I'm trying to get Perl authentication setup along with Peap/MSChapV2. I have a perl script that I wish to use to authenticate the user but for some reason, it does not look like the perl script is even being called at the point where it needs to. See below for the log. I could be wrong, but the issue seems to be here: ------------------------------------------------ WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancel ling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Re jecting the user auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled -------------------------------------------------- If I need to provide any config files, please just say so. I'm not sure which ones to include here. Version is 2.0.5 Thanks. -Adam Sewell Log: -------------------------------------------------- rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=131, lengt h=152 Message-Authenticator = 0xede4cc6e1f95787b1f2f1eb7172fdf44 User-Name = "testUser" NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" EAP-Message = 0x0207000d016c6a61636b736f6e Framed-MTU = 1000 Called-Station-Id = "0001F4-B6-1B-80\0004" NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 7 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 0: Preceding "if" was taken ++ ... skipping elsif for request 0: Preceding "if" was taken rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 131 to 192.168.240.78 port 2372 EAP-Message = 0x010800061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426bd8d7d24113b1577a1fc0b35 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=132, lengt h=249 Message-Authenticator = 0xff045bcad52434215028c1d31990ae00 User-Name = "testUser" State = 0xbd856426bd8d7d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0208005c190016030100510100004d030149c2516a7d86eed958cf9d bcc1b3a313d5271a03db4f39f3ce88760640dfaabc00002600390038003500160013000a 00330032 002f00050004001500120009001400110008000600030100 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 8 length 92 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 132 to 192.168.240.78 port 2372 EAP-Message = 0x010903e419c000000acd160301004a02000046030149c23c6e6f3afe ce786b5cb656f4566f4b9ab71a9b123a9ee0c351d3cacad44a20e9c2f3afa8b7e0eeb081 288ac57e 9975f411c844194714ff16f15cde4ad2f3ae003900160301085e0b00085a0008570003a6 308203a2 3082028aa003020102020101300d06092a864886f70d0101040500308193310b30090603 55040613 024652310f300d060355040813065261646975733112301006035504071309536f6d6577 68657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01 09011611 61646d696e406578616d706c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f 72697479301e170d3039303232363138313530335a170d3130303232363138313530335a 307c310b 3009060355040613024652310f300d060355040813065261646975733115301306035504 0a130c45 78616d706c6520496e632e312330210603550403131a4578616d706c6520536572766572 20436572 74696669636174653120301e06092a864886f70d010901161161646d696e406578616d70 6c652e63 6f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100af 91ce4cc9 6ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10cf4d8 EAP-Message = 0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e 710762d5ede33f41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b5277 76d70068 a939f58c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3d f16df486 41151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb54 532c642b 009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21496f55717d 44b2ef16 38b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389cbbd9e48328d7f88506 41d50203 010001a317301530130603551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101005e3f3bed58 8f5e438581d8abdf869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e 3baa1e6b ea239a7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d85 5ba97f35 b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a108e 60a54b95 8ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe9a4a8fe741 7795f114 9529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e60db88e70bb9f66b22 433be9a9 d28522870278805bab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426bc8c7d24113b1577a1fc0b35 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=133, lengt h=163 Message-Authenticator = 0x1a136248076ddec3dfa07234893eb3fb User-Name = "testUser" State = 0xbd856426bc8c7d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020900061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 9 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 133 to 192.168.240.78 port 2372 EAP-Message = 0x010a03e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082af c3ba1fc97a0d151f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102 020900ba d26bfd4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302 4652310f 300d060355040813065261646975733112301006035504071309536f6d65776865726531 15301306 0355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161 646d696e 406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469 66696361 746520417574686f72697479301e170d303930323236313831 EAP-Message = 0x3530315a170d3039303332383138313530315a308193310b30090603 55040613024652310f300d06035504081306526164697573311230100603550407130953 6f6d6577 6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a8648 86f70d01 0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d 706c6520 436572746966696361746520417574686f7269747930820122300d06092a864886f70d01 01010500 0382010f003082010a0282010100c005918d15156e31de5cad4be43bcee9a30544cbd781 4d9e8b12 5c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c696e EAP-Message = 0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e58 0f4505da0d6b20c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4e f7defd41 353010449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e708 8bf1930a 59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc460 182cf327 c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695aa1e00e461 fc004d86 f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081f8301d0603551d0e04 160414d0 0f03b207edebc2780daafc959d2c27157dcad13081c8060355 EAP-Message = 0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157d cad1a18199a48196308193310b3009060355040613024652310f300d0603550408130652 61646975 733112301006035504071309536f6d65776865726531153013060355040a130c4578616d 706c6520 496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e63 6f6d3126 30240603550403131d4578616d706c6520436572746966696361746520417574686f7269 74798209 00bad26bfd4ce6479b300c0603551d13040530030101ff300d06092a864886f70d010105 05000382 010100183c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426bf8f7d24113b1577a1fc0b35 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=134, lengt h=163 Message-Authenticator = 0xfe56a2125a6096f339b3c22ce587817b User-Name = "testUser" State = 0xbd856426bf8f7d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020a00061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 10 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 134 to 192.168.240.78 port 2372 EAP-Message = 0x010b031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3 bb5f8497c3f7eea643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416a f68cb847 4782e1d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965 fa1bc70c 89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c88 3b5411c1 07b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0da70125b207 3f724b7d 1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a34f89235844c88cc09 f44d3915 1cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b34a57 EAP-Message = 0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931 ea0e63d9b9ab25cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6f d4302399 a2a156a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4e c85778a8 806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a22428 44530001 0200807016d2ffeeac20415bd5e3d06f5d56797b894340ba4cfa86b7c249d7a19f4a30a1 50166a1c ad77dc80946762574bbe839165a11847955d822c7618609cb0823aa6fbfa3fde5ac1689d e3992cc7 7b62ed0f56f46e72899d535b2a7686b42a23879e2e43b31ebe EAP-Message = 0x1436022c138e7ea74e034cd234eed9bf9e88a34b36dcf47a567b0100 5ecc0ea78b9c0878dfc0795293d10b08dd9bd428ded50b9ee6e466268adcefea9d179f53 f109cdb2 1a8e7a3db6b0968211beffd26709bdfd941711deeadcfcdb3070a225778a47dd4d37e189 b12514b4 002bee6009872c50d6fba56fc0a687d4d6d4db9e034ce2679d03a28d2b3cc2cdee4c2107 7e7c41aa 15a5e1cb08fa98e01ad0c70248712e18b4e491dc63d54c1e0e4276997f834f02a76138e4 ecc3cf95 2f47659401e312bc4e3a1f7fad06988938bb26f6e16261603f793c33220772ae205cdab2 7d1b7271 846bf24a154840e38af13a8be8e8b37245599708ee3458d84d EAP-Message = 0xf119be8b5c51d006e288aa595c249249489b1c5e01ba8561fac3ff17 13e15416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426be8e7d24113b1577a1fc0b35 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=135, lengt h=361 Message-Authenticator = 0xaadc7c7cbfc2e4703d87937b07653f56 User-Name = "testUser" State = 0xbd856426be8e7d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020b00cc1900160301008610000082008034b73538e4af77762136cf 968dff3f35c0d7d26816075e8acf59f85a9ea17d2d2bdaba8c52bf8b73ca5e4cf1b3f41d df18b7b3 445bd77cd43505da9d00164b0b4e910aaa253aa28e96c2b434a5bffc9676162be91af163 ed23925d 1d81ba43067a5a8745490c4084d009852adf47e9378c5449fc0ec305b358ee2bbfae681f 04140301 0001011603010030c008d2eb665cdccc20489b58aef27cf392e5c948d673fb629ba7c518 b1b5639c a046ccb28c891a79e2fedb7bc1b55850 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 11 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 135 to 192.168.240.78 port 2372 EAP-Message = 0x010c0041190014030100010116030100309920be9ebe8f52fa4ed630 8ada16be1cd50eec4ec78738d17b4397acff90fd2bf52e77f77ceb28a8acacd32c82e092 ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426b9897d24113b1577a1fc0b35 Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=136, lengt h=163 Message-Authenticator = 0xcfaba03208b5391f2170865024c7b4d2 User-Name = "testUser" State = 0xbd856426b9897d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020c00061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 12 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 136 to 192.168.240.78 port 2372 EAP-Message = 0x010d002b19001703010020eaa91fa81f90eda46f466f7882f677ea9e bcc91b987231d339cf0aa989cf0c54 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426b8887d24113b1577a1fc0b35 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=137, lengt h=237 Message-Authenticator = 0xa9aedf5cd00f0ac40e58d97685afb53c User-Name = "testUser" State = 0xbd856426b8887d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020d00501900170301002057cb0d149913d21e3bf3fef3c63273735c 374f1f98a48743223f9256cf517be31703010020a85accc63c089e33310a616953971ec9 20520cb9 8fe0d3244b4bd8ce10aaa739 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 13 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - testUser PEAP: Got tunneled identity of testUser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to testUser +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testUser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancel ling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Re jecting the user auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 137 to 192.168.240.78 port 2372 EAP-Message = 0x010e002b190017030100200dbc1fdc99ce198e1395aaf13395f18c2a d4deecf9025e18d3a17e85698aba58 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbd856426bb8b7d24113b1577a1fc0b35 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2372, id=138, lengt h=237 Message-Authenticator = 0xc55c7e9c1e86cc3723640d1d5ca4ed5e User-Name = "testUser" State = 0xbd856426bb8b7d24113b1577a1fc0b35 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020e00501900170301002059f4b1892fa7f016f7576a058660d11c7d 8064c436922e0ce4963588c05be5be1703010020d23026f856c74389b87ecbb68d220a7f 215ee0f5 1ed4cd4746cfdb39c6180a48 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop users: Matched entry DEFAULT at line 189 ++[files] returns ok rlm_eap: EAP packet type response id 14 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type Perl rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'testUser' auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this sessio n. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5 -74) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testUser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 138 to 192.168.240.78 port 2372 EAP-Message = 0x040e0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 131 with timestamp +1335 Cleaning up request 1 ID 132 with timestamp +1335 Cleaning up request 2 ID 133 with timestamp +1335 Cleaning up request 3 ID 134 with timestamp +1335 Waking up in 0.1 seconds. Cleaning up request 4 ID 135 with timestamp +1336 Cleaning up request 5 ID 136 with timestamp +1336 Cleaning up request 6 ID 137 with timestamp +1336 Cleaning up request 7 ID 138 with timestamp +1336 Ready to process requests.
Hi, you dont have a LOCAL defined in proxy.conf - set that. you are allowing EAP to come before perl, it seems, in your auth or post-auth sections. also, are you hardcoding Auth-Type ? it appears that you are. that is bad in general. if the PERL isnt being called check that you have enabled PERL functionality - ie in 2.x check that the perl module is configured correctly in modules/perl and that the function you want to call (auth, or post-auth) is enabled in that module. check that you call 'perl' in the Authorise section, for example, in your sites-enabled/$VIRTUAL-HOST-YOU-USE alan
In my proxy.conf file, I have Realm LOCAL { } I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE == PEAP, Proxy-To-Realm := LOCAL to the users file. So I added that to the users file. Is realm Local {} not correct? If not, what should it be? In the sites-enabled/default I had eap { ok = return} before I had the statement calling perl, so I moved the eap {} to after the perl statement. This is in the authorize function. I did hardcode the Auth-Type perl because the wiki said to in the users file. I've taken that out now. I know that perl is being initiated because this is in the log file, Module: Instantiating perl perl { module = "/etc/raddb/perl/authorize.pl" func_authorize = "authorize" func_authenticate = "authenticate" and I do call perl in the authorize section of the sites-enabled/default file. Thanks for your help. -Adam New Log: ------------------------------------------------------------------------ ----- Listening on authentication address 192.168.214.119 port 1812 Listening on accounting address * port 1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=224, length=152 Message-Authenticator = 0xb681fb7cb43023dfa88fdf7c84c72173 User-Name = "testUser" NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" EAP-Message = 0x0201000d016c6a61636b736f6e Framed-MTU = 1000 Called-Station-Id = "0001F4-B6-1B-80\0004" NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 0: Preceding "if" was taken ++ ... skipping elsif for request 0: Preceding "if" was taken rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 224 to 192.168.240.78 port 2435 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a0472bab8876dd9daf2a9b0548 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=225, length=249 Message-Authenticator = 0xcb9007ad59f00da438e5b5f58606ae9d User-Name = "testUser" State = 0x4729b2a0472bab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0202005c190016030100510100004d030149c261cf4866425b9fb5f855a3b6cf3e448f a79400bdae2cd5c064fe096c57a100002600390038003500160013000a00330032002f00 050004001500120009001400110008000600030100 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 1: Preceding "if" was taken ++ ... skipping elsif for request 1: Preceding "if" was taken rlm_eap: EAP packet type response id 2 length 92 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 225 to 192.168.240.78 port 2435 EAP-Message = 0x010303e419c000000acd160301004a02000046030149c24cdaa169ca3d3a6669aac71f 727b0b3851d2623352c341da5a50031feaa420e98cd4bf8a1a07fccb1773270380546562 1a5292d44e84d92a287a6bace07f47003900160301085e0b00085a0008570003a6308203 a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906 0355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603 5504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906 0355040613024652310f300d0603550408130652616469757331153013060355040a130c 4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665 722043657274696669636174653120301e06092a864886f70d010901161161646d696e40 6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10c f4d8 EAP-Message = 0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e710762d5ede33f 41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b527776d70068a939f5 8c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3df16df4 8641151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb 54532c642b009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21 496f55717d44b2ef1638b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389c bbd9e48328d7f8850641d50203010001a317301530130603551d25040c300a06082b0601 0505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101005e3f3bed588f5e438581d8ab df869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e3baa1e6bea239a 7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d855ba97f 35b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a10 8e60a54b958ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe 9a4a8fe7417795f1149529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e 60db88e70bb9f66b22433be9a9d28522870278805bab Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a0462aab8876dd9daf2a9b0548 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=226, length=163 Message-Authenticator = 0x388d469a46b320847d396bb997b5e248 User-Name = "testUser" State = 0x4729b2a0462aab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020300061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 2: Preceding "if" was taken ++ ... skipping elsif for request 2: Preceding "if" was taken rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 226 to 192.168.240.78 port 2435 EAP-Message = 0x010403e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082afc3ba1fc97a0d15 1f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102020900bad26bfd 4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302465231 0f300d060355040813065261646975733112301006035504071309536f6d657768657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01 0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d 706c6520436572746966696361746520417574686f72697479301e170d30393032323631 3831 EAP-Message = 0x3530315a170d3039303332383138313530315a308193310b3009060355040613024652 310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747930820122300d06092a86 4886f70d01010105000382010f003082010a0282010100c005918d15156e31de5cad4be4 3bcee9a30544cbd7814d9e8b125c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c 696e EAP-Message = 0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e580f4505da0d6b20 c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4ef7defd41353010 449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e7088bf193 0a59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc4 60182cf327c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695 aa1e00e461fc004d86f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081 f8301d0603551d0e04160414d00f03b207edebc2780daafc959d2c27157dcad13081c806 0355 EAP-Message = 0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157dcad1a18199a481 96308193310b3009060355040613024652310f300d060355040813065261646975733112 301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65 20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 74686f72697479820900bad26bfd4ce6479b300c0603551d13040530030101ff300d0609 2a864886f70d01010505000382010100183c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a0452dab8876dd9daf2a9b0548 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=227, length=163 Message-Authenticator = 0xf324d706ef4ecc346f70e82c2665e56f User-Name = "testUser" State = 0x4729b2a0452dab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020400061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 3: Preceding "if" was taken ++ ... skipping elsif for request 3: Preceding "if" was taken rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 227 to 192.168.240.78 port 2435 EAP-Message = 0x0105031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3bb5f8497c3f7ee a643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416af68cb8474782e1 d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965fa1bc7 0c89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c 883b5411c107b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0d a70125b2073f724b7d1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a 34f89235844c88cc09f44d39151cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b3 4a57 EAP-Message = 0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931ea0e63d9b9ab25 cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6fd4302399a2a156 a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4ec85778 a8806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a224 28445300010200803b2009f31e812a26375be2145065e7a66a8b81664c93c8b937914b9a 9ead3f992f900bdb40a4e0b643fb0f7e53535e350b0f4af48639f2f7806ec4b1b2dde599 7ec1961a8567b68535c53fe87b23845a5ad9241c3a6be5848a31b4765a16593668256cef 3773 EAP-Message = 0xeab2fa285daf7aa8f62fd36398bb147a69ec61898e1776b72b0e010031da9feecc99d0 06689b78288db21b0453a9e825b52fccfcf0b2d8d78dc07b20038c02853e7746112fe005 8bf8ce45b2da12fd6e05686fe952350a2959b22e53aa20b41f4a7eb573573fb8ec561d4b 01ebb53618818f55c2a0711652a0c5fb933fd2dfb48096b38c85d4e40a2e4f07d58177a8 4c98892bf917f0a7c7f7935b9f8a9c37b194e399876ec1c4b6f54f2fe1a1a1a92d198e2d c48568df40ae1dd385462357fadcd86f49f0aab31d60f04bf9a82b71ca45b2131f677fe3 11302116732ea45e9bd7807b8be3a8c422ddd9ccfdfcdb90f135d631cb75495351a2835c 2a7e EAP-Message = 0x558fc4bf96b7f7fa3dad44ecb9bb64915dcb7474d65f2b1155b18a514f1ec116030100 040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a0442cab8876dd9daf2a9b0548 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=228, length=361 Message-Authenticator = 0xc2ec7e0e35f2af546055bc8ab6ce72ae User-Name = "testUser" State = 0x4729b2a0442cab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020500cc19001603010086100000820080327bccc59960afdfbffbc3ea54dd761b956d 4a0627e14d53d9f0a99168dbc274980e992c11080644e2df2f6123825453b93340725c53 43ec0958b8a7039423db548d654463b6f1c5a696045b30e04e9d434e15e9629e7f73f26f 8d6986fe7deff09ae0f96ca52a5ccbd041b6614bd4cfe41090588f96eff7656607c843e6 7d6e14030100010116030100305cd27961643013446263982fe4f250da27cdd22ce007cb bca8e85bdf3c713b35e9dfc2e3511c6f9589011d5b46ddb091 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 4: Preceding "if" was taken ++ ... skipping elsif for request 4: Preceding "if" was taken rlm_eap: EAP packet type response id 5 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 228 to 192.168.240.78 port 2435 EAP-Message = 0x0106004119001403010001011603010030288f5a1a33632738112553c48f095f48a5c6 b62dd29ad292103b06aed5e7066326c5c6045394b899a96107790f687390 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a0432fab8876dd9daf2a9b0548 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=229, length=163 Message-Authenticator = 0xf7881d1e61842e0ad6147bcf63dd46bc User-Name = "testUser" State = 0x4729b2a0432fab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020600061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 5: Preceding "if" was taken ++ ... skipping elsif for request 5: Preceding "if" was taken rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 229 to 192.168.240.78 port 2435 EAP-Message = 0x0107002b190017030100204cf0c6d00e903af6d9bc6afda2cf11086959d8897fdab282 1f5d04962a770e24 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a0422eab8876dd9daf2a9b0548 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=230, length=237 Message-Authenticator = 0xf12d32407558e9c12a5dfb01fd327299 User-Name = "testUser" State = 0x4729b2a0422eab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0207005019001703010020f0dad26f2a83c4df79c48f23d2834322365ef67c95e52485 909cb1e77a16f31d1703010020804107dab5a6e1693455ef5564cdd0582c9d81e386cc72 e0796a6b09cad23837 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping elsif for request 6: Preceding "if" was taken rlm_eap: EAP packet type response id 7 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - testUser PEAP: Got tunneled identity of testUser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to testUser +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testUser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 230 to 192.168.240.78 port 2435 EAP-Message = 0x0108002b19001703010020ece80cc5c7f409dd5c4f15994546592e373a054226d5e1f5 8166049a203e835c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4729b2a04121ab8876dd9daf2a9b0548 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2435, id=231, length=237 Message-Authenticator = 0x2182c5c53cfbbd289bd90ceee4c4498f User-Name = "testUser" State = 0x4729b2a04121ab8876dd9daf2a9b0548 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0208005019001703010020bf9daf98961e669b4dd1c66f5f6bb4a1aecae6bd206b148d 3e0f78d1a5de2df517030100209db46e6f4313575af773ec994eca4514fa1786c7ee4cf8 54b11d17df897c359a NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 7: Preceding "if" was taken ++ ... skipping elsif for request 7: Preceding "if" was taken rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testUser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 231 to 192.168.240.78 port 2435 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 224 with timestamp +6 Cleaning up request 1 ID 225 with timestamp +6 Cleaning up request 2 ID 226 with timestamp +6 Cleaning up request 3 ID 227 with timestamp +6 Waking up in 0.1 seconds. Cleaning up request 4 ID 228 with timestamp +6 Cleaning up request 5 ID 229 with timestamp +6 Cleaning up request 6 ID 230 with timestamp +6 Cleaning up request 7 ID 231 with timestamp +6 Ready to process requests. -----Original Message----- From: A.L.M.Buxey@lboro.ac.uk [mailto:A.L.M.Buxey@lboro.ac.uk] Sent: Thursday, March 19, 2009 10:26 AM To: FreeRadius users mailing list Subject: Re: Perl/Peap-MSChapV2 Issues Hi, you dont have a LOCAL defined in proxy.conf - set that. you are allowing EAP to come before perl, it seems, in your auth or post-auth sections. also, are you hardcoding Auth-Type ? it appears that you are. that is bad in general. if the PERL isnt being called check that you have enabled PERL functionality - ie in 2.x check that the perl module is configured correctly in modules/perl and that the function you want to call (auth, or post-auth) is enabled in that module. check that you call 'perl' in the Authorise section, for example, in your sites-enabled/$VIRTUAL-HOST-YOU-USE alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In my proxy.conf file, I have
Realm LOCAL { }
I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE == PEAP, Proxy-To-Realm := LOCAL to the users file. So I added that to the users file. Is realm Local {} not correct? If not, what should it be?
Nothing. Zou can delete that DEFAULT entry.
In the sites-enabled/default I had eap { ok = return} before I had the statement calling perl, so I moved the eap {} to after the perl statement. This is in the authorize function.
Put it back as it was. You don't need perl in TLS exchange. Don't list it in default virtual server.
I did hardcode the Auth-Type perl because the wiki said to in the users file. I've taken that out now.
I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back.
I know that perl is being initiated because this is in the log file,
Module: Instantiating perl perl { module = "/etc/raddb/perl/authorize.pl" func_authorize = "authorize" func_authenticate = "authenticate"
and I do call perl in the authorize section of the sites-enabled/default file.
No, don't call perl in default virtual server. Call it in authorize and authenticate in inner-tunnel virtual server. That's where (if you haven't made changes to eap.conf) mschap authentication takes place. Ivan Kalik Kalik Informatika ISP
Thanks for the reply. I've left the Local {} alone in the proxy.conf file. I've taken out the "DEFAULT EAP-TYPE.." from the users file. I've taken out all perl references from the sites-enabled/default and moved them to sites-enabled/inner-tunnel
I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back.
I'm not sure what you mean. Here is the new log: ------------------------------------------------------------------------ --------- Ready to process requests. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=118, length=152 Message-Authenticator = 0xc4502f1e386b9fdcd2d095862915551d User-Name = "192.168." NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" EAP-Message = 0x02f1000d016c6a61636b736f6e Framed-MTU = 1000 Called-Station-Id = "0001F4-B6-1B-80\0004" NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 241 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 118 to 192.168.240.78 port 2565 EAP-Message = 0x01f200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552e427044fa9b3b9c6df5c6ff Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=119, length=249 Message-Authenticator = 0x069b37b2ecf7a36edb9c581f848d9ce9 User-Name = "192.168." State = 0x2eb069552e427044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f2005c190016030100510100004d030149c281bb53687b34071ca2e5b38c3b0b6fff 5d19ebbc4ca51b11a45f82eb1da600002600390038003500160013000a00330032002f00 050004001500120009001400110008000600030100 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 242 length 92 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.240.78 port 2565 EAP-Message = 0x01f303e419c000000acd160301004a02000046030149c26cc54f36624e97984c353fd6 febf8ac11f718be7a317523cb2ec51d441db20007643dca31a0dc8721df5ecd3af888cee 91d082de6b97048be35489cc70e8dc003900160301085e0b00085a0008570003a6308203 a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906 0355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603 5504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906 0355040613024652310f300d0603550408130652616469757331153013060355040a130c 4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665 722043657274696669636174653120301e06092a864886f70d010901161161646d696e40 6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10c f4d8 EAP-Message = 0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e710762d5ede33f 41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b527776d70068a939f5 8c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3df16df4 8641151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb 54532c642b009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21 496f55717d44b2ef1638b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389c bbd9e48328d7f8850641d50203010001a317301530130603551d25040c300a06082b0601 0505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101005e3f3bed588f5e438581d8ab df869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e3baa1e6bea239a 7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d855ba97f 35b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a10 8e60a54b958ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe 9a4a8fe7417795f1149529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e 60db88e70bb9f66b22433be9a9d28522870278805bab Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552f437044fa9b3b9c6df5c6ff Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=120, length=163 Message-Authenticator = 0x503ddd72c6db548c6fec4fb9218e8b34 User-Name = "192.168." State = 0x2eb069552f437044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f300061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 243 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 120 to 192.168.240.78 port 2565 EAP-Message = 0x01f403e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082afc3ba1fc97a0d15 1f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102020900bad26bfd 4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302465231 0f300d060355040813065261646975733112301006035504071309536f6d657768657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01 0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d 706c6520436572746966696361746520417574686f72697479301e170d30393032323631 3831 EAP-Message = 0x3530315a170d3039303332383138313530315a308193310b3009060355040613024652 310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747930820122300d06092a86 4886f70d01010105000382010f003082010a0282010100c005918d15156e31de5cad4be4 3bcee9a30544cbd7814d9e8b125c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c 696e EAP-Message = 0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e580f4505da0d6b20 c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4ef7defd41353010 449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e7088bf193 0a59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc4 60182cf327c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695 aa1e00e461fc004d86f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081 f8301d0603551d0e04160414d00f03b207edebc2780daafc959d2c27157dcad13081c806 0355 EAP-Message = 0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157dcad1a18199a481 96308193310b3009060355040613024652310f300d060355040813065261646975733112 301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65 20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 74686f72697479820900bad26bfd4ce6479b300c0603551d13040530030101ff300d0609 2a864886f70d01010505000382010100183c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552c447044fa9b3b9c6df5c6ff Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=121, length=163 Message-Authenticator = 0x8021baa596732e32a6b6ff9e1b452e15 User-Name = "192.168." State = 0x2eb069552c447044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f400061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 244 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 121 to 192.168.240.78 port 2565 EAP-Message = 0x01f5031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3bb5f8497c3f7ee a643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416af68cb8474782e1 d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965fa1bc7 0c89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c 883b5411c107b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0d a70125b2073f724b7d1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a 34f89235844c88cc09f44d39151cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b3 4a57 EAP-Message = 0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931ea0e63d9b9ab25 cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6fd4302399a2a156 a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4ec85778 a8806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a224 28445300010200806451d1e70e3b2f3c6b16032225bfbfa0571e088d772244d6114bfdc7 e704b05a982c91cf7e935e6ca504b8e627d87d66c44cd4cd3346743b92de99e165af6243 7e235b8fdb20ef865773e2051aa64cb3992591540f63be59d7d57846df902df896b8dea4 f3dd EAP-Message = 0x5a6d1abc0969afe5ac36fa1dfca84627c8bb5359304c6b1c857501003e52b848548114 af61b043b7e103d1b257b0e1c0d67b2825dd9d1d789fc91961e318c38bd42e7ad0a4a7b6 43c594d0947cc40f5ece2f5dfb6184def83ecfa55f821e6d9bbc0760d121b64fa3bff6b8 47ba3c4d2531323870be303cdd6703bd5f3d16a25bbfb0d997772274dd487cd1d50ebd34 f282852d5b3df60af456b45cc3c2066193baa3501d1960c63e3e91a41966ed99870141de d5ba43537ca4627cf16a784887de21eb8600d7a895ef3ab6995430c047883bc835b5b7b4 92ca50808e92ac84a4ac17afe7ec464258d7215768345010bb4ace43e687a18a0973bf13 d125 EAP-Message = 0x964c15fee685a3ff5a50de93701f30c2d6faa7d3cf74d941ef81690e4afabf16030100 040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552d457044fa9b3b9c6df5c6ff Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=122, length=361 Message-Authenticator = 0x2cb5386bb255577cae477eab5882bc80 User-Name = "192.168." State = 0x2eb069552d457044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f500cc19001603010086100000820080203c7a10fc7157eba989f712fd6eeda8eedb 92e3672f5c1f07b72f9ef3fedd0f88314e2be7a453f7f1389c9a34a27c3ce35285aba2cd e83653d0c97acde03abcc6f69cbe42cd73f554d82495ed7c8e130de0e6b1e79d3fd61a50 a32c5f6544cb71885520ca3002cb2c5d137ac3c4176ec46f3b2950108778f1e71462b056 d4d214030100010116030100308900f632f1d415796123682b97976590b06e95cb7a76fb 8c3eae09384be8d3fd2b696178c686c25508a09e5587239f59 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 245 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 122 to 192.168.240.78 port 2565 EAP-Message = 0x01f60041190014030100010116030100308d00339e38242c4d72c4e844e9de1df7f6f7 cde044594e5a32a5c0543a335d477fb74586d3a1743dbc94122d9008c7ee Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552a467044fa9b3b9c6df5c6ff Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=123, length=163 Message-Authenticator = 0x641bc71b0531b0ccbbca5435e0b439fe User-Name = "192.168." State = 0x2eb069552a467044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f600061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 246 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 123 to 192.168.240.78 port 2565 EAP-Message = 0x01f7002b1900170301002076a95031c176e3d15df7749cf6458354b9940cd936dbccb1 d5cf289cdd7372d1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb069552b477044fa9b3b9c6df5c6ff Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=124, length=237 Message-Authenticator = 0x49a531b23ada3c39f6a897f7d10f0c42 User-Name = "192.168." State = 0x2eb069552b477044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f7005019001703010020fe8b92ea49f5055ec724f9da4b10fb99a1d4b5e4652ae576 3529b1bfd353c8aa170301002019c55b3fcab62b6c91ec7e8f7ae5715b346b8ae5102a20 d66d87f4604a2e8843 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 247 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 192.168. PEAP: Got tunneled identity of 192.168. PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 192.168. +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "192.168.", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping elsif for request 6: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [192.168.] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 124 to 192.168.240.78 port 2565 EAP-Message = 0x01f8002b190017030100209027fdf63396cfcaac9f84091c71949bd21d23e845deac24 cd40b704770d422c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2eb0695528487044fa9b3b9c6df5c6ff Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2565, id=125, length=237 Message-Authenticator = 0x41b5e8fbbea177d13ea559438d073fd9 User-Name = "192.168." State = 0x2eb0695528487044fa9b3b9c6df5c6ff NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02f8005019001703010020ab0aecbfaf4745ba42886a5578729502b900143a5989eb29 c80961d95bdeabfd170301002042e0297f34f85a88ae11939eb39077fa541f57f7cbb9cc 1559f956125fc965d8 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 248 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [192.168.] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> 192.168. attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 125 to 192.168.240.78 port 2565 EAP-Message = 0x04f80004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 118 with timestamp +9 Cleaning up request 1 ID 119 with timestamp +9 Cleaning up request 2 ID 120 with timestamp +9 Cleaning up request 3 ID 121 with timestamp +9 Waking up in 0.1 seconds. Cleaning up request 4 ID 122 with timestamp +9 Cleaning up request 5 ID 123 with timestamp +9 Cleaning up request 6 ID 124 with timestamp +9 Cleaning up request 7 ID 125 with timestamp +9 Ready to process requests. -----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Thursday, March 19, 2009 12:18 PM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues
In my proxy.conf file, I have
Realm LOCAL { }
I noticed right above that, that it suggest to add "DEFAULT EAP-TYPE == PEAP, Proxy-To-Realm := LOCAL to the users file. So I added that to the users file. Is realm Local {} not correct? If not, what should it be?
Nothing. Zou can delete that DEFAULT entry.
In the sites-enabled/default I had eap { ok = return} before I had the statement calling perl, so I moved the eap {} to after the perl statement. This is in the authorize function.
Put it back as it was. You don't need perl in TLS exchange. Don't list it in default virtual server.
I did hardcode the Auth-Type perl because the wiki said to in the users file. I've taken that out now.
I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back.
I know that perl is being initiated because this is in the log file,
Module: Instantiating perl perl { module = "/etc/raddb/perl/authorize.pl" func_authorize = "authorize" func_authenticate = "authenticate"
and I do call perl in the authorize section of the sites-enabled/default file.
No, don't call perl in default virtual server. Call it in authorize and authenticate in inner-tunnel virtual server. That's where (if you haven't made changes to eap.conf) mschap authentication takes place. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've taken out all perl references from the sites-enabled/default and moved them to sites-enabled/inner-tunnel
I don't see perl being called:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 192.168. PEAP: Got tunneled identity of 192.168. PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 192.168. +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "192.168.", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping elsif for request 6: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Post the inner-tunnel authorize section.
I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back.
I'm not sure what you mean.
You need to set Auth-Type perl somewhere: users file or perl sub authorize. Ivan Kalik Kalik Informatika ISP
Ok, I've made a little progress. The perl script is now being called correctly and returning the correct data. There seems to be something else now. Thanks for the help! I added DEFAULT Auth-Type = Perl Fall-Through = 1 to users, I think that's what you were wanting. Inner-tunnel authorize ------------------------------ Authorize { Mschap Suffix Update control { Proxy-To-Realm := LOCAL } Eap { Ok=return } Perl Expiration Logintime Pap } Log: ----------------------------------------- Ready to process requests. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=2, length=152 Message-Authenticator = 0xcea30489b92c26ffdaa8fdb6da8efae0 User-Name = "testUser" NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" EAP-Message = 0x0201000d016c6a61636b736f6e Framed-MTU = 1000 Called-Station-Id = "0001F4-B6-1B-80\0004" NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.240.78 port 2676 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae12f28a1800156155aa34531 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=3, length=249 Message-Authenticator = 0x467724da1090475e0f600ab2cb4381ad User-Name = "testUser" State = 0xe12d310ae12f28a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0202005c190016030100510100004d030149c2aa62e5b90d83cec04128bd232e5827f8 075bed072a76f61960ee34f465cb00002600390038003500160013000a00330032002f00 050004001500120009001400110008000600030100 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 2 length 92 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.240.78 port 2676 EAP-Message = 0x010303e419c000000acd160301004a02000046030149c2956da03287d649f047c44cec a603858ff8c65ebdfa6e815377215d9e4fb7201cc450e78d0b149401ea7fda15a2461da3 49131ba90f408400edf975dde9ce60003900160301085e0b00085a0008570003a6308203 a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906 0355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603 5504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906 0355040613024652310f300d0603550408130652616469757331153013060355040a130c 4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665 722043657274696669636174653120301e06092a864886f70d010901161161646d696e40 6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10c f4d8 EAP-Message = 0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e710762d5ede33f 41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b527776d70068a939f5 8c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3df16df4 8641151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb 54532c642b009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21 496f55717d44b2ef1638b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389c bbd9e48328d7f8850641d50203010001a317301530130603551d25040c300a06082b0601 0505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101005e3f3bed588f5e438581d8ab df869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e3baa1e6bea239a 7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d855ba97f 35b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a10 8e60a54b958ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe 9a4a8fe7417795f1149529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e 60db88e70bb9f66b22433be9a9d28522870278805bab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae02e28a1800156155aa34531 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=4, length=163 Message-Authenticator = 0xeb4220c6485e44c1057f2a57e9ac463c User-Name = "testUser" State = 0xe12d310ae02e28a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020300061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.240.78 port 2676 EAP-Message = 0x010403e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082afc3ba1fc97a0d15 1f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102020900bad26bfd 4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302465231 0f300d060355040813065261646975733112301006035504071309536f6d657768657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01 0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d 706c6520436572746966696361746520417574686f72697479301e170d30393032323631 3831 EAP-Message = 0x3530315a170d3039303332383138313530315a308193310b3009060355040613024652 310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747930820122300d06092a86 4886f70d01010105000382010f003082010a0282010100c005918d15156e31de5cad4be4 3bcee9a30544cbd7814d9e8b125c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c 696e EAP-Message = 0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e580f4505da0d6b20 c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4ef7defd41353010 449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e7088bf193 0a59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc4 60182cf327c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695 aa1e00e461fc004d86f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081 f8301d0603551d0e04160414d00f03b207edebc2780daafc959d2c27157dcad13081c806 0355 EAP-Message = 0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157dcad1a18199a481 96308193310b3009060355040613024652310f300d060355040813065261646975733112 301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65 20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 74686f72697479820900bad26bfd4ce6479b300c0603551d13040530030101ff300d0609 2a864886f70d01010505000382010100183c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae32928a1800156155aa34531 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=5, length=163 Message-Authenticator = 0x55e17dd633cdf932066dc762b88e60fd User-Name = "testUser" State = 0xe12d310ae32928a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020400061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.240.78 port 2676 EAP-Message = 0x0105031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3bb5f8497c3f7ee a643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416af68cb8474782e1 d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965fa1bc7 0c89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c 883b5411c107b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0d a70125b2073f724b7d1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a 34f89235844c88cc09f44d39151cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b3 4a57 EAP-Message = 0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931ea0e63d9b9ab25 cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6fd4302399a2a156 a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4ec85778 a8806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a224 28445300010200801308bbde6226911ca6943b37850b3b02d9dd833b1517de45c8be3634 857aaf575b4ffabee15bb724649094dfd87ed6d3bf87564bd3dbc833c5743de333a9ff8a 18a2f80f2f84bfb2fec2e00182db1b8b155fae381bae60352d7cac18a2e8d259285b145a 4e51 EAP-Message = 0x8117e6a04420b63c3d8c81d07d27116572faf695499e1c6c1377010049efc786aa1134 fe95ce9eb0a916a1644dd0b4700544abcccf6e281ad9ebbb55f0cf7b02f0fd1740afd1a9 cce73c0fe892dc057f873ee0fe7fa155585e1110ccfa1cae02536eecde4028047cbec5ec 2538f57e3dad476782098b4b39f8488364839bb1c38fb524331059ded76b48598e6e3099 60cacb84315aeb40af30506a4eff27775e3a5ad4777b6dbd663bb6c036f4e640f07ee382 450277b57f16df0c5d40c2ab3de425a63dab7973ddc6c32272dca051cd76165a76d96d5c c732c35ab3bcba3324a48300d4e1ba8a4f852f0629bd894ee22671c76fe3e4b714b0e313 17ee EAP-Message = 0x94975d58e13f02fc8637f4f3816e5baf32fb1af4832dfa51a731403a270f1716030100 040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae22828a1800156155aa34531 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=6, length=361 Message-Authenticator = 0xbdafc2bc53bf68eb96b1c2f303a2bfa6 User-Name = "testUser" State = 0xe12d310ae22828a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020500cc19001603010086100000820080937ab2b395e302774e2543db590e4f963705 96383d5f905bab039212df1166766326aaeead86e1d424d42fe72b1584eb0014ba852cd1 4aee5b185382c3b319c6e85a736058eb4519e1dad1b4541d0ffe1f516e52a99d1ddc785d 22ae0309f278db5cc0d7fa2b85f99315ccddbe2a1284d2fcaaa30918d45032a30f4261ba 8151140301000101160301003034a7b9154ffb6c518b9b8e5beb1584208f9d39cb8338e9 110462d5d96f2412b6ff68ea2b28256d8765f961a899d8cb63 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 5 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.240.78 port 2676 EAP-Message = 0x0106004119001403010001011603010030b2aa75db0294be14dbad42e7d280a17e7642 51f1106d834a7e73853d4a59774f3792a559a7bc9f129bf0a350563bffb2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae52b28a1800156155aa34531 Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=7, length=163 Message-Authenticator = 0x6ebdb3150f738501452ca7704f020fc5 User-Name = "testUser" State = 0xe12d310ae52b28a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020600061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.240.78 port 2676 EAP-Message = 0x0107002b19001703010020262f5d1ef7c9637ebfeaa6a61f9d46ea483f8abb5219ac95 4bb8bf083f2bd30f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae42a28a1800156155aa34531 Finished request 5. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=8, length=237 Message-Authenticator = 0x4433c3b27733a2cfcd22453efa771bbc User-Name = "testUser" State = 0xe12d310ae42a28a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020700501900170301002064809e7864415dff87c39c6eed9a2f5732d409cb4ac76856 1c64046e8528b4e0170301002077245235776f36367afffb0670d56f2f0dd3b502a0c64d de4c3ca6a3e307a27f NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 7 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - testUser PEAP: Got tunneled identity of testUser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to testUser +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testUser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop perl_pool: item 0x8192020 asigned new request. Handled so far: 1 found interpetator at address 0x8192020 rlm_perl: Added pair User-Name = testUser rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student rlm_perl: Added pair Cleartext-Password = password09 rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 perl_pool total/active/spare [64/0/64] Unreserve perl at address 0x8192020 ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.240.78 port 2676 EAP-Message = 0x0108002b19001703010020c8c3e314046ffe680fd1481d456600797f4dfe80167c6667 cf4a842f7dcf9dd3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe12d310ae72528a1800156155aa34531 Finished request 6. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 2676, id=9, length=237 Message-Authenticator = 0x14c8457bb68aa004ba68900830473021 User-Name = "testUser" State = 0xe12d310ae72528a1800156155aa34531 NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0208005019001703010020eb13f254dedc7bf752d0c616f6cdfcf92e50268d310f3f34 f114e08421261fcf170301002048fe1b9393fbb14bb637edacb92d74a1ffc680992e2ede 85f97a1ecd021b2fba NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 8 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Had sent TLV failure. User was rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select ++[eap] returns invalid auth: Failed to validate the user. Login incorrect: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testUser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 9 to 192.168.240.78 port 2676 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.7 seconds. -----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Thursday, March 19, 2009 2:04 PM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues
I've taken out all perl references from the sites-enabled/default and moved them to sites-enabled/inner-tunnel
I don't see perl being called:
rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - 192.168. PEAP: Got tunneled identity of 192.168. PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to 192.168. +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "192.168.", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: Request is supposed to be proxied to Realm LOCAL. Not doing EAP. ++[eap] returns noop ++? if (EAP-Message) ? Evaluating (EAP-Message) -> TRUE ++? if (EAP-Message) -> TRUE ++- entering if (EAP-Message) +++[noop] returns noop ++- if (EAP-Message) returns noop ++ ... skipping elsif for request 6: Preceding "if" was taken ++ ... skipping elsif for request 6: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Post the inner-tunnel authorize section.
I assume you hardcoded that in perl sub authorize. That's a good place for it. Put it back.
I'm not sure what you mean.
You need to set Auth-Type perl somewhere: users file or perl sub authorize. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, I've made a little progress. The perl script is now being called correctly and returning the correct data. There seems to be something else now.
Yes, there is something else.
I added DEFAULT Auth-Type = Perl Fall-Through = 1 to users, I think that's what you were wanting.
Fine. Only you haven't listed files in inner-tunnel, so this is never used.
Inner-tunnel authorize ------------------------------ Authorize {
Mschap Suffix
Update control { Proxy-To-Realm := LOCAL }
Remove that.
Eap { Ok=return } Perl Expiration Logintime Pap }
..
perl_pool: item 0x8192020 asigned new request. Handled so far: 1 found interpetator at address 0x8192020 rlm_perl: Added pair User-Name = testUser rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student rlm_perl: Added pair Cleartext-Password = password09 rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 perl_pool total/active/spare [64/0/64] Unreserve perl at address 0x8192020 ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: type Local
This is breaking EAP. Remove forcing Auth-Type Local. Ivan Kalik Kalik Informatika ISP
I removed the DEFAULT Auth-Type = Perl since you said it wasn't use. I removed the update control from the authorize in inner-tunnel. Here's the new log. Thanks for the help. Ready to process requests. rad_recv: Accounting-Request packet from host 192.168.240.78 port 3083, id=11, length=101 Acct-Status-Type = Stop Acct-Session-Id = "00000005" User-Name = "testUser" NAS-IP-Address = 192.168.240.78 NAS-Port = 4 Calling-Station-Id = "00-16-D3-30-E5-74" Acct-Delay-Time = 0 Acct-Session-Time = 72 Acct-Authentic = RADIUS Acct-Terminate-Cause = Lost-Carrier +- entering group preacct ++[preprocess] returns ok rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = "00000005",User-Name = "testUser"' rlm_acct_unique: Acct-Unique-Session-ID = "4675a10eb3ec92c2". ++[acct_unique] returns ok ++[files] returns noop +- entering group accounting expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.240.78/detail-20090320 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.240.78/detail-20090320 expand: %t -> Fri Mar 20 07:52:25 2009 ++[detail] returns ok ++[unix] returns ok expand: /var/log/radius/radutmp -> /var/log/radius/radutmp expand: %{User-Name} -> testUser ++[radutmp] returns ok expand: %{User-Name} -> testUser attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 11 to 192.168.240.78 port 3083 Finished request 0. Cleaning up request 0 ID 11 with timestamp +3 Going to the next request Ready to process requests. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=235, length=152 Message-Authenticator = 0x7d2d05eba9f44b4f560221d152a604d6 User-Name = "testUser" NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" EAP-Message = 0x0201000d016c6a61636b736f6e Framed-MTU = 1000 Called-Station-Id = "0001F4-B6-1B-80\0004" NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 235 to 192.168.240.78 port 3085 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13001bdb807fc4539ef1278734e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=236, length=249 Message-Authenticator = 0xae6d806c5e45d7aa21bbaee13239c841 User-Name = "testUser" State = 0x01bfa13001bdb807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0202005c190016030100510100004d030149c3987c0e37eb6c0bac727f1287e3f6cd86 2647f846d214e820432669caf44800002600390038003500160013000a00330032002f00 050004001500120009001400110008000600030100 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 2 length 92 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 236 to 192.168.240.78 port 3085 EAP-Message = 0x010303e419c000000acd160301004a02000046030149c383888e099135de3aa395da3f 053a0929a117724438a84cb0120230dc279d204044516166651aa96ff3c159f1ef0d302e 721399f0e55e533bed7a54ea1c81d0003900160301085e0b00085a0008570003a6308203 a23082028aa003020102020101300d06092a864886f70d0101040500308193310b300906 0355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e 06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603 5504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e17 0d3039303232363138313530335a170d3130303232363138313530335a307c310b300906 0355040613024652310f300d0603550408130652616469757331153013060355040a130c 4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665 722043657274696669636174653120301e06092a864886f70d010901161161646d696e40 6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f0030 82010a0282010100af91ce4cc96ce447a1b9ce6a3c8d5cee06559ffe5d6c58649c8af10c f4d8 EAP-Message = 0x2196a122f04a957a7ca72043e3f61c0e4149a18d32bea21f5807e44e710762d5ede33f 41f89e5238ba8ec146775ec45f90335564a0ccdf9d7332b714993b527776d70068a939f5 8c7475e677850446ef1de2427a39b1469d4707f59723cc3c5c432426f51d899e3df16df4 8641151eb1a34b9aacf00fb3380f43db62d6efe38255abd22667ba5a4a4d0de897d955eb 54532c642b009994eb1d4353ab340852d9a2db429111f08e31dc5a5c063a1b4625023d21 496f55717d44b2ef1638b6cce64bf716e719d885f20b305fed4e6d94a8ecb1201d43389c bbd9e48328d7f8850641d50203010001a317301530130603551d25040c300a06082b0601 0505 EAP-Message = 0x070301300d06092a864886f70d010104050003820101005e3f3bed588f5e438581d8ab df869d6e5b9751c0407043ba804bae8a935f2ccfda3e106c7b9bd3c41e3baa1e6bea239a 7878a67fa523f76e9207640ce1900a71ee645e0a200007826520944b15177a2d855ba97f 35b5484cc4476b4c49bbcc55fa40b919506eb73e3f6f35c87ed3d38fca2b33a82d541a10 8e60a54b958ebab48dbcbed264380c05df5c4e8839169ade9bed2cde41faa08755b53dfe 9a4a8fe7417795f1149529d9e2ad6c0c6f610a12772c3a5b1dca9826bc8e55ba4d17bd2e 60db88e70bb9f66b22433be9a9d28522870278805bab Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13000bcb807fc4539ef1278734e Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=237, length=163 Message-Authenticator = 0x36564054cf14369701daca7e3be846a9 User-Name = "testUser" State = 0x01bfa13000bcb807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020300061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 237 to 192.168.240.78 port 3085 EAP-Message = 0x010403e01940192b141d954ba5dad16f574bfa9c6f1069e1fda082afc3ba1fc97a0d15 1f664e5dd53aed97cf332119fe0004ab308204a73082038fa003020102020900bad26bfd 4ce6479b300d06092a864886f70d0101050500308193310b300906035504061302465231 0f300d060355040813065261646975733112301006035504071309536f6d657768657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01 0901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d 706c6520436572746966696361746520417574686f72697479301e170d30393032323631 3831 EAP-Message = 0x3530315a170d3039303332383138313530315a308193310b3009060355040613024652 310f300d060355040813065261646975733112301006035504071309536f6d6577686572 6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d 010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747930820122300d06092a86 4886f70d01010105000382010f003082010a0282010100c005918d15156e31de5cad4be4 3bcee9a30544cbd7814d9e8b125c6aefc9a71a5c8d815d1cc12b0f37be7b2b30abd5cb4c 696e EAP-Message = 0x9f5aa45dd330796a68c9440b1114f9181342ef7006f2ca01e8805e580f4505da0d6b20 c3e5ec1c85ac9473c4ce52cbba3917612d45f3d2ddcd0a7da895a57d4ef7defd41353010 449e124599e5d3115874e99c358e6448a5b78d84626d9b4479134e2fe45407e7088bf193 0a59b64aa4d17dc992cd317ea3ace04b31064a61647847ad710d6f458d128810e2152bc4 60182cf327c63cf30639c3072fbd5ac302e525319efdb02c7e3a33026e7228186d464695 aa1e00e461fc004d86f4aabb8be9f06db98714d5ef63b51c433d0203010001a381fb3081 f8301d0603551d0e04160414d00f03b207edebc2780daafc959d2c27157dcad13081c806 0355 EAP-Message = 0x1d230481c03081bd8014d00f03b207edebc2780daafc959d2c27157dcad1a18199a481 96308193310b3009060355040613024652310f300d060355040813065261646975733112 301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65 20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d312630240603550403131d4578616d706c65204365727469666963617465204175 74686f72697479820900bad26bfd4ce6479b300c0603551d13040530030101ff300d0609 2a864886f70d01010505000382010100183c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13003bbb807fc4539ef1278734e Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=238, length=163 Message-Authenticator = 0xcd1123700762639172681128396a1141 User-Name = "testUser" State = 0x01bfa13003bbb807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020400061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 238 to 192.168.240.78 port 3085 EAP-Message = 0x0105031f19005647775d06a03ebb8b89c3256914ceac4171e7ee41b3bb5f8497c3f7ee a643ac0637116e282046f3611e910dcf39d779ad13a14a68e75e9c416af68cb8474782e1 d77d20cbb4785c40d8b36de0f2caca1c5a477b3a09c488d3065b0865e63b546965fa1bc7 0c89f578eb1c88bcd329c3afb49730d0af199bf022be1f0cb74f71fde6d6be2f23af396c 883b5411c107b4d6fc51bc2bc07534c6d6d352c9afde1cb48565b9b669489403d0940d0d a70125b2073f724b7d1e3cd7cf5f31432eb7a659105af9fb92e5f67d36ad6c15321a218a 34f89235844c88cc09f44d39151cbbc12c70d4f6dba5f9e80cbfb2af15bb644c7749a3b3 4a57 EAP-Message = 0x50b8f96e2da78c160301020d0c000209008095c28ea954c729df2931ea0e63d9b9ab25 cdacbad88a7ded24c19ae298dddfd9b9b2dfba285398d544e1aebe2e6fd4302399a2a156 a1be615d6b7579973fe3323c4f65428282088b141e06ee2d99144c7b458bb1da4ec85778 a8806b2e9183475abdc4707fd70974a7bfeb9068894e5b15a6a576a266a6ccf9e439a224 28445300010200808f1ccb7beec0faf418d6009cadacf97e1dff1a23ea14e00095e0f379 c192ab756481669f1a81926412284a3073109dc3eacd408be0b3fad04452d9ee9a426e13 1c0a3f5c43c81470036ac5e71f76fa0cf8ee624d2ce79e917d66585438a2df7ed2ad363b b772 EAP-Message = 0x272c7638e47c389aec3b130f34328e9b4478de353f1a45deb78201000d2c2852e7c40b 90919128791cd4c552bd7c92a7a790a224fdeef4538b147d34869f4f8688a6193fcdae32 e14be0135595b681eb1d01de11e644221a7d517b053e6ee8c1f396b6d329ace204565f54 adc7a868d185f8cae3baf93782493fa4696462458c6bd43f7e13643434ac8f1bd67030e9 43b0a9ae13e0265d1b4ac922a5fab7813ab47415695f979408c18d73799fd006d7ce3cd5 b5a51bdb3acf433f3670b4eb22a6040497ac0c1601acc09a5f18c5f78ef9a978425b7308 2b5eeded09d28a47b7670649c5c3186afc18733b9fbdd05187966e69e8467cacc67edc50 ffd6 EAP-Message = 0x67c572f95b5fb02aab834279525ace940eea2f8bda43b01f0b72f4844f94cf16030100 040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13002bab807fc4539ef1278734e Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=239, length=361 Message-Authenticator = 0x09003c2770b7ebd8489a9b994c20f74b User-Name = "testUser" State = 0x01bfa13002bab807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020500cc190016030100861000008200806b94c23fdb8d8035ecc8259084476867386a afa76130f1ada15ee84f0d62dba7467b19f8f1968cd2223a67cc5814c1723850f3c0b4ea e6b1808ce8dfb5bb2c585f326c9197fd2e872cd2f650e04a688906592f54be046332fcf6 4a071fafdea6f44932c9f0caac54e8b4c8dc39a50ae6faec29e9f81cb4089a636c7612dc da771403010001011603010030167b64a37c9d69319b82fb4f49b144db14bf1097443c63 09e41d38b7545438f60a0dc100e140b1660bcecb0984ff086e NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 5 length 204 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 239 to 192.168.240.78 port 3085 EAP-Message = 0x010600411900140301000101160301003031553e3d100736927b572c87a4a544ac2e5c 13e28672736daeb20c6a7633ff9d91f9440db93fafb1e0fcf2a42c2b401a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13005b9b807fc4539ef1278734e Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=240, length=163 Message-Authenticator = 0xb9721f691bfe0d3af8faf21a0ff630aa User-Name = "testUser" State = 0x01bfa13005b9b807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020600061900 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 240 to 192.168.240.78 port 3085 EAP-Message = 0x0107002b190017030100207d2e96536e28ad72eb3ca57c8a2bcf688cb96b50806c7eba 642545b13c390577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13004b8b807fc4539ef1278734e Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=241, length=237 Message-Authenticator = 0x3ad17cc6959f8c49d02162344986a841 User-Name = "testUser" State = 0x01bfa13004b8b807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x0207005019001703010020eeb76cf08fd4f2dd75225fce25e025a088b4349d3653ed4f e2df729676e6f7c01703010020de00409ede5e7e5a8d11a17d3ffc1e1fb2756068f3acc9 d77fa86efcff9de378 NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 7 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - testUser PEAP: Got tunneled identity of testUser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to testUser +- entering group authorize ++[mschap] returns noop rlm_eap: EAP packet type response id 7 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated perl_pool: item 0x8191728 asigned new request. Handled so far: 1 found interpetator at address 0x8191728 rlm_perl: Added pair User-Name = testUser rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student rlm_perl: Added pair Cleartext-Password = password09 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair EAP-Type = MS-CHAP-V2 perl_pool total/active/spare [64/0/64] Unreserve perl at address 0x8191728 ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 241 to 192.168.240.78 port 3085 EAP-Message = 0x0108004b19001703010040e31225a17d30228bb7726cc44bf263d914f7579e06b0a286 4f97ce5e3d9219571a383a062a61d4e397ed58fd314ba1245ed182935ac989ed833b4b2d 6d67eda8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13007b7b807fc4539ef1278734e Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=242, length=301 Message-Authenticator = 0x82d26d1f2e916f292d1e74c07e2673fd User-Name = "testUser" State = 0x01bfa13007b7b807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x02080090190017030100203509abf8d3006800cf8fd548e2463dd1db3971dd04eaabf2 265fc3b7a0a1499c1703010060f4771096b5bd8385dabd3a1bd741da9eab1606c411c739 9a6677799722d86be4e087574bdd32d9a136518bd8cf5bca394bfb5ebce00ffc341ccbcf 9ffa0a41a2eb6fe7789095ba937b75779b21c743e3aede20f2ef1fafa5ee4aa0b7017c0e ad NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 8 length 144 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to testUser +- entering group authorize ++[mschap] returns noop rlm_eap: EAP packet type response id 8 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated perl_pool: item 0x83bd3c0 asigned new request. Handled so far: 1 found interpetator at address 0x83bd3c0 rlm_perl: Added pair User-Name = testUser rlm_perl: Added pair EAP-Message = 0x020800431a0208003e31d253ad39b9fda0c56ca1ea3593e679c700000000000000005a 3766caadf4442e13e2a263c18c03121055eb446b426c51006c6a61636b736f6e rlm_perl: Added pair EAP-Type = MS-CHAP-V2 rlm_perl: Added pair State = 0xd36534b3d36d2ee2a528a15b28aae93c rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student rlm_perl: Added pair Cleartext-Password = password09 rlm_perl: Added pair Auth-Type = EAP perl_pool total/active/spare [64/0/64] Unreserve perl at address 0x83bd3c0 ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: Told to do MS-CHAPv2 for testUser with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 242 to 192.168.240.78 port 3085 EAP-Message = 0x0109005b190017030100506e30c2b48acb850cd73aeb0a26b62e4d5fceda76923a125c d308f84e63d376c0aa97567fc85f9171bcc3ab08744380905298620b8783077b0538c506 22f1b0bc02bb9314c2ec99be670d39dc2e9b79e6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13006b6b807fc4539ef1278734e Finished request 8. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=243, length=237 Message-Authenticator = 0x77e2252beeafd9a16ab1c8e17a578773 User-Name = "testUser" State = 0x01bfa13006b6b807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020900501900170301002078b33b77fa12a265f134bf85941c35d098f428c755efe6f2 82c2ff3c2ec7e4051703010020fe71c1e773492d476502217835e03c5a4f35fb35dba550 32c4b35e10d42d2c0c NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 9 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to testUser +- entering group authorize ++[mschap] returns noop rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated perl_pool: item 0x84b6230 asigned new request. Handled so far: 1 found interpetator at address 0x84b6230 rlm_perl: Added pair User-Name = testUser rlm_perl: Added pair EAP-Message = 0x020900061a03 rlm_perl: Added pair EAP-Type = MS-CHAP-V2 rlm_perl: Added pair State = 0xd36534b3d26c2ee2a528a15b28aae93c rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student rlm_perl: Added pair Cleartext-Password = password09 rlm_perl: Added pair Auth-Type = EAP perl_pool total/active/spare [64/0/64] Unreserve perl at address 0x84b6230 ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler ++[eap] returns ok Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS ++[eap] returns handled Sending Access-Challenge of id 243 to 192.168.240.78 port 3085 EAP-Message = 0x010a002b19001703010020884606f22ab4302ddb6a5c5f4e37fdc5e31c04cff4a19a90 fb889231c0d13d15 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01bfa13009b5b807fc4539ef1278734e Finished request 9. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.240.78 port 3085, id=244, length=237 Message-Authenticator = 0xd6e7fd50aff83fb7860432e00ee61b91 User-Name = "testUser" State = 0x01bfa13009b5b807fc4539ef1278734e NAS-IP-Address = 192.168.240.78 NAS-Port = 4 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-B6-1B-80" Framed-MTU = 1000 EAP-Message = 0x020a005019001703010020ed5d8078eeac6585f770e9723882e7dfab5001c2ef6c0554 96f8c24475ee9443170301002072f87cbf1d487ab533b305badcd983e1969071c0a4d57e df1b228d940d336a9a NAS-Identifier = "HOKDORM_01953_M48" NAS-Port-Id = "fe.0.4" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_eap: EAP packet type response id 10 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success rlm_eap: Freeing handler ++[eap] returns ok Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 244 to 192.168.240.78 port 3085 MS-MPPE-Recv-Key = 0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6 MS-MPPE-Send-Key = 0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testUser" Finished request 10. Going to the next request Waking up in 4.6 seconds. rad_recv: Accounting-Request packet from host 192.168.240.78 port 3086, id=12, length=89 Acct-Status-Type = Start User-Name = "testUser" NAS-IP-Address = 192.168.240.78 NAS-Port = 4 Calling-Station-Id = "00-16-D3-30-E5-74" Acct-Delay-Time = 0 Acct-Session-Id = "00000006" Acct-Authentic = RADIUS +- entering group preacct ++[preprocess] returns ok rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = "00000006",User-Name = "testUser"' rlm_acct_unique: Acct-Unique-Session-ID = "761ab26e01bff75f". ++[acct_unique] returns ok ++[files] returns noop +- entering group accounting expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.240.78/detail-20090320 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.240.78/detail-20090320 expand: %t -> Fri Mar 20 07:52:41 2009 ++[detail] returns ok ++[unix] returns ok expand: /var/log/radius/radutmp -> /var/log/radius/radutmp expand: %{User-Name} -> testUser ++[radutmp] returns ok expand: %{User-Name} -> testUser attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 12 to 192.168.240.78 port 3086 Finished request 11. Cleaning up request 11 ID 12 with timestamp +19 Going to the next request Waking up in 4.6 seconds. -----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Thursday, March 19, 2009 6:14 PM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues
Ok, I've made a little progress. The perl script is now being called correctly and returning the correct data. There seems to be something else now.
Yes, there is something else.
I added DEFAULT Auth-Type = Perl Fall-Through = 1 to users, I think that's what you were wanting.
Fine. Only you haven't listed files in inner-tunnel, so this is never used.
Inner-tunnel authorize ------------------------------ Authorize {
Mschap Suffix
Update control { Proxy-To-Realm := LOCAL }
Remove that.
Eap { Ok=return } Perl Expiration Logintime Pap }
..
perl_pool: item 0x8192020 asigned new request. Handled so far: 1 found interpetator at address 0x8192020 rlm_perl: Added pair User-Name = testUser rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student rlm_perl: Added pair Cleartext-Password = password09 rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 perl_pool total/active/spare [64/0/64] Unreserve perl at address 0x8192020 ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: type Local
This is breaking EAP. Remove forcing Auth-Type Local. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I removed the DEFAULT Auth-Type = Perl since you said it wasn't use.
I removed the update control from the authorize in inner-tunnel.
Here's the new log. Thanks for the help.
What now? It works:
Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS .. Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 244 to 192.168.240.78 port 3085 MS-MPPE-Recv-Key = 0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6 MS-MPPE-Send-Key = 0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testUser" Finished request 10.
Ivan Kalik Kalik Informatika ISP
I believe the only thing left is that it needs to return a Filter-Id along with the access-accept? -----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Friday, March 20, 2009 10:43 AM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues
I removed the DEFAULT Auth-Type = Perl since you said it wasn't use.
I removed the update control from the authorize in inner-tunnel.
Here's the new log. Thanks for the help.
What now? It works:
Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel) PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS .. Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli 00-16-D3-30-E5-74) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 244 to 192.168.240.78 port 3085 MS-MPPE-Recv-Key = 0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6 MS-MPPE-Send-Key = 0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testUser" Finished request 10.
Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script. In the log, it says: rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student But shouldn't that show up in the Access-Accept also? -----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Friday, March 20, 2009 11:01 AM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues
I believe the only thing left is that it needs to return a Filter-Id along with the access-accept?
Is you perl script adding it to $RAD_REPLY? I can't see it in the reply. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.
In the log, it says:
rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student
But shouldn't that show up in the Access-Accept also?
You probably need to set use_tunneled_reply to yes in peap section of eap.conf. This is slightly older server version which doesn't show tunneled reply so can't be sure. Ivan Kalik Kalik Informatika ISP
Yep, that was it. Thanks so much for your help! -----Original Message----- From: tnt@kalik.net [mailto:tnt@kalik.net] Sent: Friday, March 20, 2009 3:08 PM To: FreeRadius users mailing list Subject: RE: Perl/Peap-MSChapV2 Issues
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.
In the log, it says:
rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student
But shouldn't that show up in the Access-Accept also?
You probably need to set use_tunneled_reply to yes in peap section of eap.conf. This is slightly older server version which doesn't show tunneled reply so can't be sure. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Adam W. Sewell -
tnt@kalik.net