iOS, Certificate and "Could not scan for wireless network"
Hi all, in my test environment i'm facing this problem: When i try to connect from an iPad (iOS 8.4 and 9.0) i receive the Certificate immediately followed by the popup saying "Could not scan for wireless network" ( http://www.smaldino.it/appo/IMG_1160.png ) Almost simultaneously FR ends with "Ready to process requests." and, even if i close the popup and tap "Trust", it doesn't connect. I visited http://wiki.freeradius.org/guide/Certificate_Compatibility#eap-session-did-n... but it refers to Windows problems and MTU size. In the log i found that the Framed-MTU is set to 1400, is it small enough, or the problem is elsewhere? And the last: sometimes after the popup and the "Trust" it connects! N.B. FR and the AP are on the same LAN. Thanks for the help. V radiusd: FreeRADIUS Version 2.2.8, for host i686-pc-linux-gnu, built on Sep 22 2015 at 21:42:30 Copyright (C) 1999-2015 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/eap.conf main { allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/tmp/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no allow_vulnerable_openssl = no } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = yes dead_time = 120 wake_all_if_all_dead = no } realm LOCAL { authhost = LOCAL accthost = LOCAL } realm SMALDINO.LAN { authhost = LOCAL accthost = LOCAL } radiusd: #### Loading Clients #### client 127.0.0.1 { require_message_authenticator = no secret = "ZeroShell" shortname = "localhost" nastype = "other" } client 192.0.0.0/8 { require_message_authenticator = no secret = "testing123" shortname = "Cl192" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = yes with_ntdomain_hack = yes allow_retry = yes } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/ssl/certs/trusted_CAs/" pem_file_type = yes private_key_file = "/var/register/system/radius/TLS/key.pem" certificate_file = "/var/register/system/radius/TLS/cert.pem" dh_file = "/etc/ssl/dh.pem" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no check_all_crl = no ecdh_curve = "prime256v1" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = yes include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_attr_rewrite Module: Instantiating module "routeradmin" from file /etc/raddb/radiusd.conf attr_rewrite routeradmin { attribute = "User-Name" searchfor = ".enab15." searchin = "packet" replacewith = "_enab15_" append = no ignore_case = yes new_attribute = no max_matches = 10 } Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf preprocess { with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/raddb/radiusd.conf detail auth_log { detailfile = "/var/log/radius/reply" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/radiusd.conf files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" compat = "no" } reading pairlist file /etc/raddb/users reading pairlist file /etc/raddb/acct_users Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb/radiusd.conf ldap { server = "127.0.0.1" port = 389 password = "" expect_password = yes identity = "" net_timeout = 1 timeout = 4 timelimit = 3 max_uses = 0 tls_mode = no start_tls = no tls_require_cert = "allow" basedn = "ou=Radius,dc=smaldino,dc=lan" filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" password_attribute = "sn" auto_header = no access_attr = "dialupAccess" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type conns: 0x861cf48 Module: Linked to module rlm_exec Module: Instantiating module "pppIP" from file /etc/raddb/radiusd.conf exec pppIP { wait = yes program = "/root/kerbynet.cgi/scripts/pppIP" input_pairs = "request" output_pairs = "reply" shell_escape = yes } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf detail { detailfile = "/dev/null" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } Module: Instantiating module "acct_store" from file /etc/raddb/radiusd.conf exec acct_store { wait = yes program = "/root/kerbynet.cgi/scripts/acct_store" input_pairs = "request" output_pairs = "reply" shell_escape = yes } Module: Checking post-auth {...} for more modules to load Module: Instantiating module "SessionLimits" from file /etc/raddb/radiusd.conf exec SessionLimits { wait = yes program = "/root/kerbynet.cgi/scripts/radius-session-limits" input_pairs = "request" output_pairs = "reply" shell_escape = yes } Module: Instantiating module "RadiusLog" from file /etc/raddb/radiusd.conf exec RadiusLog { wait = yes program = "/root/kerbynet.cgi/scripts/RadiusLog" input_pairs = "request" output_pairs = "reply" shell_escape = yes } Module: Instantiating module "reply_log" from file /etc/raddb/radiusd.conf detail reply_log { detailfile = "/dev/null" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no escape_filenames = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=10, length=185 User-Name = "test1@smaldino.lan" NAS-IP-Address = 192.168.2.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G" Calling-Station-Id = "BC-3B-AF-C1-9B-41" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0200001701746573743140736d616c64696e6f2e6c616e Message-Authenticator = 0x6d9e58408de63738f0cffcafff2cf992 # Executing section authorize from file /etc/raddb/radiusd.conf +group authorize { [routeradmin] expand: .enab15. -> .enab15. routeradmin: Does not match: User-Name = test1@smaldino.lan ++[routeradmin] = ok ++[preprocess] = ok [auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply [auth_log] /var/log/radius/reply expands to /var/log/radius/reply [auth_log] expand: %t -> Fri Oct 16 17:30:49 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "smaldino.lan" for User-Name = "test1@smaldino.lan " [suffix] Found realm "SMALDINO.LAN" [suffix] Adding Stripped-User-Name = "test1" [suffix] Adding Realm = "SMALDINO.LAN" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 0 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1) [ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 127.0.0.1:389, authentication 0 [ldap] bind as / to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1) [ldap] checking if remote access for test1 is allowed by dialupAccess [ldap] Added User-Password = testa in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok Exec output: [pppIP] Exec: program returned: 0 ++[pppIP] = ok +} # group authorize = updated Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/radiusd.conf +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 10 to 192.168.2.1 port 45290 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1c2aac6e1c3a7cd8f7bb7a7c9250742 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=11, length=186 User-Name = "test1@smaldino.lan" NAS-IP-Address = 192.168.2.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G" Calling-Station-Id = "BC-3B-AF-C1-9B-41" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020100060319 State = 0xe1c2aac6e1c3a7cd8f7bb7a7c9250742 Message-Authenticator = 0x8a2a41183e342309aa40ff4974455ba7 # Executing section authorize from file /etc/raddb/radiusd.conf +group authorize { [routeradmin] expand: .enab15. -> .enab15. routeradmin: Does not match: User-Name = test1@smaldino.lan ++[routeradmin] = ok ++[preprocess] = ok [auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply [auth_log] /var/log/radius/reply expands to /var/log/radius/reply [auth_log] expand: %t -> Fri Oct 16 17:30:49 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "smaldino.lan" for User-Name = "test1@smaldino.lan " [suffix] Found realm "SMALDINO.LAN" [suffix] Adding Stripped-User-Name = "test1" [suffix] Adding Realm = "SMALDINO.LAN" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [ldap] performing user authorization for test1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1) [ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1) [ldap] checking if remote access for test1 is allowed by dialupAccess [ldap] Added User-Password = testa in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok Exec output: [pppIP] Exec: program returned: 0 ++[pppIP] = ok +} # group authorize = updated Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/radiusd.conf +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 11 to 192.168.2.1 port 45290 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1c2aac6e0c0b3cd8f7bb7a7c9250742 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=12, length=332 User-Name = "test1@smaldino.lan" NAS-IP-Address = 192.168.2.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G" Calling-Station-Id = "BC-3B-AF-C1-9B-41" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0202009819800000008e160301008901000085030156211829e5957d201cda1bae922443901fe3790b6d9105a60794b4dce2fdfa7400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100 State = 0xe1c2aac6e0c0b3cd8f7bb7a7c9250742 Message-Authenticator = 0x5dbd5564fcff2011be133c641c1ca2a6 # Executing section authorize from file /etc/raddb/radiusd.conf +group authorize { [routeradmin] expand: .enab15. -> .enab15. routeradmin: Does not match: User-Name = test1@smaldino.lan ++[routeradmin] = ok ++[preprocess] = ok [auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply [auth_log] /var/log/radius/reply expands to /var/log/radius/reply [auth_log] expand: %t -> Fri Oct 16 17:30:49 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "smaldino.lan" for User-Name = "test1@smaldino.lan " [suffix] Found realm "SMALDINO.LAN" [suffix] Adding Stripped-User-Name = "test1" [suffix] Adding Realm = "SMALDINO.LAN" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 2 length 152 [eap] Continuing tunnel setup. ++[eap] = ok ++[files] = noop [ldap] performing user authorization for test1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1) [ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1) [ldap] checking if remote access for test1 is allowed by dialupAccess [ldap] Added User-Password = testa in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok Exec output: [pppIP] Exec: program returned: 0 ++[pppIP] = ok +} # group authorize = ok Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/radiusd.conf +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 142 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0089], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06e1], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 12 to 192.168.2.1 port 45290 EAP-Message = 0x0103040019c00000093716030100310200002d0301562118299e15ea37dfa894c94cab3ea57e2e0972526b3d634e7bccb67425c007000039000005ff0100010016030106e10b0006dd0006da00033a308203363082021ea003020102020101300d06092a864886f70d010105050030403111300f060355040a1308736d616c64696e6f31173015060355040b130e7a65726f7368656c6c206635666131123010060355040313095a65726f5368656c6c301e170d3135313031353230343034365a170d3137313031343230343034365a3031310e300c060355040b1305486f737473311f301d060355040313167a65726f7368656c6c2e736d616c6469 EAP-Message = 0x6e6f2e6c616e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d1b539e54ef6cf74fe2f83f09b14154adeb5828c2e21394b1acc90e6824e477dddcdf3e4615ed251be9b11e48a6d159f86562f9bae4fb2a4471007d98505d164d21ae3c88e1572fa8cf1d9d1c3b64612ec7433bb4a3e08d4bb703a4fd6a9da5a646c0727259e748198fbe28ff24da657f8ea801054e50e780f5e3a7aeed4a3f6ae4645f0a62209085326da267594a046aeb65084fe76b75012b53ac5fdc33cfab216c74469d35fd25e7a5256b4a88537c51eee6d28b7f6dc4d08b526a4f1c7eeb65d14fa92c1cd41decef5be2f598b01d21129e5c064 EAP-Message = 0xa35282fc3b2c47b9f624f580c03c40738ae49660c45d9d530f8c7324a26b025f30c47fc0d53a28d4cf2d0203010001a34a3048301d0603551d250416301406082b0601050507030106082b0601050507030230270603551d110420301e82167a65726f7368656c6c2e736d616c64696e6f2e6c616e8704c0a802a9300d06092a864886f70d010105050003820101009d36d4d05d2b35426bdc0fe74f206f793de68df073b6ae57778b8db87c49605f52ea5a95bd9552ff623fc5f135e8b08b370cdf456d392e1cbc2d4a8c18f1c3b7ab3000bce401563fcd2374dce320dbbc3d4b21dd6acb56c74887387e196f41c7090cd7fd9d0fe74f7b260adbde44 EAP-Message = 0x214da1f97e1190c205ffe84af2ca8d10e0ee9692c2083f15670543ccbb56f86b56451d037e9cfe29d6df2837f2c8079d70b0a19af328e8b0e6ffb3d27043aadc2fd7822033ec6954616b209291b16e4b687b7b008bd60da8763ccddd0352dd8f795d6e28c5c5446da4d4014a4a8307b1f30c72655cd2e4a351a18456acf092800ae5526d900a90dfac92f4eadc27b95ab1bd00039a308203963082027ea003020102020100300d06092a864886f70d010105050030403111300f060355040a1308736d616c64696e6f31173015060355040b130e7a65726f7368656c6c206635666131123010060355040313095a65726f5368656c6c301e170d313531 EAP-Message = 0x3031353230343034335a170d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1c2aac6e3c1b3cd8f7bb7a7c9250742 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=13, length=186 User-Name = "test1@smaldino.lan" NAS-IP-Address = 192.168.2.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G" Calling-Station-Id = "BC-3B-AF-C1-9B-41" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020300061900 State = 0xe1c2aac6e3c1b3cd8f7bb7a7c9250742 Message-Authenticator = 0x9cfe139ac01c61752c18a7d388667309 # Executing section authorize from file /etc/raddb/radiusd.conf +group authorize { [routeradmin] expand: .enab15. -> .enab15. routeradmin: Does not match: User-Name = test1@smaldino.lan ++[routeradmin] = ok ++[preprocess] = ok [auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply [auth_log] /var/log/radius/reply expands to /var/log/radius/reply [auth_log] expand: %t -> Fri Oct 16 17:30:49 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "smaldino.lan" for User-Name = "test1@smaldino.lan " [suffix] Found realm "SMALDINO.LAN" [suffix] Adding Stripped-User-Name = "test1" [suffix] Adding Realm = "SMALDINO.LAN" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[files] = noop [ldap] performing user authorization for test1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1) [ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1) [ldap] checking if remote access for test1 is allowed by dialupAccess [ldap] Added User-Password = testa in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok Exec output: [pppIP] Exec: program returned: 0 ++[pppIP] = ok +} # group authorize = ok Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/radiusd.conf +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 13 to 192.168.2.1 port 45290 EAP-Message = 0x010403fc19403235313031323230343034335a30403111300f060355040a1308736d616c64696e6f31173015060355040b130e7a65726f7368656c6c206635666131123010060355040313095a65726f5368656c6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100c983e10b966097fa8cdcc116ca16f95a9fa3ff365c3afc3870473f14308f0e9bf8f2d238a29396c0bfa28787a32b5c37df143255ebf2beb0da5aa2dde6cb7ac816d84a4f0b7c6cf801f41c9f1864c5746a19ab63e528407b76c474bfeaa2a5508fbb21e7385be79469beda208179e7c7431fa5653b6427f029445ffda67e98be7b8ff7d0bc6e03 EAP-Message = 0xd00f009634ac4474b69514c73e11e88609b1c854969abbd84d7a30d984780d6c8914c3fc8662662d648ba35adf4d9d3a91b84f10c13a3f6daaad83580e1b967491e1ce8455dfeaafb136bfecd436ce977d3bb7b678392ae6733b715541625de10304701ad617651192988324c18d5685e76e6fec30221c8b650203010001a3819a308197301d0603551d0e04160414260ab6b08949dd42c15f6f70ee273d02ab40bb4030680603551d230461305f8014260ab6b08949dd42c15f6f70ee273d02ab40bb40a144a44230403111300f060355040a1308736d616c64696e6f31173015060355040b130e7a65726f7368656c6c206635666131123010060355 EAP-Message = 0x040313095a65726f5368656c6c820100300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010098174b261bcadaf871a77223fbd6c3e19001c44657b245df2fe84d0bc97498696ee9c3f9ab1d811189da45915e8f2af130934f41d53264b0245cc7d1baef9ccb3c1d936933ef7c21c2663b454e2dce96aa389c4c90ac37411191dbf1e1d0c2db33f0fbb2ac98f4ea25bef3240190adcde5dd88b60c1c66f7099fae94714330cd9454daa48e840fd23d1bcd6c85a542ed956cc87b28e8422043890df20f354f5780a53fde4d3ccb064f2cb42fb132bb3d3372a70fcc13e73b7f5b77016a25f1b42a8a0da03a5e79ef7e4b99 EAP-Message = 0xd1ec2beda6bed9c8da4a96da10d15f6b62b4c21c87a0c4eb800427f0134d36b480cde0e865f7ff50b45771c21a223396516648857a160301020d0c0002090080bf8ec9af3537d850914da67115562a2214d2ad0b1f1fac1fcb7f4899b88ce4e660b5da88ffb064f0bdfd94881795f6e4901247037ee111dcbeb512cfb1ace3c35ff4316dfccbd2a5d2dc7be52acf4b9db3ffd7896eea89e9879e9bbe16ed7eef0c75c2a835964bf0234029f6fe8e31554ab70d768d5c1659fe7ff435d3f707db0001020080a700c7436388918a6147213ca8ee2824c43967830afa13078e10d880d0e5348cb93342307ae3407bc43014aac874c2e88dba462fdef3b459 EAP-Message = 0x529d5e7cf72734cf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1c2aac6e2c6b3cd8f7bb7a7c9250742 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=14, length=186 User-Name = "test1@smaldino.lan" NAS-IP-Address = 192.168.2.1 NAS-Port = 0 Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G" Calling-Station-Id = "BC-3B-AF-C1-9B-41" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x020400061900 State = 0xe1c2aac6e2c6b3cd8f7bb7a7c9250742 Message-Authenticator = 0x036f0f4ebd2ecf2f42519b9ad1983cf1 # Executing section authorize from file /etc/raddb/radiusd.conf +group authorize { [routeradmin] expand: .enab15. -> .enab15. routeradmin: Does not match: User-Name = test1@smaldino.lan ++[routeradmin] = ok ++[preprocess] = ok [auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply [auth_log] /var/log/radius/reply expands to /var/log/radius/reply [auth_log] expand: %t -> Fri Oct 16 17:30:49 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] Looking up realm "smaldino.lan" for User-Name = "test1@smaldino.lan " [suffix] Found realm "SMALDINO.LAN" [suffix] Adding Stripped-User-Name = "test1" [suffix] Adding Realm = "SMALDINO.LAN" [suffix] Authentication realm is LOCAL. ++[suffix] = ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok ++[files] = noop [ldap] performing user authorization for test1 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1) [ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1) [ldap] checking if remote access for test1 is allowed by dialupAccess [ldap] Added User-Password = testa in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test1 authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok Exec output: [pppIP] Exec: program returned: 0 ++[pppIP] = ok +} # group authorize = ok Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/radiusd.conf +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 14 to 192.168.2.1 port 45290 EAP-Message = 0x0105015119005e963fa660565b4f8d54a4372bff3740c57468a50cf21cd8099dd3cf425b7290ed2436ee93161bcc029536743df097d32ae39e90fc05f71bb2b321a485a800b50100b4dc522b855ce93ef5c9b899d8e0a8411d840241ececb7dc5c1943ff2982e80fd5e4e5962aa409b18116629a4872088c64eef13c409fe3866526de48426570ba1a64dfb416ad4f26324b6e8b95f34f05e278136ef01667f3cdb971f0865f77fdc3f686583136ed78708bad75ae4ef44b784320f3378d337f1018497e859baca9f31136e2e7543954a88d6e217ac9043e5b0959c8b5d901b78e55f6cd5106d84929bfd31aadbb05fa0e0aa0e62b98fa0f354ac412d5 EAP-Message = 0x4bcf1659c974acbd061c230a936775ca0ce5d0590ea4b3d185806e7fb12aab089f77cbaa7ec004873d51555d3a447198e8471c1d92993599e7cc30c4cc1264e97f0b1d0f196e2294d36c6416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe1c2aac6e5c7b3cd8f7bb7a7c9250742 Finished request 4. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 10 with timestamp +35 Cleaning up request 1 ID 11 with timestamp +35 Cleaning up request 2 ID 12 with timestamp +35 Cleaning up request 3 ID 13 with timestamp +35 Cleaning up request 4 ID 14 with timestamp +35 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xe1c2aac6e5c7b3cd did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. -- Vito A. Smaldino
participants (1)
-
Vito A. Smaldino