905df0222fb639471c082af99ff423f7e0d953d49d30edcdc1ba85e0758afd6 EAP-Message = 0x1ee738327b0cb8967164a41b0cf14a48e101b4fa42ff28457513e73b3bf355c747dc705d4b2868f936feaa813bb655a16662b94e506d7ceb87e4ecca21080a72458a541a07f8c015db16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802895d6954d542d6ddb9dd69868 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=114, length=363 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802895d6954d542d6ddb9dd69868 EAP-Message = 0x020600d01580000000c61603010086100000820080758eec13cbb3fced38dcf7fc6fe5b6b927308673d2fbff3b467e4b8f1789f26df483d5f2989872df23b753276538f1637aa4abe88b1c0aa11f70ad26b00ff6386c2cb52b15410c5871f30cb0079e9b2db63db91b5122cf0757e294f8fb9b2c3c082e49debe66b589631869c75703425728d30c61951ad63691c411539a98c08c14030100010116030100306577ef958428ea0cff9d1205b3cfd6499aecb7ae9d2c50292fffeced7cfe48ebad110361cc8ae64ea17e06cdfb6e7c59 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0xa8df600d638534f60ea0b1d3f5f18987 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 208 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 198 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 114 to 192.168.42.16 port 20008 EAP-Message = 0x0107004515800000003b14030100010116030100304422e9f876df87dab39f6e62bae2e9730973ac913d35591da0fbe2f508647e828aceb389def506c31d311f840f7c0861 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802894d7954d542d6ddb9dd69868 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=115, length=234 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802894d7954d542d6ddb9dd69868 EAP-Message = 0x0207004f158000000045170301004026909d7dc457bbb79d798895c6c147ee85b282ec4933b97318f29a6989ed0593177735f56acf4adbc9961f08c11bc146d1f224e5eacc4530eca084abc4bc801c NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0x1b1c8e522db1a9dce4fb151f0c202ebb # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 79 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 69 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02000019016a6f7365664074657374646f6d61696e2e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Got tunneled identity of josef@testdomain.com [ttls] Setting default EAP type for tunneled EAP session. [ttls] Sending tunneled request EAP-Message = 0x02000019016a6f7365664074657374646f6d61696e2e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "josef@testdomain.com" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "testdomain.com" for User-Name = "josef@testdomain.com" [suffix] No such realm "testdomain.com" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 0 length 25 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> josef@testdomain.com [sql] sql_set_user escaped user --> 'josef@testdomain.com' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':=' -> SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' rlm_sql_mysql: query: SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 EAP-Message = 0x010100160410b63599d119594aeb5fb7454e7d1784f3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x145eec75145fe855f0147a7829674fc1 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 115 to 192.168.42.16 port 20008 EAP-Message = 0x0108004f15800000004517030100401642da9c58b6d981c908c58e9924430edb6a5bbd161cff524bad2cc3f299cfb119bf308a08a29afa3503a34753b89a51fa1e53f143f82f419f27b9d253bddb18 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802897d8954d542d6ddb9dd69868 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=116, length=218 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802897d8954d542d6ddb9dd69868 EAP-Message = 0x0208003f15800000003517030100304d706571380297b60795b0b9586d9b93f6a231ca359a4bed723e4d1850eed0e95fcfe2b7ef35d37b82834e4ea1d9da17 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0xd1a6e0455fddf1d0e2101891a0ee267b # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 63 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 53 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x02010006031a FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x02010006031a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "josef@testdomain.com" State = 0x145eec75145fe855f0147a7829674fc1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "testdomain.com" for User-Name = "josef@testdomain.com" [suffix] No such realm "testdomain.com" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> josef@testdomain.com [sql] sql_set_user escaped user --> 'josef@testdomain.com' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':=' -> SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' rlm_sql_mysql: query: SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 EAP-Message = 0x0102002e1a0102002910b6f82af2dd8676dcd3e7d1737681176d6a6f7365664074657374646f6d61696e2e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x145eec75155cf655f0147a7829674fc1 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 116 to 192.168.42.16 port 20008 EAP-Message = 0x0109005f1580000000551703010050479418fd22d45205901520570bfce8f3d74fa51e9380ff2e2164e696db5c8e6637af2413e0766678376fcd48795ec580e9d86845d9eb322b8861fad862e327fc10c76e6f1c150e39032b076fac477b28 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802896d9954d542d6ddb9dd69868 Finished request 7. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=117, length=266 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802896d9954d542d6ddb9dd69868 EAP-Message = 0x0209006f158000000065170301006020088164f7012d6163e65063a00d5482825b560387cfdd6da1b44d41063b98f5c84b8bf68c969cd6672a654ffe3ade291fae0795f92b212c737bf5a83cd535ae6f1d694718fdfe85afab1822aea0aa15f513631e60a63805c4871ec6d9c357a7 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0x050a98354f2ca95ae3af176892bdfbde # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 111 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 101 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020200401a0202003b3102a9b392dfb17311277809906ef15111000000000000000058ce4ffdc8d608c16fc25e31b3beb886b5e7944427e820af006a6f736566 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020200401a0202003b3102a9b392dfb17311277809906ef15111000000000000000058ce4ffdc8d608c16fc25e31b3beb886b5e7944427e820af006a6f736566 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "josef@testdomain.com" State = 0x145eec75155cf655f0147a7829674fc1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "testdomain.com" for User-Name = "josef@testdomain.com" [suffix] No such realm "testdomain.com" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 2 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> josef@testdomain.com [sql] sql_set_user escaped user --> 'josef@testdomain.com' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':=' -> SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' rlm_sql_mysql: query: SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql (sql): Released sql socket id: 0 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] WARNING: User-Name (josef@testdomain.com) is not the same as MS-CHAP Name (josef) from EAP-MSCHAPv2 [mschap] Creating challenge hash with username: josef [mschap] Client is using MS-CHAPv2 for josef, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [ttls] Got tunneled reply code 11 EAP-Message = 0x010300331a0302002e533d38464237423338413143394230464345363337413443343436423836453643453735423631333343 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x145eec75165df655f0147a7829674fc1 [ttls] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 117 to 192.168.42.16 port 20008 EAP-Message = 0x010a006f15800000006517030100609b43286f77f3bd456023796fbb726aa2a000774552abac244451e219676e643c0479c127ac4191f1b57771bca1ab1bb3bc576f324d7a461d492ffe42a020a767dc2473e6684d4bd4576f1da93a52e35ddc9f602bd0f530f2cd820ba64a67e185 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x91d0802899da954d542d6ddb9dd69868 Finished request 8. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.42.16 port 20008, id=118, length=218 NAS-Port-Id = "AP2/1" Calling-Station-Id = "AC-72-89-16-1B-1A" Called-Station-Id = "00-26-3E-62-42-86:GW-Auth" Service-Type = Framed-User User-Name = "anonymous" NAS-Port = 44319 State = 0x91d0802899da954d542d6ddb9dd69868 EAP-Message = 0x020a003f1580000000351703010030fe1936f17c8e2ab8f3ce4d548e0b1ede69c56f0f16daaab2acd44eef5604d89d6b41a73819b36eabda32b0252040dca9 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 192.168.42.16 NAS-Identifier = "Juniper" Message-Authenticator = 0x9b609073ae0045a102414c80df4102b0 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 10 length 63 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 53 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request EAP-Message = 0x020300061a03 FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request EAP-Message = 0x020300061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "josef@testdomain.com" State = 0x145eec75165df655f0147a7829674fc1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "testdomain.com" for User-Name = "josef@testdomain.com" [suffix] No such realm "testdomain.com" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> josef@testdomain.com [sql] sql_set_user escaped user --> 'josef@testdomain.com' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT '111', '%{SQL-User-Name}', 'Cleartext-Password', (select GuestAuthRADIUS ('%{SQL-User-Name}', '%{Calling-Station-Id}' ,'%{Packet-Src-IP-Address}')), ':=' -> SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' rlm_sql_mysql: query: SELECT '111', 'josef@testdomain.com', 'Cleartext-Password', (select GuestAuthRADIUS ('josef@testdomain.com', '' ,'192.168.42.16')), ':=' [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'josef@testdomain.com' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = BINARY 'josef@testdomain.com' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x8f5655df86e81e5a24bfa4c85ada49f3 MS-MPPE-Recv-Key = 0x6146786d1ba27020711ac24a8f4e4cac EAP-Message = 0x03030004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "josef@testdomain.com" [ttls] Got tunneled Access-Accept [eap] Freeing handler rlm_eap_ttls: Freeing handler for user josef@testdomain.com ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 118 to 192.168.42.16 port 20008 MS-MPPE-Recv-Key = 0x816dbbf73a1be4d050b27aabb2bfbcb37b9421231a9f9322c77806fe3659b654 MS-MPPE-Send-Key = 0x7ab2c244adbb83f54bfd05d05eb15acb2ee4b12060942dd6d39cca6a5c8c668d EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 9.
On 09/06/14 14:12, Dean Goldhill wrote:
[mschap] ERROR: User-Name (user@domain.com <mailto:user@domain.com>) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2.
Don't change the username. This won't work. Instead, change the SQL queries, either to use another attribute (with the domain appended) or to append the domain in the query. I can't say much more because your query is too vague without an example debug.
participants (3)
-
Alan DeKok -
Dean Goldhill -
Phil Mayers