Hi (sorry I resend the email because in my earlier one the subject was missing by mistake) I'm trying to get working huntgroups but I can't do it: I've appended something like to huntgroups file mb NAS-IP-Address == 10.129.189.1 mb NAS-IP-Address == 10.129.84.1 mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I And in users files: pruebita Huntgroup-Name == "mb",Cleartext-Password := "pruebon" But is not working user pruebita does not get an Access-Accept Please could you help me to solve it? Below the debug messages (I've trunked a bit for mail can be sent) FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb-testing/radiusd.conf including configuration file /etc/raddb-testing/proxy.conf including configuration file /etc/raddb-testing/clients.conf including files in directory /etc/raddb-testing/modules/ including configuration file /etc/raddb-testing/modules/chap including configuration file /etc/raddb-testing/modules/mschap including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login including configuration file /etc/raddb-testing/modules/exec including configuration file /etc/raddb-testing/modules/realm including configuration file /etc/raddb-testing/modules/checkval including configuration file /etc/raddb-testing/modules/rediswho including configuration file /etc/raddb-testing/modules/passwd including configuration file /etc/raddb-testing/modules/attr_filter including configuration file /etc/raddb-testing/modules/linelog including configuration file /etc/raddb-testing/modules/wimax including configuration file /etc/raddb-testing/modules/pam including configuration file /etc/raddb-testing/modules/inner-eap including configuration file /etc/raddb-testing/modules/echo including configuration file /etc/raddb-testing/modules/soh including configuration file /etc/raddb-testing/modules/replicate including configuration file /etc/raddb-testing/modules/acct_unique including configuration file /etc/raddb-testing/modules/etc_group including configuration file /etc/raddb-testing/modules/pap including configuration file /etc/raddb-testing/modules/expr including configuration file /etc/raddb-testing/modules/smbpasswd including configuration file /etc/raddb-testing/modules/attr_rewrite including configuration file /etc/raddb-testing/modules/radutmp including configuration file /etc/raddb-testing/modules/mac2ip including configuration file /etc/raddb-testing/modules/logintime including configuration file /etc/raddb-testing/modules/sql_log including configuration file /etc/raddb-testing/modules/smsotp including configuration file /etc/raddb-testing/modules/preprocess including configuration file /etc/raddb-testing/modules/policy including configuration file /etc/raddb-testing/modules/cui including configuration file /etc/raddb-testing/modules/perl including configuration file /etc/raddb-testing/modules/digest including configuration file /etc/raddb-testing/modules/mac2vlan including configuration file /etc/raddb-testing/modules/otp including configuration file /etc/raddb-testing/modules/files including configuration file /etc/raddb-testing/modules/always including configuration file /etc/raddb-testing/modules/ntlm_auth including configuration file /etc/raddb-testing/modules/detail including configuration file /etc/raddb-testing/modules/krb5 including configuration file /etc/raddb-testing/modules/sradutmp including configuration file /etc/raddb-testing/modules/opendirectory including configuration file /etc/raddb-testing/modules/counter including configuration file /etc/raddb-testing/modules/detail.example.com including configuration file /etc/raddb-testing/modules/ippool including configuration file /etc/raddb-testing/modules/expiration including configuration file /etc/raddb-testing/modules/dynamic_clients including configuration file /etc/raddb-testing/modules/detail.log including configuration file /etc/raddb-testing/modules/redis including configuration file /etc/raddb-testing/modules/ldap including configuration file /etc/raddb-testing/modules/unix including configuration file /etc/raddb-testing/eap.conf including configuration file /etc/raddb-testing/policy.conf including files in directory /etc/raddb-testing/sites-enabled/ including configuration file /etc/raddb-testing/sites-enabled/status including configuration file /etc/raddb-testing/sites-enabled/control-socket including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel including configuration file /etc/raddb-testing/sites-enabled/default including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb-testing/dictionary main { name = "radiusd" prefix = "/usr/local-test" localstatedir = "/usr/local-test/var" sbindir = "/usr/local-test/sbin" logdir = "/usr/local-test/var/log/radius" run_dir = "/usr/local-test/var/run/radiusd" libdir = "/usr/local-test/lib" radacctdir = "/usr/local-test/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid" checkrad = "/usr/local-test/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client spectrum { require_message_authenticator = no secret = "testing123" shortname = "spectrum.sarlanga.edu" } client 10.129.100.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-PB" } client 10.129.10.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-SS" } client 10.129.11.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-1" } client 10.129.111.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-1" } client 10.129.12.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-2" } client 10.129.13.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-3" } client 10.129.14.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-4" } client 10.129.199.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "PIVOT-LINKSYS" } client 10.129.200.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "PIVOT-TPLINK" } client 10.129.254.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "Transitional" } client 10.129.15.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-5" } client 10.129.16.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-6" } client 10.129.17.1 { require_message_authenticator = no secret = "sarlangalad0-Red-3-winnie" shortname = "AP-PI-7" } client 10.129.60.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-Sociales-0" } client 10.129.61.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-Sociales-I" } client 10.129.158.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-SS" } client 10.129.80.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-PB" } client 10.129.180.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-PB-SUM" } client 10.128.255.81 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-I" } client 10.129.81.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-I" } client 10.128.255.82 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-II" } client 10.129.82.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-II" } client 10.128.250.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-Bridge" } client 10.128.255.172 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-I_bis_test" } client 10.128.255.83 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-III" } client 10.129.83.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-III" } client 10.129.183.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-III" } client 10.129.84.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-IV" } client 10.129.184.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-IV-Bis" } client 10.129.194.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-IV-Bis-2" } client 10.128.255.181 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-I_bis" } client 10.129.181.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-I_bis" } client 10.129.162.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-I_bis_2" } client 10.128.255.86 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-VI" } client 10.129.86.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-VI" } client 10.128.255.87 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-VII" } client 10.129.87.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-VII" } client 10.129.187.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-VII-Derecho" } client 10.129.99.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-Pivot" } client 10.129.52.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PV-PB" } client 10.128.255.85 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-V" } client 10.129.85.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-V" } client 10.129.189.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-IX-HD" } client 10.129.88.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-VIII" } client 10.129.89.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "oficina-test" } client 10.129.160.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-Sociales-Auditorio" } client 10.129.182.1 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-PVIII-X" } client 192.168.2.53 { require_message_authenticator = no secret = "akantilad0-Green-22" shortname = "sarlanga3" } client 192.168.45 { require_message_authenticator = no secret = "sarlangalad0-black-54" shortname = "sarlanga4" } client 192.168.3.201 { require_message_authenticator = no secret = "sarlangalad0-blue-246692" shortname = "sarlanga7" } client 192.168.4 { require_message_authenticator = no secret = "Zarag0Za-Muppet5-32" shortname = "AP-sarlanga7" } client 192.168.142.240 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-Cabre-1" } client 192.168.142.241 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-Cabre-2" } client 192.168.142.242 { require_message_authenticator = no secret = "sarlangalad0-Red-398952" shortname = "AP-Cabre-3" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb-testing/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb-testing/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb-testing/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb-testing/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb-testing/radiusd.conf modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb-testing/modules/pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb-testing/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb-testing/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_pam Module: Instantiating module "pam" from file /etc/raddb-testing/modules/pam pam { pam_auth = "radiusd" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb-testing/modules/unix unix { radwtmp = "/usr/local-test/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb-testing/eap.conf eap { default_eap_type = "md5" timer_expire = 600 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/pki/tls/certs/ips-spectrum-key.pem" certificate_file = "/etc/pki/tls/certs/spectrum.sarlanga.edu.cer" CA_file = "/etc/pki/tls/certs/IPS-IPSCABUNDLE.crt" dh_file = "/etc/raddb-testing/certs/dh" random_file = "/etc/raddb-testing/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = yes lifetime = 6 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel-peap" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb-testing/modules/preprocess preprocess { huntgroups = "/etc/raddb-testing/huntgroups" hints = "/etc/raddb-testing/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/raddb-testing/modules/detail.log detail auth_log { detailfile = "/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb-testing/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb-testing/modules/files files { usersfile = "/etc/raddb-testing/users" acctusersfile = "/etc/raddb-testing/acct_users" preproxy_usersfile = "/etc/raddb-testing/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb-testing/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb-testing/modules/detail detail { detailfile = "/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb-testing/modules/radutmp radutmp { filename = "/usr/local-test/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb-testing/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb-testing/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "reply_log" from file /etc/raddb-testing/modules/detail.log detail reply_log { detailfile = "/usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb-testing/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb-testing/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server status { # from file /etc/raddb-testing/sites-enabled/status modules { Module: Creating Autz-Type = Status-Server Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_always Module: Instantiating module "ok" from file /etc/raddb-testing/modules/always always ok { rcode = "ok" simulcount = 0 mpp = no } } # modules } # server server inner-tunnel { # from file /etc/raddb-testing/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = LDAP Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/raddb-testing/modules/ldap ldap { server = "ldap.sarlanga.edu" port = 636 password = "sarlanga" identity = "cn=freeradius,ou=applications,dc=sarlanga,dc=edu" net_timeout = 10 timeout = 120 timelimit = 30 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no cacertfile = "/etc/raddb-testing/cacert.pem" randfile = "/dev/urandom" require_cert = "demand" } basedn = "ou=people,dc=sarlanga,dc=edu" filter = "(uid=%u)" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr = "radiusAllowed" access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb-testing/ldap.attrmap" ldap_debug = 40 ldap_connections_number = 15 compare_check_items = no do_xlat = yes set_auth_type = yes keepalive { interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /etc/raddb-testing/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusPassword mapped to RADIUS Cleartext-Password rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x1ffc1270 Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "post_proxy_log" from file /etc/raddb-testing/modules/detail.log detail post_proxy_log { detailfile = "/usr/local-test/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking post-auth {...} for more modules to load } # modules } # server server inner-tunnel-peap { # from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.1.5 port = 0 } listen { type = "acct" ipaddr = 192.168.1.5 port = 0 } listen { type = "control" listen { socket = "/usr/local-test/var/run/radiusd/radiusd.sock" } } listen { type = "status" ipaddr = 127.0.0.1 port = 18120 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "YellowSubmarine" } } ... adding new socket proxy address * port 54388 Listening on authentication address 192.168.1.5 port 1812 Listening on accounting address 192.168.1.5 port 1813 Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock Listening on status address 127.0.0.1 port 18120 as server status Listening on proxy address 192.168.1.5 port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=74, length=170 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0238000d017072756562697461 Message-Authenticator = 0x510c83d2d8d716e25fa8e00162124f28 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 56 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry pruebita at line 434 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 74 to 10.129.89.1 port 38848 EAP-Message = 0x013900160410381a962cdd81a78cdd529de9d83f2b61 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f51fce56b215acf310f5bc900 Finished request 28. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=75, length=181 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023900060319 State = 0x51c5e19f51fce56b215acf310f5bc900 Message-Authenticator = 0x9a66eb7b5a106c018d00e0b57f80f262 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 57 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry pruebita at line 434 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 75 to 10.129.89.1 port 38848 EAP-Message = 0x013a00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f50fff86b215acf310f5bc900 Finished request 29. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=76, length=241 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023a0042190016030100370100003303014fc89ccd9ef24a5acabf352713ed67aad4acfb2a2f0d4c5ad746a761a24f976800000c0013000a0033002f000500040100 State = 0x51c5e19f50fff86b215acf310f5bc900 Message-Authenticator = 0xb1b6655fab2a4f02abdddc4928d46870 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 58 length 66 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0037], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 004a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 1324], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 76 to 10.129.89.1 port 38848 EAP-Message = 0x013b040019c000001381160301004a0200004603014fc89cce0c471ae8314022655c37dcbb1fe882ed8735b93cfda7f5029188744220189eb3cfe1bd6b3b6b87fa215018f64ad2b414cda3740799b6d6c814cb3f7700000a0016030113240b00132000131d00071730820713308205fba0030201020214101b7f691cb7a76e4d2434f172207f0d6457bfd6300d06092a864886f70d01010505003081b0310b3009060355040613024553310f300d060355040813064d4144524944310f300d060355040713064d414452494431243022060355040a131b6970732043657274696669636174696f6e20417574686f7269747931183016060355040b130f EAP-Message = 0x43657274696669636163696f6e657331193017060355040313106970734341204c6576656c20312043413124302206092a864886f70d010901161569707363616c6576656c314069707363612e636f6d301e170d3132303132373132303731335a170d3134303230313132303731335a30818d310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311d301b06035504031314737065637472756d2e70616c65726d6f2e EAP-Message = 0x65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100a8efabc6c785b1314fc7a643f75a6b1e1ae645b4ad47d23a5ce062cd3fa5a998112d48b88960da17628181430eb1e6dbcd806eb3b77ad9ca5728e86d333f9a910107d90c0e2dad1951587fb6ebe0b1f99665fad04e352e1d87dbf1a1292ae3cc8bb936511b10cc25facb79db7df50a443359a5c46213253cfbee9db5a262221e23d6961c6f2e4bff6c7702fe05eeff8c97c3c4558f84d3d61a1571017d5638863ec4f341613113aca1b385ae7598065503f28f78c83c632ebb0183d6d8ffd21edd8cd4db50c1550443f12706847a053769c1c5c7f94eff9fff EAP-Message = 0x8c3091d3892db2f35ab46dc208d1e03f37b82fb96d7fba474b42279ecb74157fdc521c038949dd0203010001a38203443082034030090603551d1304023000301106096086480186f8420101040403020640300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414d57dbba6130341755d2138e3ed9faacb3e65cdcb301f0603551d230418301680147d9e6b0efc13e1c48ba77f61ae6021cfcda0d30630090603551d1104023000305b0603551d1204543052a450304e310b300906035504061302455331243022060355040a131b6970732043657274696669636174696f6e20417574686f EAP-Message = 0x726974793119301706035504 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f53fef86b215acf310f5bc900 Finished request 30. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=77, length=181 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023b00061900 State = 0x51c5e19f53fef86b215acf310f5bc900 Message-Authenticator = 0xa4a26c588cef259c66f231f46e99c8da # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 59 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 77 to 10.129.89.1 port 38848 EAP-Message = 0x013c03fc19400313106970734341204c6576656c2031204341307106096086480186f842010d046416624f7267616e697a6174696f6e20496e666f726d6174696f6e204e4f542056414c4944415445442e204c4556454c3120536572766572204365727469666963617465206973737565642062792068747470733a2f2f7777772e69707363612e636f6d2f302906096086480186f8420102041c161a687474703a2f2f6c6576656c3130312e69707363612e636f6d2f303c06096086480186f8420104042f162d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c3043060960864801 EAP-Message = 0x86f842010304361634687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f7265766f636174696f6e4c4556454c312e68746d6c3f304006096086480186f842010704331631687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f72656e6577616c4c4556454c312e68746d6c3f303e06096086480186f84201080431162f687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f706f6c6963794c4556454c312e68746d6c30730603551d1f046c306a3033a031a02f862d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63 EAP-Message = 0x726c3033a031a02f862d687474703a2f2f6c6576656c3130322e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f6373706c6576656c3130312e69707363612e636f6d2f6f637370300d06092a864886f70d010105050003820101004b61ec4cf7163dad3601e3de9938175ec4ec75d60f658eabf37b1e331283419e7438e584e8cfc47c087c7cba005dcd9d7d165a470bd7aaea70b69b1a18ad2a6cc136cf2ff5cb948ae2866b1c46bbf8ef999ecb510407f28a091e7aa75684d90938f85c3fcd39580112b6979f3284c581f86b EAP-Message = 0x998bc211c1de82e87fd57ee7a975905e9dec75020feda29cf4f29dc59dc3946ccf328f7380c6f3f4064d3f6f496fffd640ed2c813c44d648f9ee0143f894d41f4970f30e158064b305a4ae264887a62b5ee51f4f7f3241ddeebcd1153f836262d7c24c4cd7a09f2ab6bc052cd2ecf78e948f240e526538478893fb776f27d44d620c8e58641b4231958c85d758080005f2308205ee308204d6a00302010202141000000000000000000000000000000000000011300d06092a864886f70d01010505003081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d06035504 EAP-Message = 0x0a13264950532043 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f52f9f86b215acf310f5bc900 Finished request 31. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=78, length=181 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023c00061900 State = 0x51c5e19f52f9f86b215acf310f5bc900 Message-Authenticator = 0xf15626a2f70fb625cfbdee8873d99f4f # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 60 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 78 to 10.129.89.1 port 38848 EAP-Message = 0x013d03fc1940657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d301e170d3039313231303131333835325a170d3239313232343131333835325a3081b0310b3009060355040613024553310f300d060355040813064d4144524944310f300d060355040713064d414452494431243022060355040a131b6970732043657274696669636174696f6e20417574686f7269747931183016060355040b130f43 EAP-Message = 0x657274696669636163696f6e657331193017060355040313106970734341204c6576656c20312043413124302206092a864886f70d010901161569707363616c6576656c314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009f4db33023c13a798527825d45ce5b64f82bafe15d6001e2940ed501863645858c0c8e76e1a0a40d935417986aeeb2840b23eabf217cc0ee49c026791954d6311890f7fb970be3a8c51640de2eb88c655b32d953f7c8ff06fb896654f8ea44420fb74fc7b0e94fd1d0bbfa968a33e346b7fa64bc65b11fb1e0e105f80cdd4af58b3097b4480a94feaf1d63f269 EAP-Message = 0x2c6b1b446afd3bd9dae70df0c68ab6e0190160a309a2b320401b14073a8c22df33f476c185b862b849b975c196ed1108af3c3f4e59e840dc995a134747e3b2840a7e8130b71c969f2e0d1cd0e5845e5bad3cce4a6b7d684522f54d5ae79f5c19004827a5787882d3e2ffb1e680dfeb2a125bb10203010001a38201fa308201f6302a06096086480186f8420102041d161b68747470733a2f2f6c6576656c3130312e69707363612e636f6d2f302106096086480186f84201030414161265737461646f2f65737461646f2e6173703f302706096086480186f8420104041a161865737461646f4341544553542f65737461646f2e6173703f3022060960 EAP-Message = 0x86480186f84201070415161365737461646f2f72656e756576612e6173703f302006096086480186f84201080413161165737461646f2f706f6c6963792e617370302406096086480186f842010d04171615436572746966696361646f20706f72206970734341301106096086480186f8420101040403020007300c0603551d13040530030101ff301d0603551d0e041604147d9e6b0efc13e1c48ba77f61ae6021cfcda0d306303e0603551d1f043730353033a031a02f862d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c303a06082b06010505070101042e302c302a06082b06 EAP-Message = 0x010505073001861e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f55f8f86b215acf310f5bc900 Finished request 32. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=79, length=181 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023d00061900 State = 0x51c5e19f55f8f86b215acf310f5bc900 Message-Authenticator = 0x4ce902814c105901520df2f8036166c3 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 61 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 79 to 10.129.89.1 port 38848 EAP-Message = 0x013e03fc1940687474703a2f2f6f6373706c6576656c3130312e69707363612e636f6d2f300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304300d06092a864886f70d010105050003820101008737bf8f76d31d2eca683935839d2958fe74add252963aff06e84cb0308e3316c5972d29aebe28e77e10ab20e1ed509ecfbbd394fe1da47370d27e6239b31cd636e1d4782bace12bedc753a14dd4281f588e56e2c924f956ec0ad0df5268575ea4393bb9e46619c4cff0a7fbb7717f EAP-Message = 0xd7f247a501f8245587996ac61064ada017958080eb6d4bd3e9171685a951ae6e69419776e8de7f43fb891b853397030059549676d110ed837018f76ca7231a20647365211bee7e1e67f8026ad21c2e37a31e7001bb866076bc7adc7eff3475f2e33e94c60ed70ce792cc33c31c32df09e853cf3587c59453f98efa685cce193a482a52f3da46c2e6bd5d02b5471eb9954000060b30820607308204efa003020102020100300d06092a864886f70d01010505003081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a132649505320436572746966696361 EAP-Message = 0x74696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d301e170d3039303930373134333834345a170d3239313232353134333834345a3081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b130569707343 EAP-Message = 0x41311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7efcc8030b091244fb068f8c3ca2d1538555882e23863b0f7a3926f83b8b05eb08cac54b177d050e097b390ad8ab31f392b4556f7aae2df7cb2ec6f532f9acbd0e666cbc913e872e2b4cd31578712b593e8fa72ceea47f28cb4b063d70400b764363997e895f188f9710d03278c61cf0883964f83c54ee85cf80670f102aa1c1ea9c8aa7ee75dcd8d3c146f67d01ba923488b21283a8a4ce6 EAP-Message = 0x1131f9212eb26766 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f54fbf86b215acf310f5bc900 Finished request 33. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=80, length=181 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023e00061900 State = 0x51c5e19f54fbf86b215acf310f5bc900 Message-Authenticator = 0x419616a5e5f69204aaca365aa417d934 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 62 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 80 to 10.129.89.1 port 38848 EAP-Message = 0x013f03af1900c6296e9493cf4096fcb03dbfb2b493bf5671b6a54187b058b559232849b898f9501e2d15280b4cac49d184a99b9ae77254b738d0dbc9fea973d56d10cd8e75ebfe97fd803cfcb4d848f499460b8814a4b62edb4c60f421c16c809514d5afd50203010001a382022430820220301d0603551d0e0416041415a69680b1154b31c3c29cf6e7130b4bf318cd863081df0603551d230481d73081d4801415a69680b1154b31c3c29cf6e7130b4bf318cd86a181b8a481b53081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043 EAP-Message = 0x657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d820100300c0603551d13040530030101ff300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304301d0603551d11041630148112676c6f62616c30314069707363612e636f6d301d0603 EAP-Message = 0x551d12041630148112676c6f62616c30314069707363612e636f6d30410603551d1f043a30383036a034a0328630687474703a2f2f63726c676c6f62616c30312e69707363612e636f6d2f63726c2f63726c676c6f62616c30312e63726c303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f63726c676c6f62616c30312e69707363612e636f6d300d06092a864886f70d0101050500038201010018f4aefe800f8ec1776fa25a47489f2355a1536bf95da730a524be432ff8c1d157f93e2c8025cc46a936f3495b1df67cd763b34d3e78f6a7b40277f8790d3e6acb1860b8fd00af0cdd54e3548f223df310 EAP-Message = 0x6f110db51e7a8d27cc08b85bc3b81a5f2ba7603f001cf70f5c4266649e8712807089e0fa57280e4e1f102fd90580b6802f1c69f0f6b66534056fcad93ef8d45d3732c7b82bccff73930071e001c8aa43bda9f1cefa80f9f1431291a665e560074d47ba2b2f04f64a8529886510c9b253629c6c9b605c1a1bd3aec51d729906ff05cc862673b4d45405dd1e6b003bb789e8e391022012ebefe9fe0a29238123a300da70cc925f3723d01c7b355c037a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f57faf86b215acf310f5bc900 Finished request 34. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=81, length=501 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x023f014419001603010106100001020100615e16737ca27664e029e9464b6d38d0e96d10e9fa36dcc345d6c2bebc5b46b7f6f57dee94e3445d5addd0c341d0330731effdda2d1300f6163f8f9e639e7f29d6d5e01f75cc38ae18ea18c5db3b29b96255f6928c2a420882655e8cb81ea6c6df4fe2f5d37b0de031b7c81556d94022fb272852e078572cba44e3e8151e9660e6816d10fdba3a51b36e43119417ce6ca34e1d37d659a2f8b1f8bb4248ed807392bf7f5f453cf26f00fbcdfc6ec84f1798737710ade7141b2ecd78d77e6ba428ba468a36405c92a816c5a4868fa9ebb0b5f8a726d4b1ce9892fa2fe554e645d16522c263f3c5f86cd03171d0 EAP-Message = 0x8053a3c19d3fe2901eac4ee34cc1a51f2d9068191403010001011603010028dc45b3ecdbce94b5a878b480e812ee79a9c17150a92671fa177236cf97bf02bffc1a52c026dbbb2a State = 0x51c5e19f57faf86b215acf310f5bc900 Message-Authenticator = 0xf86876fb7612ab7ff8a644817293b53b # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 63 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data SSL: adding session 189eb3cfe1bd6b3b6b87fa215018f64ad2b414cda3740799b6d6c814cb3f7700 to cache [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 81 to 10.129.89.1 port 38848 EAP-Message = 0x0140003919001403010001011603010028120ba7581f67afee3fe93d71202a3b8eef45d44ed59366641e4e901d1d30295d67644c20f0636c95 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f5685f86b215acf310f5bc900 Finished request 35. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=82, length=181 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x024000061900 State = 0x51c5e19f5685f86b215acf310f5bc900 Message-Authenticator = 0x9876211434267235d34177c6baada0a0 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 64 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 82 to 10.129.89.1 port 38848 EAP-Message = 0x0141002b19001703010020a7bad7bd5b08f24e8165859c7202d96fbb32d601cf63a81969b692422bbce7f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f5984f86b215acf310f5bc900 Finished request 36. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=83, length=247 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x02410048190017030100182c80dd585307c00c58051a0ea4faa27e4a5df95720469a7a170301002095ab5282b093ae854c63cc7d3ba67d506c23bddff057c2a98511a4bf854240c9 State = 0x51c5e19f5984f86b215acf310f5bc900 Message-Authenticator = 0x39c120e0dca7d430448165505dc8dd6c # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 65 length 72 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - pruebita [peap] Got inner identity 'pruebita' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0241000d017072756562697461 server { [peap] Setting User-Name to pruebita Sending tunneled request EAP-Message = 0x0241000d017072756562697461 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" NAS-IP-Address = 10.129.89.1 server inner-tunnel-peap { # Executing section authorize from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 65 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pruebita [ldap] expand: (uid=%u) -> (uid=pruebita) [ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=sarlanga,dc=edu, with filter (uid=pruebita) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel-peap [peap] Got tunneled reply code 11 EAP-Message = 0x014200221a0142001d1044c4caf16d9a7e43d6e3fbad805501237072756562697461 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63fdd7b563bfcd4b0f3934ebfe7a85b9 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x014200221a0142001d1044c4caf16d9a7e43d6e3fbad805501237072756562697461 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63fdd7b563bfcd4b0f3934ebfe7a85b9 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 83 to 10.129.89.1 port 38848 EAP-Message = 0x0142004319001703010038359eaf0224c732f9e83935d0da09d2f6b169503605cb8311ba6d9e3485d51cb6a25ddfc336d6bae781180ce0d413562af3bdcfde5180c80f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f5887f86b215acf310f5bc900 Finished request 37. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=84, length=303 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0242008019001703010018f3e980063f7cfb058900cf00b2760b697de7aba67e199b4f17030100588febd03280df614d10106a127d9ce496c4fccaad9681a12dd4f8d4641a2e337486c608e136ed1cbeac8af33318136b2dfa9b9a952cb7b61837ad54a90d1330537628ee52fde4e6af685b3d573bbbf04388bbaeecb4ea8e17 State = 0x51c5e19f5887f86b215acf310f5bc900 Message-Authenticator = 0x0c1ae63b5d7e03e33800ad87364eed83 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 66 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x024200431a0242003e314a6d7e7fe98db69bbc4fc8cceb9dfb8d0000000000000000cedcbce414bab2e5f0f7952223f1b126947ce80dd6929378007072756562697461 server { [peap] Setting User-Name to pruebita Sending tunneled request EAP-Message = 0x024200431a0242003e314a6d7e7fe98db69bbc4fc8cceb9dfb8d0000000000000000cedcbce414bab2e5f0f7952223f1b126947ce80dd6929378007072756562697461 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pruebita" State = 0x63fdd7b563bfcd4b0f3934ebfe7a85b9 NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" NAS-IP-Address = 10.129.89.1 server inner-tunnel-peap { # Executing section authorize from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 66 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pruebita [ldap] expand: (uid=%u) -> (uid=pruebita) [ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=sarlanga,dc=edu, with filter (uid=pruebita) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: pruebita [mschap] Told to do MS-CHAPv2 for pruebita with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject MSCHAP Failure ++[eap] returns handled } # server inner-tunnel-peap [peap] Got tunneled reply code 11 EAP-Message = 0x014300121a0442000d453d36393120523d31 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63fdd7b562becd4b0f3934ebfe7a85b9 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x014300121a0442000d453d36393120523d31 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63fdd7b562becd4b0f3934ebfe7a85b9 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 84 to 10.129.89.1 port 38848 EAP-Message = 0x014300331900170301002888636a6445053d18018a230fd21f9959466fd90802b7210f8b788a09a4494fc64d1f7b6ae050f021 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f5b86f86b215acf310f5bc900 Finished request 38. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=85, length=239 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0243004019001703010018e16554d32843bdba9b707d3e41f21023c12b34e85e7f7df517030100186d29c7588683f31175ad338f971a6426cac9ffe6b6eaa912 State = 0x51c5e19f5b86f86b215acf310f5bc900 Message-Authenticator = 0x10df06a435d2fc959d36eb7ecb637292 # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 67 length 64 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x024300061a04 server { [peap] Setting User-Name to pruebita Sending tunneled request EAP-Message = 0x024300061a04 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "pruebita" State = 0x63fdd7b562becd4b0f3934ebfe7a85b9 NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" NAS-IP-Address = 10.129.89.1 server inner-tunnel-peap { # Executing section authorize from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 67 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for pruebita [ldap] expand: (uid=%u) -> (uid=pruebita) [ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=people,dc=sarlanga,dc=edu, with filter (uid=pruebita) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect ( [ldap] User not found): [pruebita] (from client oficina-test port 3 cli E8-3E-B6-26-C3-28 via TLS tunnel) } # server inner-tunnel-peap [peap] Got tunneled reply code 3 EAP-Message = 0x04430004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04430004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 85 to 10.129.89.1 port 38848 EAP-Message = 0x0144002b1900170301002083387441294d575a9779c1b19e136da15935afcd9f001a1d2e4b5b87e236d164 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x51c5e19f5a81f86b215acf310f5bc900 Finished request 39. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.129.89.1 port 38848, id=86, length=247 User-Name = "pruebita" NAS-Identifier = "AP-PVIII-IX-OF" NAS-Port = 3 Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I" Calling-Station-Id = "E8-3E-B6-26-C3-28" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x024400481900170301001854ac58595af316bc6d8484be6039a67508204d0ecaea270a1703010020b983c87ab4edfd3bc018184ba6271d50216bc96f1f430e19808d9e1a4ec9180a State = 0x51c5e19f5a81f86b215acf310f5bc900 Message-Authenticator = 0xae08495c38c1461cb67d946cdf22ceae # Executing section authorize from file /etc/raddb-testing/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: %{Virtual-Server} -> [auth_log] ... expanding second conditional [auth_log] expand: /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d -> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601 [auth_log] expand: %t -> Fri Jun 1 07:43:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "pruebita", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 68 length 72 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. SSL: Removing session 189eb3cfe1bd6b3b6b87fa215018f64ad2b414cda3740799b6d6c814cb3f7700 from the cache [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [pruebita] (from client oficina-test port 3 cli E8-3E-B6-26-C3-28) Using Post-Auth-Type Reject # Executing group from file /etc/raddb-testing/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> pruebita attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 40 for 1 seconds Going to the next request Waking up in 0.9 seconds. -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
Sergio Belkin wrote:
I've appended something like to huntgroups file
mb NAS-IP-Address == 10.129.189.1 mb NAS-IP-Address == 10.129.84.1 mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
And in users files:
pruebita Huntgroup-Name == "mb",Cleartext-Password := "pruebon"
But is not working user pruebita does not get an Access-Accept
Please could you help me to solve it?
You edited the default configuration and broke it. Don't do that. You've set "copy_request_to_tunnel", which is good. It means that the huntgroup check will work. You've deleted "files" from raddb/sites-available/inner-tunnel. That's why it doesn't work. Add it back, and it will work. In 2.1.12, read the comments at the top of raddb/sites-available/inner-tunnel. It tells you how to test the inner-tunnel configuration. It tells you what NOT to do. i.e. tested PEAP before testing that the inner-tunnel config works. Alan DeKok.
2012/6/4 Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
I've appended something like to huntgroups file
mb NAS-IP-Address == 10.129.189.1 mb NAS-IP-Address == 10.129.84.1 mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
And in users files:
pruebita Huntgroup-Name == "mb",Cleartext-Password := "pruebon"
But is not working user pruebita does not get an Access-Accept
Please could you help me to solve it?
You edited the default configuration and broke it. Don't do that.
You've set "copy_request_to_tunnel", which is good. It means that the huntgroup check will work.
You've deleted "files" from raddb/sites-available/inner-tunnel. That's why it doesn't work. Add it back, and it will work.
In 2.1.12, read the comments at the top of raddb/sites-available/inner-tunnel. It tells you how to test the inner-tunnel configuration. It tells you what NOT to do.
i.e. tested PEAP before testing that the inner-tunnel config works.
Alan DeKok. -
Thanks Alan for you answer. I haven't deleted anything respect to configuration files per default: 32,36c32,36 < listen { < ipaddr = 127.0.0.1 < port = 18120 < type = auth < } ---
#listen { # ipaddr = 127.0.0.1 # port = 18120 # type = auth #} 142c142 < # ldap
ldap
230,232c230,232 < # Auth-Type LDAP { < # ldap < # } ---
Auth-Type LDAP { ldap }
271a272,274
# Sergio reply_log
376a380,382
# Sergio post_proxy_log
Did I missed something? Thanks in advance -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
Sergio Belkin wrote:
I haven't deleted anything respect to configuration files per default:
<shrug> You can believe what you want, or you can believe the server output.
Did I missed something?
The debug for the "inner-tunnel" *clearly* shows NOT using the "files" module. Go fix that. Alan DeKok.
2012/6/4 Alan DeKok <aland@deployingradius.com>:
The debug for the "inner-tunnel" *clearly* shows NOT using the "files" module.
So, sorry for the stupid questions but how can I do that It's true what you say about debug output, but I "files" is in inner-tunnel configuration, I tried putting "files" above of chap, but doesn't change anything. Please could you help me I've read the file and output, and also run radtest, but I don't figure out what I should do Mi current file is: listen { ipaddr = 127.0.0.1 port = 18121 type = auth } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { reply_log Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { post_proxy_log eap } EOF Thanks in advance! -- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
Sergio Belkin wrote:
2012/6/4 Alan DeKok <aland@deployingradius.com>:
The debug for the "inner-tunnel" *clearly* shows NOT using the "files" module.
So, sorry for the stupid questions but how can I do that
If it's in the file, it's used.
It's true what you say about debug output, but I "files" is in inner-tunnel configuration, I tried putting "files" above of chap, but doesn't change anything.
OK.
Please could you help me I've read the file and output, and also run radtest, but I don't figure out what I should do
? Run radtest until it works. As input, use the packets the server prints out in debugging mode. Change the server configuration until it works. The whole *point* of debugging mode is to tell you what's going on. The point of printing out the packets is so that you can use them for testing. Alan DeKok.
On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
2012/6/4 Alan DeKok <aland@deployingradius.com>:
The debug for the "inner-tunnel" *clearly* shows NOT using the "files" module.
So, sorry for the stupid questions but how can I do that
It's true what you say about debug output, but I "files" is in inner-tunnel configuration, I tried putting "files" above of chap, but doesn't change anything.
Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap You've changed the config, added this file, and not added the files module to it.
Mi current file is:
That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead. Using different inner-tunnel configs for TTLS and PEAP is just going to cause you pain, unless you REALLY know what you're letting yourself in for. Go back to the default config and use the same for both. The debug output doesn't lie. If it says the module isn't being called when you've just added it, then the module is not being called and you're configuring things in the wrong place. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
2012/6/5 Matthew Newton <mcn4@leicester.ac.uk>:
On Mon, Jun 04, 2012 at 11:43:07AM -0300, Sergio Belkin wrote:
2012/6/4 Alan DeKok <aland@deployingradius.com>:
The debug for the "inner-tunnel" *clearly* shows NOT using the "files" module.
So, sorry for the stupid questions but how can I do that
It's true what you say about debug output, but I "files" is in inner-tunnel configuration, I tried putting "files" above of chap, but doesn't change anything.
Look at /etc/raddb-testing/sites-enabled/inner-tunnel-peap
You've changed the config, added this file, and not added the files module to it.
How a module is added?
Mi current file is:
That's probably /etc/raddb-testing/sites-enabled/inner-tunnel instead.
Yes it is
Using different inner-tunnel configs for TTLS and PEAP is just going to cause you pain, unless you REALLY know what you're letting yourself in for. Go back to the default config and use the same for both.
I've added this files because I like to separate logs when supplicants are using PEAP or TTLS Is there a better way of doing that?
The debug output doesn't lie. If it says the module isn't being called when you've just added it, then the module is not being called and you're configuring things in the wrong place.
I don't blame debug :) I want to learn. Sorry but I repeat the question how a module is added? because "files" is statament is present on both files /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel Thanks again
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
I've added this files because I like to separate logs when supplicants are using PEAP or TTLS
I'd still use just one file, and filter the logs instead.
Is there a better way of doing that?
There may be several ways. The first one that comes to mind is just pulling the EAP type out of the EAP-Message attributes. PEAP connections will have an EAP-Message attribute that matches the regexp /^0x........19/, whereas TTLS connections will match /^0x........15/. Alternatively, and probably easier in the long run, add %{EAP-Type} to linelog, so you get the name directly in your logs. Add it in the outer, and you'll see TTLS or PEAP. Add it in the inner, and you'll see the inner EAP type, such as MS-CHAP-V2.
I want to learn. Sorry but I repeat the question how a module is added? because "files" is statament is present on both files /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel
Apologies - you're right, it is being called. ++[files] returns noop Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
2012/6/6 Matthew Newton <mcn4@leicester.ac.uk>:
On Wed, Jun 06, 2012 at 10:28:27AM -0300, Sergio Belkin wrote:
I've added this files because I like to separate logs when supplicants are using PEAP or TTLS
I'd still use just one file, and filter the logs instead.
Is there a better way of doing that?
There may be several ways. The first one that comes to mind is just pulling the EAP type out of the EAP-Message attributes.
PEAP connections will have an EAP-Message attribute that matches the regexp /^0x........19/, whereas TTLS connections will match /^0x........15/.
Alternatively, and probably easier in the long run, add %{EAP-Type} to linelog, so you get the name directly in your logs. Add it in the outer, and you'll see TTLS or PEAP. Add it in the inner, and you'll see the inner EAP type, such as MS-CHAP-V2.
Good idea, I've tried appending %{EAP-Type) that to detail.log but sending nothing eg: auth-detail-AP-XXX-DEFAULT--20120606 Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
I want to learn. Sorry but I repeat the question how a module is added? because "files" is statament is present on both files /etc/raddb-testing/sites-enabled/inner-tunnel-peap and /etc/raddb-testing/sites-enabled/inner-tunnel
Apologies - you're right, it is being called.
++[files] returns noop
:-)
Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups.
Thanks guys it dit it! I just realize that modules must be appended in inner-tunnel files to load them :) TIA
Cheers,
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> -
-- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log
What does that mean?
but sending nothing eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
As *ALWAYS*, read the debug output. You're very dedicated to giving as little information as possible. Why? Alan DeKok.
2012/6/6 Alan DeKok <aland@deployingradius.com>:
Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log
What does that mean?
but sending nothing eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
As *ALWAYS*, read the debug output.
You're very dedicated to giving as little information as possible. Why?
OK, you're right in my next message I will include it :)
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log but sending nothing eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
You've not really explained what you've done. However, I *guess* that you have added %{EAP-Type} to the filename (detailfile) in the detail config. Look, though, where detail is getting called, and where eap is called, in the authorize section. It goes in order. The eap module sets EAP-Type, detail is called before. So you need to call the log after eap. But the gotcha is that eap will short circuit the return in the challenges, so you won't call the detail module if you put it after eap. I'd suggest you let all the incoming logs go to a single location where they are, then you add a new detail (or linelog) module to post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened. Alternatively, you can use my other suggestion anywhere you like. If you pick data out of EAP-Message yourself, you get to do what you want with it (and keep the shards when it shatters). Totally untested unlang. if (%{EAP-Message} =~ /^0x........19/) { detail_log_peap } elsif (%{EAP-Message} =~ /^0x........15/) { detail_log_ttls } else { detail_log_other } Note that things *will* hit detail_log_other. EAP Identity, for instance, before the eap type has been agreed. If you do this in the inner server, be prepared for unexpectedness. In short, understand EAP first. I just chuck the raw data out with detail and leave it be. The useful stuff is pristinely formatted with gentle loving care by the linelog module, where it sits in a nice greppable format for me. One log entry, in post-auth, after the useful stuff happened. Any more detail needed? Just go to the dirty detail log and dig it out. Happens so rarely it wouldn't matter if it was in binary format and had to be read with a hex editor in Windows...
Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups.
Thanks guys it dit it! I just realize that modules must be appended in inner-tunnel files to load them :)
Yeah, that's why it's called a virtual server. It's treated the same as the default server, the flow is the same. No module listed there? It doesn't happen. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
2012/6/6 Matthew Newton <mcn4@leicester.ac.uk>:
On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
Good idea, I've tried appending %{EAP-Type) that to detail.log but sending nothing eg:
auth-detail-AP-XXX-DEFAULT--20120606
Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
You've not really explained what you've done.
However, I *guess* that you have added %{EAP-Type} to the filename (detailfile) in the detail config.
Yes, you guess well
Look, though, where detail is getting called, and where eap is called, in the authorize section. It goes in order. The eap module sets EAP-Type, detail is called before.
So you need to call the log after eap. But the gotcha is that eap will short circuit the return in the challenges, so you won't call the detail module if you put it after eap.
Nice to know it :)
I'd suggest you let all the incoming logs go to a single location where they are, then you add a new detail (or linelog) module to post-auth. That can use %{EAP-Type}, as it's *after* EAP has happened.
I've tested it and works, nice! But please keep on reading:
Alternatively, you can use my other suggestion anywhere you like. If you pick data out of EAP-Message yourself, you get to do what you want with it (and keep the shards when it shatters).
Totally untested unlang.
if (%{EAP-Message} =~ /^0x........19/) { detail_log_peap } elsif (%{EAP-Message} =~ /^0x........15/) { detail_log_ttls } else { detail_log_other }
Note that things *will* hit detail_log_other. EAP Identity, for instance, before the eap type has been agreed. If you do this in the inner server, be prepared for unexpectedness. In short, understand EAP first.
Good, but it sounds somewhat complex :)
I just chuck the raw data out with detail and leave it be. The useful stuff is pristinely formatted with gentle loving care by the linelog module, where it sits in a nice greppable format for me. One log entry, in post-auth, after the useful stuff happened. Any more detail needed? Just go to the dirty detail log and dig it out. Happens so rarely it wouldn't matter if it was in binary format and had to be read with a hex editor in Windows...
Wow, linelog seems interesting, I've tried but only is logging Access-Request, why? I add my debug (I plan to get rid out of inner-tunnel-peap file): FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb-testing/radiusd.conf including configuration file /etc/raddb-testing/proxy.conf including configuration file /etc/raddb-testing/clients.conf including files in directory /etc/raddb-testing/modules/ including configuration file /etc/raddb-testing/modules/chap including configuration file /etc/raddb-testing/modules/mschap including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login including configuration file /etc/raddb-testing/modules/exec including configuration file /etc/raddb-testing/modules/realm including configuration file /etc/raddb-testing/modules/checkval including configuration file /etc/raddb-testing/modules/rediswho including configuration file /etc/raddb-testing/modules/passwd including configuration file /etc/raddb-testing/modules/attr_filter including configuration file /etc/raddb-testing/modules/linelog including configuration file /etc/raddb-testing/modules/wimax including configuration file /etc/raddb-testing/modules/pam including configuration file /etc/raddb-testing/modules/inner-eap including configuration file /etc/raddb-testing/modules/echo including configuration file /etc/raddb-testing/modules/soh including configuration file /etc/raddb-testing/modules/replicate including configuration file /etc/raddb-testing/modules/acct_unique including configuration file /etc/raddb-testing/modules/etc_group including configuration file /etc/raddb-testing/modules/pap including configuration file /etc/raddb-testing/modules/expr including configuration file /etc/raddb-testing/modules/smbpasswd including configuration file /etc/raddb-testing/modules/attr_rewrite including configuration file /etc/raddb-testing/modules/radutmp including configuration file /etc/raddb-testing/modules/mac2ip including configuration file /etc/raddb-testing/modules/logintime including configuration file /etc/raddb-testing/modules/sql_log including configuration file /etc/raddb-testing/modules/smsotp including configuration file /etc/raddb-testing/modules/preprocess including configuration file /etc/raddb-testing/modules/policy including configuration file /etc/raddb-testing/modules/cui including configuration file /etc/raddb-testing/modules/perl including configuration file /etc/raddb-testing/modules/digest including configuration file /etc/raddb-testing/modules/mac2vlan including configuration file /etc/raddb-testing/modules/otp including configuration file /etc/raddb-testing/modules/files including configuration file /etc/raddb-testing/modules/always including configuration file /etc/raddb-testing/modules/ntlm_auth including configuration file /etc/raddb-testing/modules/detail including configuration file /etc/raddb-testing/modules/krb5 including configuration file /etc/raddb-testing/modules/sradutmp including configuration file /etc/raddb-testing/modules/opendirectory including configuration file /etc/raddb-testing/modules/counter including configuration file /etc/raddb-testing/modules/detail.example.com including configuration file /etc/raddb-testing/modules/ippool including configuration file /etc/raddb-testing/modules/expiration including configuration file /etc/raddb-testing/modules/dynamic_clients including configuration file /etc/raddb-testing/modules/detail.log including configuration file /etc/raddb-testing/modules/redis including configuration file /etc/raddb-testing/modules/ldap including configuration file /etc/raddb-testing/modules/unix including configuration file /etc/raddb-testing/eap.conf including configuration file /etc/raddb-testing/policy.conf including files in directory /etc/raddb-testing/sites-enabled/ including configuration file /etc/raddb-testing/sites-enabled/status including configuration file /etc/raddb-testing/sites-enabled/control-socket including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel including configuration file /etc/raddb-testing/sites-enabled/default including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb-testing/dictionary main { name = "radiusd" prefix = "/usr/local-test" localstatedir = "/usr/local-test/var" sbindir = "/usr/local-test/sbin" logdir = "/usr/local-test/var/log/radius" run_dir = "/usr/local-test/var/run/radiusd" libdir = "/usr/local-test/lib" radacctdir = "/usr/local-test/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid" checkrad = "/usr/local-test/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 client 192.168.1.5 { Module: Linked to module rlm_linelog Module: Instantiating module "linelog" from file /etc/raddb-testing/modules/linelog linelog { filename = "/usr/local-test/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" conns: 0xec4c700 ipaddr = 127.0.0.1 port = 18120 client admin { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "YellowSubmarine" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18121 } ... adding new socket proxy address * port 59646 Listening on authentication address 192.168.1.5 port 1812 Listening on accounting address 192.168.1.5 port 1813 Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock Listening on status address 127.0.0.1 port 18120 as server status Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel Listening on proxy address 192.168.1.5 port 1814 Ready to process requests. rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402, id=192, length=199 Acct-Session-Id = "00000026-0000003A" Acct-Status-Type = Stop Acct-Authentic = RADIUS User-Name = "fsaze1" NAS-Identifier = "AP-PVIII-V" NAS-Port = 4 Called-Station-Id = "00-23-69-49-06-2C:sarlanga-I" Calling-Station-Id = "60-FA-CD-42-C0-CE" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Time = 30 Acct-Input-Packets = 98 Acct-Output-Packets = 26 Acct-Input-Octets = 11164 Acct-Output-Octets = 7989 Event-Timestamp = "Jun 7 2012 10:37:44 ART" Acct-Terminate-Cause = User-Request # Executing section preacct from file /etc/raddb-testing/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address = 10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id = "00000026-0000003A",User-Name = "fsaze1"' [acct_unique] Acct-Unique-Session-ID = "66c3a7d6e3d79d1a". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "fsaze1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb-testing/sites-enabled/default +- entering group accounting {...} [detail] expand: /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607 [detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607 [detail] expand: %t -> Thu Jun 7 10:37:44 2012 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /usr/local-test/var/log/radius/radutmp -> /usr/local-test/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> fsaze1 ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> fsaze1 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 192 to 10.129.85.1 port 39402 Finished request 0. End of Output Thanks in advance
Add 'preprocess' to the top of the authorize{} section in your inner-tunnel-peap / inner-tunnel files. That's the module that checks huntgroups.
Thanks guys it dit it! I just realize that modules must be appended in inner-tunnel files to load them :)
Yeah, that's why it's called a virtual server. It's treated the same as the default server, the flow is the same. No module listed there? It doesn't happen.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin http://www.sergiobelkin.com Watch More TV http://sebelk.blogspot.com LPIC-2 Certified - http://www.lpi.org
On Thu, Jun 07, 2012 at 12:59:24PM -0300, Sergio Belkin wrote:
I just chuck the raw data out with detail and leave it be. The useful stuff is pristinely formatted with gentle loving care by the linelog module, where it sits in a nice greppable format for
Wow, linelog seems interesting, I've tried but only is logging Access-Request, why?
You didn't call it in the accounting{} section? You won't get an EAP-Type in accounting, though. There's no EAP involved there. Matthew
rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402, id=192, length=199 Acct-Session-Id = "00000026-0000003A" Acct-Status-Type = Stop Acct-Authentic = RADIUS User-Name = "fsaze1" NAS-Identifier = "AP-PVIII-V" NAS-Port = 4 Called-Station-Id = "00-23-69-49-06-2C:sarlanga-I" Calling-Station-Id = "60-FA-CD-42-C0-CE" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" Acct-Session-Time = 30 Acct-Input-Packets = 98 Acct-Output-Packets = 26 Acct-Input-Octets = 11164 Acct-Output-Octets = 7989 Event-Timestamp = "Jun 7 2012 10:37:44 ART" Acct-Terminate-Cause = User-Request # Executing section preacct from file /etc/raddb-testing/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address = 10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id = "00000026-0000003A",User-Name = "fsaze1"' [acct_unique] Acct-Unique-Session-ID = "66c3a7d6e3d79d1a". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "fsaze1", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop # Executing section accounting from file /etc/raddb-testing/sites-enabled/default +- entering group accounting {...} [detail] expand: /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607 [detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607 [detail] expand: %t -> Thu Jun 7 10:37:44 2012 ++[detail] returns ok ++[unix] returns ok [radutmp] expand: /usr/local-test/var/log/radius/radutmp -> /usr/local-test/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> fsaze1 ++[radutmp] returns ok ++[exec] returns noop [attr_filter.accounting_response] expand: %{User-Name} -> fsaze1 attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 192 to 10.129.85.1 port 39402 Finished request 0.
End of Output
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Sergio Belkin