Authentication with rlm_python module failes for iphone, works for android, windows, linux
Hello list, i hope this is the right list for this question. I've written a python module to be used with freeradius and it works for wlan authentication (mschapv2) with windows, linux and android devices. But it fails with iphone/ios. With iOS is see the request in my python module and it authenticates against my server successfully but the iPhone always tells me "Unable to join the network <ssid>". My python module can be found here: https://github.com/the2nd/otpme/blob/main/otpme/lib/freeradius/otpme.py As it works with linux, windows and android i think its not completely wrong. Debug log of a successful authentication with my android device: FreeRADIUS Version 3.2.6 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including configuration file /var/run/otpme/freeradius/radiusd.conf including configuration file /var/run/otpme/freeradius/clients.conf main { security { user = "otpme" group = "otpme" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/otpme" run_dir = "/var/run/otpme" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/otpme" run_dir = "/var/run/otpme" libdir = "/usr/lib" radacctdir = "/var/log/otpme/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 16384 max_fds = 512 postauth_client_lost = no pidfile = "/var/run/otpme/pidfiles/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes require_message_authenticator = "auto" limit_proxy_state = "auto" } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### Debugger not attached # Creating Auth-Type = python_otpme # Creating Auth-Type = EAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_mschap # Loading module "mschap" from file /var/run/otpme/freeradius/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_eap # Loading module "eap" from file /var/run/otpme/freeradius/radiusd.conf eap { default_eap_type = "mschapv2" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 dedup_key = "" } # Loading module "mschap_otp" from file /var/run/otpme/freeradius/radiusd.conf mschap mschap_otp { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/otpme-auth verify_mschap --socket '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap_otp:Challenge}:-00}' '%{%{mschap_otp:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_python3 # Loading module "python_otpme" from file /var/run/otpme/freeradius/radiusd.conf python3 python_otpme { mod_instantiate = "otpme.lib.freeradius.otpme" func_instantiate = "instantiate" mod_authorize = "otpme.lib.freeradius.otpme" func_authorize = "authorize" mod_authenticate = "otpme.lib.freeradius.otpme" func_authenticate = "authenticate" python_path = "/var/run/otpme/freeradius/mods-config/python3:/opt/otpme/lib/python3.11/site-packages" cext_compat = yes pass_all_vps = no pass_all_vps_dict = no } # Instantiating module "mschap" from file /var/run/otpme/freeradius/radiusd.conf rlm_mschap (mschap): using internal authentication # Instantiating module "eap" from file /var/run/otpme/freeradius/radiusd.conf # Linked to sub-module rlm_eap_md5 rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 pem_file_type = yes private_key_file = "/var/run/otpme/freeradius/key.pem" certificate_file = "/var/run/otpme/freeradius/cert.pem" ca_file = "/var/run/otpme/freeradius/ca.pem" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } tls: Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1' tls: Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1_1' # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "otpme" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "otpme" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "mschap_otp" from file /var/run/otpme/freeradius/radiusd.conf rlm_mschap (mschap_otp): authenticating by calling 'ntlm_auth' # Instantiating module "python_otpme" from file /var/run/otpme/freeradius/radiusd.conf Python version: 3.11.13 (main, Jul 3 2025, 11:31:00) [GCC 12.2.1 20230428] otpme.py: OTPme config verfied successful. otpme.py: Instantiated OTPme module. } # modules radiusd: #### Loading Virtual Servers #### server { # from file /var/run/otpme/freeradius/radiusd.conf } # server server otpme { # from file /var/run/otpme/freeradius/radiusd.conf # Loading authenticate {...} Compiling Auth-Type EAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} } # server otpme radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 client 10.219.195.225 { ipv4addr = 10.219.195.225 secret = <<< secret >>> shortname = "ap01-hbap-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.219.195.223 { ipv4addr = 10.219.195.223 secret = <<< secret >>> shortname = "cloudix-nextcloud-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 127.0.0.1 { ipv4addr = 127.0.0.1 secret = <<< secret >>> shortname = "localhost-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.219.195.100 { ipv4addr = 10.219.195.100 secret = <<< secret >>> shortname = "sharewatcher-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.219.195.254 { ipv4addr = 10.219.195.254 secret = <<< secret >>> shortname = "smtp-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } } Listening on auth address * port 1812 bound to server otpme Ready to process requests (0) Received Access-Request Id 162 from 10.219.195.225:38276 to 10.219.195.1:1812 length 204 (0) User-Name = "anonymous" (0) NAS-Identifier = "ap01-hbap" (0) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 1 (0) Calling-Station-Id = "42-33-75-43-BE-2D" (0) Connect-Info = "CONNECT 54Mbps 802.11a" (0) Acct-Session-Id = "BF0C189E956F9999" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x0277000e01616e6f6e796d6f7573 (0) Message-Authenticator = 0xe8db3a835195304aa1c2e8655f6cea44 (0) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (0) authorize { (0) eap: Peer sent EAP Response (code 2) ID 119 length 14 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) if (!control:Auth-Type) { (0) if (!control:Auth-Type) -> FALSE (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (0) Auth-Type EAP { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_mschapv2 to process data (0) eap_mschapv2: Issuing Challenge (0) eap: Sending EAP Request (code 1) ID 120 length 42 (0) eap: EAP session adding &reply:State = 0x64b8ac1d64c0b641 (0) [eap] = handled (0) } # Auth-Type EAP = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) Sent Access-Challenge Id 162 from 10.219.195.1:1812 to 10.219.195.225:38276 length 100 (0) EAP-Message = 0x0178002a1a0178002510784b2270bd2bafab1ed5f5a37c9ae5e8667265657261646975732d332e322e36 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x64b8ac1d64c0b641aa9dae41afb34712 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 163 from 10.219.195.225:38276 to 10.219.195.1:1812 length 214 (1) User-Name = "anonymous" (1) NAS-Identifier = "ap01-hbap" (1) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "42-33-75-43-BE-2D" (1) Connect-Info = "CONNECT 54Mbps 802.11a" (1) Acct-Session-Id = "BF0C189E956F9999" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x027800060319 (1) State = 0x64b8ac1d64c0b641aa9dae41afb34712 (1) Message-Authenticator = 0x2bd3281b58e070552d01366780334918 (1) session-state: No cached attributes (1) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (1) authorize { (1) eap: Peer sent EAP Response (code 2) ID 120 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) if (!control:Auth-Type) { (1) if (!control:Auth-Type) -> FALSE (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (1) Auth-Type EAP { (1) eap: Removing EAP session with state 0x64b8ac1d64c0b641 (1) eap: Previous EAP request found for state 0x64b8ac1d64c0b641, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) PEAP -Initiating new session (1) eap: Sending EAP Request (code 1) ID 121 length 6 (1) eap: EAP session adding &reply:State = 0x64b8ac1d65c1b541 (1) [eap] = handled (1) } # Auth-Type EAP = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 163 from 10.219.195.1:1812 to 10.219.195.225:38276 length 64 (1) EAP-Message = 0x017900061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x64b8ac1d65c1b541aa9dae41afb34712 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 164 from 10.219.195.225:38276 to 10.219.195.1:1812 length 446 (2) User-Name = "anonymous" (2) NAS-Identifier = "ap01-hbap" (2) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 1 (2) Calling-Station-Id = "42-33-75-43-BE-2D" (2) Connect-Info = "CONNECT 54Mbps 802.11a" (2) Acct-Session-Id = "BF0C189E956F9999" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Framed-MTU = 1400 (2) EAP-Message = 0x027900ee1980000000e416030100df010000db0303204b82994ddeede4b1efd09220705397da7cefa712c268070e9c45dd100931cd20e74544c9e44528171eb11e711a721ac7bce002642c974be41e1cbc3625b7f02d0022130113021303c02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f00350100007000170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201003300260024001d002032c7b45122c64b455fb50da767a2cc4ce59b726e3cd9bd403abba61c883ac722002d00020101002b0009080304030303020301 (2) State = 0x64b8ac1d65c1b541aa9dae41afb34712 (2) Message-Authenticator = 0xcc735b6b3bf60fe0d35655caee8b130a (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (2) authorize { (2) eap: Peer sent EAP Response (code 2) ID 121 length 238 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) if (!control:Auth-Type) { (2) if (!control:Auth-Type) -> FALSE (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (2) Auth-Type EAP { (2) eap: Removing EAP session with state 0x64b8ac1d65c1b541 (2) eap: Previous EAP request found for state 0x64b8ac1d65c1b541, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) EAP Peer says that the final record size will be 228 bytes (2) eap_peap: (TLS) EAP Got all data (228 bytes) (2) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (2) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (2) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (2) eap_peap: (TLS) PEAP - In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 122 length 1004 (2) eap: EAP session adding &reply:State = 0x64b8ac1d66c2b541 (2) [eap] = handled (2) } # Auth-Type EAP = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 164 from 10.219.195.1:1812 to 10.219.195.225:38276 length 1068 (2) EAP-Message = 0x017a03ec19c000000bd7160303003d020000390303406d024d9f92625990729dd1d0d2b54f155819983be5efc77c0843cfd0c7410400c02f000011ff01000100000b000403000102001700001603030a350b000a31000a2e000499308204953082027da003020102020705fea02d221361300d06092a864886f70d01010b05003076312a302806035504030c212f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f534954455f4341310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f5353310b3009060355040b0c024954301e170d3233303632313039313330395a170d3338303631373039313330395a3069311d301b06035504030c146b6f626c656e7a2e68626f73732e696e7465726e310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f535331 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x64b8ac1d66c2b541aa9dae41afb34712 (2) Finished request Waking up in 4.8 seconds. (3) Received Access-Request Id 165 from 10.219.195.225:38276 to 10.219.195.1:1812 length 214 (3) User-Name = "anonymous" (3) NAS-Identifier = "ap01-hbap" (3) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 1 (3) Calling-Station-Id = "42-33-75-43-BE-2D" (3) Connect-Info = "CONNECT 54Mbps 802.11a" (3) Acct-Session-Id = "BF0C189E956F9999" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x027a00061900 (3) State = 0x64b8ac1d66c2b541aa9dae41afb34712 (3) Message-Authenticator = 0xeb39f94920377984aec242aa3813e06a (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (3) authorize { (3) eap: Peer sent EAP Response (code 2) ID 122 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) if (!control:Auth-Type) { (3) if (!control:Auth-Type) -> FALSE (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (3) Auth-Type EAP { (3) eap: Removing EAP session with state 0x64b8ac1d66c2b541 (3) eap: Previous EAP request found for state 0x64b8ac1d66c2b541, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 123 length 1000 (3) eap: EAP session adding &reply:State = 0x64b8ac1d67c3b541 (3) [eap] = handled (3) } # Auth-Type EAP = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 165 from 10.219.195.1:1812 to 10.219.195.225:38276 length 1064 (3) EAP-Message = 0x017b03e819406729c41ca39fed55f40b0703e590f4ef3fe75165ed505d0e8e33187c7f82a4fa97311282257e3dca08d5818a76cee90d8aea88403b1d62eda2f8ed0e7cc7d72ce4f25e3497d7cbb88d5fb3e76fd5eb2cb7c29126896e5cf175ca9a6b177812f14e4ad1acc69c7a07a33ad3e880179c3971584f08442b7bfe40153886a8e68f88b2ebd088522f0214474a905d560fa04a8f20a966b67e072e644b106f92e95d3fc468afe1b60ff5b30eabfd9eb217f1847f6a24ab5f922365ecc2bb16be43951cbf4cf33735cd9fc4a0337c1632c68690fb8748b78e6f1fe6534e092fc9b9f25123a0a3ed26215dc6b0b765bbe2272058c9bf0935cb8ac47c5b1f7bd20e474f71a760f1db1b8a45da00058f3082058b30820373a003020102020705fea02cf10b27300d06092a864886f70d01010b05003077312b302906035504030c222f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f5245414c4d5f4341310b3009060355040613024445310c300a06 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x64b8ac1d67c3b541aa9dae41afb34712 (3) Finished request Waking up in 4.8 seconds. (4) Received Access-Request Id 166 from 10.219.195.225:38276 to 10.219.195.1:1812 length 214 (4) User-Name = "anonymous" (4) NAS-Identifier = "ap01-hbap" (4) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 1 (4) Calling-Station-Id = "42-33-75-43-BE-2D" (4) Connect-Info = "CONNECT 54Mbps 802.11a" (4) Acct-Session-Id = "BF0C189E956F9999" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Framed-MTU = 1400 (4) EAP-Message = 0x027b00061900 (4) State = 0x64b8ac1d67c3b541aa9dae41afb34712 (4) Message-Authenticator = 0xed6b5266742723e30e700e8b4f75739f (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (4) authorize { (4) eap: Peer sent EAP Response (code 2) ID 123 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) if (!control:Auth-Type) { (4) if (!control:Auth-Type) -> FALSE (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (4) Auth-Type EAP { (4) eap: Removing EAP session with state 0x64b8ac1d67c3b541 (4) eap: Previous EAP request found for state 0x64b8ac1d67c3b541, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 124 length 1000 (4) eap: EAP session adding &reply:State = 0x64b8ac1d60c4b541 (4) [eap] = handled (4) } # Auth-Type EAP = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 166 from 10.219.195.1:1812 to 10.219.195.225:38276 length 1064 (4) EAP-Message = 0x017c03e81940603ef2f2884b299ace212671ea16a0df8d30640875c03aaef2ac1e4cd0b45487fcb99234083e915ecded1171c41b3eb10b7c736e781a97f17e3aa3b85d0f5b5f35d09ce1570d621b9dc5be4b4f9ecae899a6d0949b7eed4ebcbf64a48aa40d41d3c07d33da2e8d816dd2eba719a8b75d53dfa7ecb5a35b7cec093710efea7ff30203010001a31d301b300c0603551d13040530030101ff300b0603551d0f040403020106300d06092a864886f70d01010b0500038202010048ed80b6b8d9f45c988d3a8c439f33112acf5a1a90a3e79a8622a919c7fa078d6bcfcb743a26ddd8bc1bc56f9071c89b8a986b33eeb0c6defe6f99834b9a90da8089c002815951b451f4b9d4ed8225888e5b77b04f9131487a830c71082209525143b143d9335eb02b382660f462e5b6d5e4dd2991b894148e23f6ce2be12f76406890fe48dba3e0c97b33089c20f7466a37daa34eb110f7d9cf47553fae6f7453ad44e48fa154f1db59066d3250216bde12320eed158d5197 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x64b8ac1d60c4b541aa9dae41afb34712 (4) Finished request Waking up in 4.8 seconds. (5) Received Access-Request Id 167 from 10.219.195.225:38276 to 10.219.195.1:1812 length 214 (5) User-Name = "anonymous" (5) NAS-Identifier = "ap01-hbap" (5) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 1 (5) Calling-Station-Id = "42-33-75-43-BE-2D" (5) Connect-Info = "CONNECT 54Mbps 802.11a" (5) Acct-Session-Id = "BF0C189E956F9999" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Framed-MTU = 1400 (5) EAP-Message = 0x027c00061900 (5) State = 0x64b8ac1d60c4b541aa9dae41afb34712 (5) Message-Authenticator = 0xd495f330c78e196eb11dc3995b88a242 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (5) authorize { (5) eap: Peer sent EAP Response (code 2) ID 124 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) if (!control:Auth-Type) { (5) if (!control:Auth-Type) -> FALSE (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (5) Auth-Type EAP { (5) eap: Removing EAP session with state 0x64b8ac1d60c4b541 (5) eap: Previous EAP request found for state 0x64b8ac1d60c4b541, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 125 length 55 (5) eap: EAP session adding &reply:State = 0x64b8ac1d61c5b541 (5) [eap] = handled (5) } # Auth-Type EAP = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 167 from 10.219.195.1:1812 to 10.219.195.225:38276 length 113 (5) EAP-Message = 0x017d00371900501263aad1ec47677b3c48e295891733e13224af67d346d25d68f13a27dd1b6060701aa6f7a4003816030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x64b8ac1d61c5b541aa9dae41afb34712 (5) Finished request Waking up in 4.8 seconds. (6) Received Access-Request Id 168 from 10.219.195.225:38276 to 10.219.195.1:1812 length 344 (6) User-Name = "anonymous" (6) NAS-Identifier = "ap01-hbap" (6) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 1 (6) Calling-Station-Id = "42-33-75-43-BE-2D" (6) Connect-Info = "CONNECT 54Mbps 802.11a" (6) Acct-Session-Id = "BF0C189E956F9999" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Framed-MTU = 1400 (6) EAP-Message = 0x027d008819800000007e1603030046100000424104d03773246fb4ee58f2b210f0d7e78f044a507dfb457b56f714c4f99379b7b54a81c78f01ba73c7a855d726a53e8e06b20bcdd4e9ff3eb63d2aab0e6075f697e114030300010116030300280000000000000000eb102ea08ec0ea6bf3ef1493251569d7fb91064e446e30581e1839c200c0883c (6) State = 0x64b8ac1d61c5b541aa9dae41afb34712 (6) Message-Authenticator = 0x06debe813bbb88b569740faf21dbdcb9 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (6) authorize { (6) eap: Peer sent EAP Response (code 2) ID 125 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) if (!control:Auth-Type) { (6) if (!control:Auth-Type) -> FALSE (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (6) Auth-Type EAP { (6) eap: Removing EAP session with state 0x64b8ac1d61c5b541 (6) eap: Previous EAP request found for state 0x64b8ac1d61c5b541, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_peap: (TLS) EAP Got all data (126 bytes) (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) PEAP - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 126 length 57 (6) eap: EAP session adding &reply:State = 0x64b8ac1d62c6b541 (6) [eap] = handled (6) } # Auth-Type EAP = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 168 from 10.219.195.1:1812 to 10.219.195.225:38276 length 115 (6) EAP-Message = 0x017e0039190014030300010116030300283fbfcc47e7ff15335d94fe3f3b7f1d2683dbacec358f9dfdd26341970bf6679ebf855cd4a6aafe17 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x64b8ac1d62c6b541aa9dae41afb34712 (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 169 from 10.219.195.225:38276 to 10.219.195.1:1812 length 214 (7) User-Name = "anonymous" (7) NAS-Identifier = "ap01-hbap" (7) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 1 (7) Calling-Station-Id = "42-33-75-43-BE-2D" (7) Connect-Info = "CONNECT 54Mbps 802.11a" (7) Acct-Session-Id = "BF0C189E956F9999" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x027e00061900 (7) State = 0x64b8ac1d62c6b541aa9dae41afb34712 (7) Message-Authenticator = 0xe942008c55e4659b864a6a49b1848ae5 (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (7) authorize { (7) eap: Peer sent EAP Response (code 2) ID 126 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) if (!control:Auth-Type) { (7) if (!control:Auth-Type) -> FALSE (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (7) Auth-Type EAP { (7) eap: Removing EAP session with state 0x64b8ac1d62c6b541 (7) eap: Previous EAP request found for state 0x64b8ac1d62c6b541, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 127 length 40 (7) eap: EAP session adding &reply:State = 0x64b8ac1d63c7b541 (7) [eap] = handled (7) } # Auth-Type EAP = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 169 from 10.219.195.1:1812 to 10.219.195.225:38276 length 98 (7) EAP-Message = 0x017f00281900170303001d3fbfcc47e7ff15344cfac04ed63722fa13bff21b90d93b042ce8c29282 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x64b8ac1d63c7b541aa9dae41afb34712 (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 170 from 10.219.195.225:38276 to 10.219.195.1:1812 length 257 (8) User-Name = "anonymous" (8) NAS-Identifier = "ap01-hbap" (8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 1 (8) Calling-Station-Id = "42-33-75-43-BE-2D" (8) Connect-Info = "CONNECT 54Mbps 802.11a" (8) Acct-Session-Id = "BF0C189E956F9999" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x027f0031190017030300260000000000000001c658b8d37ccad3ed1c1cb348b9a92784ffb1c57cf6dfcd328673aaf30788 (8) State = 0x64b8ac1d63c7b541aa9dae41afb34712 (8) Message-Authenticator = 0x4db29f5f022a1b50adf137196caea97c (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (8) authorize { (8) eap: Peer sent EAP Response (code 2) ID 127 length 49 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) if (!control:Auth-Type) { (8) if (!control:Auth-Type) -> FALSE (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (8) Auth-Type EAP { (8) eap: Removing EAP session with state 0x64b8ac1d63c7b541 (8) eap: Previous EAP request found for state 0x64b8ac1d63c7b541, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - heiko.baumann (8) eap_peap: Got inner identity 'heiko.baumann' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x027f0012016865696b6f2e6261756d616e6e (8) eap_peap: Setting User-Name to heiko.baumann (8) eap_peap: Sending tunneled request to otpme (8) eap_peap: EAP-Message = 0x027f0012016865696b6f2e6261756d616e6e (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "heiko.baumann" (8) eap_peap: NAS-Identifier = "ap01-hbap" (8) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: NAS-Port = 1 (8) eap_peap: Calling-Station-Id = "42-33-75-43-BE-2D" (8) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a" (8) eap_peap: Acct-Session-Id = "BF0C189E956F9999" (8) eap_peap: WLAN-Pairwise-Cipher = 1027076 (8) eap_peap: WLAN-Group-Cipher = 1027076 (8) eap_peap: WLAN-AKM-Suite = 1027073 (8) eap_peap: Framed-MTU = 1400 (8) Virtual server otpme received request (8) EAP-Message = 0x027f0012016865696b6f2e6261756d616e6e (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "heiko.baumann" (8) NAS-Identifier = "ap01-hbap" (8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 1 (8) Calling-Station-Id = "42-33-75-43-BE-2D" (8) Connect-Info = "CONNECT 54Mbps 802.11a" (8) Acct-Session-Id = "BF0C189E956F9999" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) server otpme { (8) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (8) authorize { (8) eap: Peer sent EAP Response (code 2) ID 127 length 18 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) if (!control:Auth-Type) { (8) if (!control:Auth-Type) -> FALSE (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (8) Auth-Type EAP { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Issuing Challenge (8) eap: Sending EAP Request (code 1) ID 128 length 42 (8) eap: EAP session adding &reply:State = 0xfae70ce5fa67161a (8) [eap] = handled (8) } # Auth-Type EAP = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) } # server otpme (8) Virtual server sending reply (8) EAP-Message = 0x0180002a1a0180002510920798cb42b9ebd036cf4ec5f867de88667265657261646975732d332e322e36 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xfae70ce5fa67161a0a330e080f4ac17b (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: EAP-Message = 0x0180002a1a0180002510920798cb42b9ebd036cf4ec5f867de88667265657261646975732d332e322e36 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0xfae70ce5fa67161a0a330e080f4ac17b (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: EAP-Message = 0x0180002a1a0180002510920798cb42b9ebd036cf4ec5f867de88667265657261646975732d332e322e36 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0xfae70ce5fa67161a0a330e080f4ac17b (8) eap_peap: Got tunneled Access-Challenge (8) eap: Sending EAP Request (code 1) ID 128 length 73 (8) eap: EAP session adding &reply:State = 0x64b8ac1d6c38b541 (8) [eap] = handled (8) } # Auth-Type EAP = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 170 from 10.219.195.1:1812 to 10.219.195.225:38276 length 131 (8) EAP-Message = 0x018000491900170303003e3fbfcc47e7ff15357d447a7f7984baab3d24cc5e608d3e9b1f1732d6a0ca80dc81cb5017596f1ecb3eb7dab2ad8c55187f67c2271843c3645767e378659b (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x64b8ac1d6c38b541aa9dae41afb34712 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 171 from 10.219.195.225:38276 to 10.219.195.1:1812 length 311 (9) User-Name = "anonymous" (9) NAS-Identifier = "ap01-hbap" (9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) NAS-Port = 1 (9) Calling-Station-Id = "42-33-75-43-BE-2D" (9) Connect-Info = "CONNECT 54Mbps 802.11a" (9) Acct-Session-Id = "BF0C189E956F9999" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Framed-MTU = 1400 (9) EAP-Message = 0x028000671900170303005c00000000000000020b045bbce75f04f16e2985586e3d8ddbb45c4e798479b6033a504fc6a1cb4e043e8039b454a3da869b72d32d72c5c2654d8c11604829788b46e22513ff41d8a0e6b4d9fcd835b3c3cdfe90e8d4b22b911d2c7298 (9) State = 0x64b8ac1d6c38b541aa9dae41afb34712 (9) Message-Authenticator = 0x3118fa5cac060f01aad3516f4dfc5902 (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (9) authorize { (9) eap: Peer sent EAP Response (code 2) ID 128 length 103 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) if (!control:Auth-Type) { (9) if (!control:Auth-Type) -> FALSE (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (9) Auth-Type EAP { (9) eap: Removing EAP session with state 0x64b8ac1d6c38b541 (9) eap: Previous EAP request found for state 0x64b8ac1d6c38b541, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x028000481a028000433172039eb9ff06e5540b22dd821eaa1c9d0000000000000000f106b113ed0eb2328181e98bcff722c56cee58e54f33ca1c006865696b6f2e6261756d616e6e (9) eap_peap: Setting User-Name to heiko.baumann (9) eap_peap: Sending tunneled request to otpme (9) eap_peap: EAP-Message = 0x028000481a028000433172039eb9ff06e5540b22dd821eaa1c9d0000000000000000f106b113ed0eb2328181e98bcff722c56cee58e54f33ca1c006865696b6f2e6261756d616e6e (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "heiko.baumann" (9) eap_peap: State = 0xfae70ce5fa67161a0a330e080f4ac17b (9) eap_peap: NAS-Identifier = "ap01-hbap" (9) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: NAS-Port = 1 (9) eap_peap: Calling-Station-Id = "42-33-75-43-BE-2D" (9) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a" (9) eap_peap: Acct-Session-Id = "BF0C189E956F9999" (9) eap_peap: WLAN-Pairwise-Cipher = 1027076 (9) eap_peap: WLAN-Group-Cipher = 1027076 (9) eap_peap: WLAN-AKM-Suite = 1027073 (9) eap_peap: Framed-MTU = 1400 (9) Virtual server otpme received request (9) EAP-Message = 0x028000481a028000433172039eb9ff06e5540b22dd821eaa1c9d0000000000000000f106b113ed0eb2328181e98bcff722c56cee58e54f33ca1c006865696b6f2e6261756d616e6e (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "heiko.baumann" (9) State = 0xfae70ce5fa67161a0a330e080f4ac17b (9) NAS-Identifier = "ap01-hbap" (9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) NAS-Port = 1 (9) Calling-Station-Id = "42-33-75-43-BE-2D" (9) Connect-Info = "CONNECT 54Mbps 802.11a" (9) Acct-Session-Id = "BF0C189E956F9999" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Framed-MTU = 1400 (9) server otpme { (9) session-state: No cached attributes (9) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (9) authorize { (9) eap: Peer sent EAP Response (code 2) ID 128 length 72 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) if (!control:Auth-Type) { (9) if (!control:Auth-Type) -> FALSE (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (9) Auth-Type EAP { (9) eap: Removing EAP session with state 0xfae70ce5fa67161a (9) eap: Previous EAP request found for state 0xfae70ce5fa67161a, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /var/run/otpme/freeradius/radiusd.conf (9) eap_mschapv2: Auth-Type MS-CHAP { otpme.py: adding MS-CHAP2-Success: '3S=44f6bccdca0cf8377cbd06122065d7f895050076' otpme.py: adding MS-MPPE-Send-Key: '99420b0d55925232c6c62e7e8b913301' otpme.py: adding MS-MPPE-Recv-Key: '1114b25f146360e67f9bad689e3e9c88' otpme.py: adding MS-MPPE-Encryption-Policy: '0x00000001' otpme.py: adding MS-MPPE-Encryption-Types: '0x00000006' otpme.py: adding Auth-Type: 'MS-CHAP' authenticate - 'reply:Reply-Message' = 'Authentication successful' authenticate - 'reply:MS-CHAP2-Success' = '0x33533d34346636626363646361306366383337376362643036313232303635643766383935303530303736' authenticate - 'reply:MS-MPPE-Encryption-Policy' = '0x00000001' authenticate - 'reply:MS-MPPE-Encryption-Types' = '0x00000006' authenticate - 'reply:MS-MPPE-Send-Key' = '0x99420b0d55925232c6c62e7e8b913301' authenticate - 'reply:MS-MPPE-Recv-Key' = '0x1114b25f146360e67f9bad689e3e9c88' authenticate - 'config:Auth-Type' = 'MS-CHAP' (9) eap_mschapv2: [python_otpme] = ok (9) eap_mschapv2: } # Auth-Type MS-CHAP = ok (9) eap_mschapv2: MSCHAP Success (9) eap: Sending EAP Request (code 1) ID 129 length 51 (9) eap: EAP session adding &reply:State = 0xfae70ce5fb66161a (9) [eap] = handled (9) } # Auth-Type EAP = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) } # server otpme (9) Virtual server sending reply (9) Reply-Message = "Authentication successful" (9) EAP-Message = 0x018100331a0380002e533d34346636626363646361306366383337376362643036313232303635643766383935303530303736 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xfae70ce5fb66161a0a330e080f4ac17b (9) eap_peap: Got tunneled reply code 11 (9) eap_peap: Reply-Message = "Authentication successful" (9) eap_peap: EAP-Message = 0x018100331a0380002e533d34346636626363646361306366383337376362643036313232303635643766383935303530303736 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0xfae70ce5fb66161a0a330e080f4ac17b (9) eap_peap: Got tunneled reply RADIUS code 11 (9) eap_peap: Reply-Message = "Authentication successful" (9) eap_peap: EAP-Message = 0x018100331a0380002e533d34346636626363646361306366383337376362643036313232303635643766383935303530303736 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0xfae70ce5fb66161a0a330e080f4ac17b (9) eap_peap: Got tunneled Access-Challenge (9) eap: Sending EAP Request (code 1) ID 129 length 82 (9) eap: EAP session adding &reply:State = 0x64b8ac1d6d39b541 (9) [eap] = handled (9) } # Auth-Type EAP = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) session-state: Saving cached attributes (9) Framed-MTU = 994 (9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (9) TLS-Session-Version = "TLS 1.2" (9) Sent Access-Challenge Id 171 from 10.219.195.1:1812 to 10.219.195.225:38276 length 140 (9) EAP-Message = 0x01810052190017030300473fbfcc47e7ff153625de7e663dc1113d94046a6050434ba068b90ab3a11c1d9f82ea1de4187ef8e19cf8f9fbc5dbf084c02faa214014b226b04d2f410be0964a728ea31d7d7d6d (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x64b8ac1d6d39b541aa9dae41afb34712 (9) Finished request Waking up in 3.4 seconds. (10) Received Access-Request Id 172 from 10.219.195.225:38276 to 10.219.195.1:1812 length 245 (10) User-Name = "anonymous" (10) NAS-Identifier = "ap01-hbap" (10) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) NAS-Port = 1 (10) Calling-Station-Id = "42-33-75-43-BE-2D" (10) Connect-Info = "CONNECT 54Mbps 802.11a" (10) Acct-Session-Id = "BF0C189E956F9999" (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027073 (10) Framed-MTU = 1400 (10) EAP-Message = 0x028100251900170303001a00000000000000031685834550dd6a5554a79de46d67b072c3cb (10) State = 0x64b8ac1d6d39b541aa9dae41afb34712 (10) Message-Authenticator = 0xce20e30f4de7c6a5a7563cd6ac38935f (10) Restoring &session-state (10) &session-state:Framed-MTU = 994 (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (10) &session-state:TLS-Session-Version = "TLS 1.2" (10) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (10) authorize { (10) eap: Peer sent EAP Response (code 2) ID 129 length 37 (10) eap: Continuing tunnel setup (10) [eap] = ok (10) if (!control:Auth-Type) { (10) if (!control:Auth-Type) -> FALSE (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (10) Auth-Type EAP { (10) eap: Removing EAP session with state 0x64b8ac1d6d39b541 (10) eap: Previous EAP request found for state 0x64b8ac1d6d39b541, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state phase2 (10) eap_peap: EAP method MSCHAPv2 (26) (10) eap_peap: Got tunneled request (10) eap_peap: EAP-Message = 0x028100061a03 (10) eap_peap: Setting User-Name to heiko.baumann (10) eap_peap: Sending tunneled request to otpme (10) eap_peap: EAP-Message = 0x028100061a03 (10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (10) eap_peap: User-Name = "heiko.baumann" (10) eap_peap: State = 0xfae70ce5fb66161a0a330e080f4ac17b (10) eap_peap: NAS-Identifier = "ap01-hbap" (10) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (10) eap_peap: NAS-Port-Type = Wireless-802.11 (10) eap_peap: Service-Type = Framed-User (10) eap_peap: NAS-Port = 1 (10) eap_peap: Calling-Station-Id = "42-33-75-43-BE-2D" (10) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a" (10) eap_peap: Acct-Session-Id = "BF0C189E956F9999" (10) eap_peap: WLAN-Pairwise-Cipher = 1027076 (10) eap_peap: WLAN-Group-Cipher = 1027076 (10) eap_peap: WLAN-AKM-Suite = 1027073 (10) eap_peap: Framed-MTU = 1400 (10) Virtual server otpme received request (10) EAP-Message = 0x028100061a03 (10) FreeRADIUS-Proxied-To = 127.0.0.1 (10) User-Name = "heiko.baumann" (10) State = 0xfae70ce5fb66161a0a330e080f4ac17b (10) NAS-Identifier = "ap01-hbap" (10) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) NAS-Port = 1 (10) Calling-Station-Id = "42-33-75-43-BE-2D" (10) Connect-Info = "CONNECT 54Mbps 802.11a" (10) Acct-Session-Id = "BF0C189E956F9999" (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027073 (10) Framed-MTU = 1400 (10) server otpme { (10) session-state: No cached attributes (10) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (10) authorize { (10) eap: Peer sent EAP Response (code 2) ID 129 length 6 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) if (!control:Auth-Type) { (10) if (!control:Auth-Type) -> FALSE (10) } # authorize = updated (10) Found Auth-Type = EAP (10) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (10) Auth-Type EAP { (10) eap: Removing EAP session with state 0xfae70ce5fb66161a (10) eap: Previous EAP request found for state 0xfae70ce5fb66161a, released from the list (10) eap: Peer sent packet with method EAP MSCHAPv2 (26) (10) eap: Calling submodule eap_mschapv2 to process data (10) eap: Sending EAP Success (code 3) ID 129 length 4 (10) eap: Freeing handler (10) [eap] = ok (10) } # Auth-Type EAP = ok (10) } # server otpme (10) Virtual server sending reply (10) MS-MPPE-Encryption-Policy = Encryption-Allowed (10) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) MS-MPPE-Send-Key = 0x99420b0d55925232c6c62e7e8b913301 (10) MS-MPPE-Recv-Key = 0x1114b25f146360e67f9bad689e3e9c88 (10) EAP-Message = 0x03810004 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) User-Name = "heiko.baumann" (10) eap_peap: Got tunneled reply code 2 (10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) eap_peap: MS-MPPE-Send-Key = 0x99420b0d55925232c6c62e7e8b913301 (10) eap_peap: MS-MPPE-Recv-Key = 0x1114b25f146360e67f9bad689e3e9c88 (10) eap_peap: EAP-Message = 0x03810004 (10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (10) eap_peap: User-Name = "heiko.baumann" (10) eap_peap: Got tunneled reply RADIUS code 2 (10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed (10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (10) eap_peap: MS-MPPE-Send-Key = 0x99420b0d55925232c6c62e7e8b913301 (10) eap_peap: MS-MPPE-Recv-Key = 0x1114b25f146360e67f9bad689e3e9c88 (10) eap_peap: EAP-Message = 0x03810004 (10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (10) eap_peap: User-Name = "heiko.baumann" (10) eap_peap: Tunneled authentication was successful (10) eap_peap: SUCCESS (10) eap_peap: Saving tunneled attributes for later (10) eap: Sending EAP Request (code 1) ID 130 length 46 (10) eap: EAP session adding &reply:State = 0x64b8ac1d6e3ab541 (10) [eap] = handled (10) } # Auth-Type EAP = handled (10) Using Post-Auth-Type Challenge (10) Post-Auth-Type sub-section not found. Ignoring. (10) session-state: Saving cached attributes (10) Framed-MTU = 994 (10) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (10) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (10) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (10) TLS-Session-Version = "TLS 1.2" (10) Sent Access-Challenge Id 172 from 10.219.195.1:1812 to 10.219.195.225:38276 length 104 (10) EAP-Message = 0x0182002e190017030300233fbfcc47e7ff153753fdd6108d64e215a21d55da7ef02d5dee925bc76d6a4e6392574b (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x64b8ac1d6e3ab541aa9dae41afb34712 (10) Finished request Waking up in 3.4 seconds. (11) Received Access-Request Id 173 from 10.219.195.225:38276 to 10.219.195.1:1812 length 254 (11) User-Name = "anonymous" (11) NAS-Identifier = "ap01-hbap" (11) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) NAS-Port = 1 (11) Calling-Station-Id = "42-33-75-43-BE-2D" (11) Connect-Info = "CONNECT 54Mbps 802.11a" (11) Acct-Session-Id = "BF0C189E956F9999" (11) WLAN-Pairwise-Cipher = 1027076 (11) WLAN-Group-Cipher = 1027076 (11) WLAN-AKM-Suite = 1027073 (11) Framed-MTU = 1400 (11) EAP-Message = 0x0282002e190017030300230000000000000004f4cfa29e4ec86e3245b7e5cbd0fb74dea5e8ff12c7bc2100be801a (11) State = 0x64b8ac1d6e3ab541aa9dae41afb34712 (11) Message-Authenticator = 0x8353375023b7e469efb93d9e282cd1a3 (11) Restoring &session-state (11) &session-state:Framed-MTU = 994 (11) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (11) &session-state:TLS-Session-Version = "TLS 1.2" (11) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (11) authorize { (11) eap: Peer sent EAP Response (code 2) ID 130 length 46 (11) eap: Continuing tunnel setup (11) [eap] = ok (11) if (!control:Auth-Type) { (11) if (!control:Auth-Type) -> FALSE (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (11) Auth-Type EAP { (11) eap: Removing EAP session with state 0x64b8ac1d6e3ab541 (11) eap: Previous EAP request found for state 0x64b8ac1d6e3ab541, released from the list (11) eap: Peer sent packet with method EAP PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: (TLS) EAP Done initial handshake (11) eap_peap: Session established. Decoding tunneled attributes (11) eap_peap: PEAP state send tlv success (11) eap_peap: Received EAP-TLV response (11) eap_peap: Success (11) eap_peap: Using saved attributes from the original Access-Accept (11) eap_peap: User-Name = "heiko.baumann" (11) eap: Sending EAP Success (code 3) ID 130 length 4 (11) eap: Freeing handler (11) [eap] = ok (11) } # Auth-Type EAP = ok (11) Sent Access-Accept Id 173 from 10.219.195.1:1812 to 10.219.195.225:38276 length 175 (11) User-Name = "heiko.baumann" (11) MS-MPPE-Recv-Key = 0x7fd1806ac0bae3a4dce0733ee3ba2285ec93eb01ffaa19010f48e0bdabebb623 (11) MS-MPPE-Send-Key = 0x833cfac00c66d42a0bcbc62e008e5591890e585ae00c8d3b56707e5b49a140f5 (11) EAP-Message = 0x03820004 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) Finished request Waking up in 3.4 seconds. Debug output of a failed request with an iPhone: FreeRADIUS Version 3.2.6 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including configuration file /var/run/otpme/freeradius/radiusd.conf including configuration file /var/run/otpme/freeradius/clients.conf main { security { user = "otpme" group = "otpme" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/otpme" run_dir = "/var/run/otpme" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/otpme" run_dir = "/var/run/otpme" libdir = "/usr/lib" radacctdir = "/var/log/otpme/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 16384 max_fds = 512 postauth_client_lost = no pidfile = "/var/run/otpme/pidfiles/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes require_message_authenticator = "auto" limit_proxy_state = "auto" } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### Debugger not attached # Creating Auth-Type = python_otpme # Creating Auth-Type = EAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_mschap # Loading module "mschap" from file /var/run/otpme/freeradius/radiusd.conf mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_eap # Loading module "eap" from file /var/run/otpme/freeradius/radiusd.conf eap { default_eap_type = "mschapv2" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 dedup_key = "" } # Loading module "mschap_otp" from file /var/run/otpme/freeradius/radiusd.conf mschap mschap_otp { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/local/bin/otpme-auth verify_mschap --socket '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap_otp:Challenge}:-00}' '%{%{mschap_otp:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'" passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_python3 # Loading module "python_otpme" from file /var/run/otpme/freeradius/radiusd.conf python3 python_otpme { mod_instantiate = "otpme.lib.freeradius.otpme" func_instantiate = "instantiate" mod_authorize = "otpme.lib.freeradius.otpme" func_authorize = "authorize" mod_authenticate = "otpme.lib.freeradius.otpme" func_authenticate = "authenticate" python_path = "/var/run/otpme/freeradius/mods-config/python3:/opt/otpme/lib/python3.11/site-packages" cext_compat = yes pass_all_vps = no pass_all_vps_dict = no } # Instantiating module "mschap" from file /var/run/otpme/freeradius/radiusd.conf rlm_mschap (mschap): using internal authentication # Instantiating module "eap" from file /var/run/otpme/freeradius/radiusd.conf # Linked to sub-module rlm_eap_md5 rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 pem_file_type = yes private_key_file = "/var/run/otpme/freeradius/key.pem" certificate_file = "/var/run/otpme/freeradius/cert.pem" ca_file = "/var/run/otpme/freeradius/ca.pem" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } tls: Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1' tls: Please use 'tls_min_version' and 'tls_max_version' instead of 'disable_tlsv1_1' # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "otpme" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "otpme" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "mschap_otp" from file /var/run/otpme/freeradius/radiusd.conf rlm_mschap (mschap_otp): authenticating by calling 'ntlm_auth' # Instantiating module "python_otpme" from file /var/run/otpme/freeradius/radiusd.conf Python version: 3.11.13 (main, Jul 3 2025, 11:31:00) [GCC 12.2.1 20230428] otpme.py: OTPme config verfied successful. otpme.py: Instantiated OTPme module. } # modules radiusd: #### Loading Virtual Servers #### server { # from file /var/run/otpme/freeradius/radiusd.conf } # server server otpme { # from file /var/run/otpme/freeradius/radiusd.conf # Loading authenticate {...} Compiling Auth-Type EAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} } # server otpme radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 client 10.219.195.225 { ipv4addr = 10.219.195.225 secret = <<< secret >>> shortname = "ap01-hbap-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.219.195.223 { ipv4addr = 10.219.195.223 secret = <<< secret >>> shortname = "cloudix-nextcloud-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 127.0.0.1 { ipv4addr = 127.0.0.1 secret = <<< secret >>> shortname = "localhost-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.219.195.100 { ipv4addr = 10.219.195.100 secret = <<< secret >>> shortname = "sharewatcher-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client 10.219.195.254 { ipv4addr = 10.219.195.254 secret = <<< secret >>> shortname = "smtp-1" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } } Listening on auth address * port 1812 bound to server otpme Ready to process requests (0) Received Access-Request Id 204 from 10.219.195.225:38276 to 10.219.195.1:1812 length 194 (0) User-Name = "test" (0) NAS-Identifier = "ap01-hbap" (0) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) NAS-Port = 3 (0) Calling-Station-Id = "A6-5F-75-98-A5-06" (0) Connect-Info = "CONNECT 54Mbps 802.11a" (0) Acct-Session-Id = "EEFF590BE3BB6A1C" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x022200090174657374 (0) Message-Authenticator = 0x7dfcffdfd9fbf339765f6ac0c092a78d (0) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (0) authorize { (0) eap: Peer sent EAP Response (code 2) ID 34 length 9 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) if (!control:Auth-Type) { (0) if (!control:Auth-Type) -> FALSE (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (0) Auth-Type EAP { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_mschapv2 to process data (0) eap_mschapv2: Issuing Challenge (0) eap: Sending EAP Request (code 1) ID 35 length 42 (0) eap: EAP session adding &reply:State = 0xac2b487aac085271 (0) [eap] = handled (0) } # Auth-Type EAP = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) Sent Access-Challenge Id 204 from 10.219.195.1:1812 to 10.219.195.225:38276 length 100 (0) EAP-Message = 0x0123002a1a0123002510807cf25a7f0593f308104a2a7f1bbe28667265657261646975732d332e322e36 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xac2b487aac0852714e974a6b4baa7cab (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 205 from 10.219.195.225:38276 to 10.219.195.1:1812 length 211 (1) User-Name = "test" (1) NAS-Identifier = "ap01-hbap" (1) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 3 (1) Calling-Station-Id = "A6-5F-75-98-A5-06" (1) Connect-Info = "CONNECT 54Mbps 802.11a" (1) Acct-Session-Id = "EEFF590BE3BB6A1C" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x022300080319152b (1) State = 0xac2b487aac0852714e974a6b4baa7cab (1) Message-Authenticator = 0x87e934652733a17be1765b4b6f4f24c4 (1) session-state: No cached attributes (1) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (1) authorize { (1) eap: Peer sent EAP Response (code 2) ID 35 length 8 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) if (!control:Auth-Type) { (1) if (!control:Auth-Type) -> FALSE (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (1) Auth-Type EAP { (1) eap: Removing EAP session with state 0xac2b487aac085271 (1) eap: Previous EAP request found for state 0xac2b487aac085271, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) PEAP -Initiating new session (1) eap: Sending EAP Request (code 1) ID 36 length 6 (1) eap: EAP session adding &reply:State = 0xac2b487aad0f5171 (1) [eap] = handled (1) } # Auth-Type EAP = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 205 from 10.219.195.1:1812 to 10.219.195.225:38276 length 64 (1) EAP-Message = 0x012400061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xac2b487aad0f51714e974a6b4baa7cab (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 206 from 10.219.195.225:38276 to 10.219.195.1:1812 length 364 (2) User-Name = "test" (2) NAS-Identifier = "ap01-hbap" (2) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) NAS-Port = 3 (2) Calling-Station-Id = "A6-5F-75-98-A5-06" (2) Connect-Info = "CONNECT 54Mbps 802.11a" (2) Acct-Session-Id = "EEFF590BE3BB6A1C" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Framed-MTU = 1400 (2) EAP-Message = 0x022400a119800000009716030100920100008e0303696381086bafdecf86b47ad4c93e56a3b253ab52e8d2d1935c21005877f5eeb700002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000 (2) State = 0xac2b487aad0f51714e974a6b4baa7cab (2) Message-Authenticator = 0x8d8adccff2d8071b49b73e04caacb294 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (2) authorize { (2) eap: Peer sent EAP Response (code 2) ID 36 length 161 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) if (!control:Auth-Type) { (2) if (!control:Auth-Type) -> FALSE (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (2) Auth-Type EAP { (2) eap: Removing EAP session with state 0xac2b487aad0f5171 (2) eap: Previous EAP request found for state 0xac2b487aad0f5171, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes (2) eap_peap: (TLS) EAP Got all data (151 bytes) (2) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization (2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization (2) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange (2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone (2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (2) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done (2) eap_peap: (TLS) PEAP - In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 37 length 1004 (2) eap: EAP session adding &reply:State = 0xac2b487aae0e5171 (2) [eap] = handled (2) } # Auth-Type EAP = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 206 from 10.219.195.1:1812 to 10.219.195.225:38276 length 1068 (2) EAP-Message = 0x012503ec19c000000bd7160303003d0200003903037d9615ce8191f6cead070312ee58c68647bb340519841c210fc1a6f586ebbff400c030000011ff01000100000b000403000102001700001603030a350b000a31000a2e000499308204953082027da003020102020705fea02d221361300d06092a864886f70d01010b05003076312a302806035504030c212f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f534954455f4341310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f5353310b3009060355040b0c024954301e170d3233303632313039313330395a170d3338303631373039313330395a3069311d301b06035504030c146b6f626c656e7a2e68626f73732e696e7465726e310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f535331 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xac2b487aae0e51714e974a6b4baa7cab (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 207 from 10.219.195.225:38276 to 10.219.195.1:1812 length 209 (3) User-Name = "test" (3) NAS-Identifier = "ap01-hbap" (3) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) NAS-Port = 3 (3) Calling-Station-Id = "A6-5F-75-98-A5-06" (3) Connect-Info = "CONNECT 54Mbps 802.11a" (3) Acct-Session-Id = "EEFF590BE3BB6A1C" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x022500061900 (3) State = 0xac2b487aae0e51714e974a6b4baa7cab (3) Message-Authenticator = 0xbfa1456c3a23563d3ae031e3ab7b871c (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (3) authorize { (3) eap: Peer sent EAP Response (code 2) ID 37 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) if (!control:Auth-Type) { (3) if (!control:Auth-Type) -> FALSE (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (3) Auth-Type EAP { (3) eap: Removing EAP session with state 0xac2b487aae0e5171 (3) eap: Previous EAP request found for state 0xac2b487aae0e5171, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 38 length 1000 (3) eap: EAP session adding &reply:State = 0xac2b487aaf0d5171 (3) [eap] = handled (3) } # Auth-Type EAP = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 207 from 10.219.195.1:1812 to 10.219.195.225:38276 length 1064 (3) EAP-Message = 0x012603e819406729c41ca39fed55f40b0703e590f4ef3fe75165ed505d0e8e33187c7f82a4fa97311282257e3dca08d5818a76cee90d8aea88403b1d62eda2f8ed0e7cc7d72ce4f25e3497d7cbb88d5fb3e76fd5eb2cb7c29126896e5cf175ca9a6b177812f14e4ad1acc69c7a07a33ad3e880179c3971584f08442b7bfe40153886a8e68f88b2ebd088522f0214474a905d560fa04a8f20a966b67e072e644b106f92e95d3fc468afe1b60ff5b30eabfd9eb217f1847f6a24ab5f922365ecc2bb16be43951cbf4cf33735cd9fc4a0337c1632c68690fb8748b78e6f1fe6534e092fc9b9f25123a0a3ed26215dc6b0b765bbe2272058c9bf0935cb8ac47c5b1f7bd20e474f71a760f1db1b8a45da00058f3082058b30820373a003020102020705fea02cf10b27300d06092a864886f70d01010b05003077312b302906035504030c222f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f5245414c4d5f4341310b3009060355040613024445310c300a06 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xac2b487aaf0d51714e974a6b4baa7cab (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 208 from 10.219.195.225:38276 to 10.219.195.1:1812 length 209 (4) User-Name = "test" (4) NAS-Identifier = "ap01-hbap" (4) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) NAS-Port = 3 (4) Calling-Station-Id = "A6-5F-75-98-A5-06" (4) Connect-Info = "CONNECT 54Mbps 802.11a" (4) Acct-Session-Id = "EEFF590BE3BB6A1C" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Framed-MTU = 1400 (4) EAP-Message = 0x022600061900 (4) State = 0xac2b487aaf0d51714e974a6b4baa7cab (4) Message-Authenticator = 0x5cb8800c3a7ed09d207a2ef341573028 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (4) authorize { (4) eap: Peer sent EAP Response (code 2) ID 38 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) if (!control:Auth-Type) { (4) if (!control:Auth-Type) -> FALSE (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (4) Auth-Type EAP { (4) eap: Removing EAP session with state 0xac2b487aaf0d5171 (4) eap: Previous EAP request found for state 0xac2b487aaf0d5171, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 39 length 1000 (4) eap: EAP session adding &reply:State = 0xac2b487aa80c5171 (4) [eap] = handled (4) } # Auth-Type EAP = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 208 from 10.219.195.1:1812 to 10.219.195.225:38276 length 1064 (4) EAP-Message = 0x012703e81940603ef2f2884b299ace212671ea16a0df8d30640875c03aaef2ac1e4cd0b45487fcb99234083e915ecded1171c41b3eb10b7c736e781a97f17e3aa3b85d0f5b5f35d09ce1570d621b9dc5be4b4f9ecae899a6d0949b7eed4ebcbf64a48aa40d41d3c07d33da2e8d816dd2eba719a8b75d53dfa7ecb5a35b7cec093710efea7ff30203010001a31d301b300c0603551d13040530030101ff300b0603551d0f040403020106300d06092a864886f70d01010b0500038202010048ed80b6b8d9f45c988d3a8c439f33112acf5a1a90a3e79a8622a919c7fa078d6bcfcb743a26ddd8bc1bc56f9071c89b8a986b33eeb0c6defe6f99834b9a90da8089c002815951b451f4b9d4ed8225888e5b77b04f9131487a830c71082209525143b143d9335eb02b382660f462e5b6d5e4dd2991b894148e23f6ce2be12f76406890fe48dba3e0c97b33089c20f7466a37daa34eb110f7d9cf47553fae6f7453ad44e48fa154f1db59066d3250216bde12320eed158d5197 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xac2b487aa80c51714e974a6b4baa7cab (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 209 from 10.219.195.225:38276 to 10.219.195.1:1812 length 209 (5) User-Name = "test" (5) NAS-Identifier = "ap01-hbap" (5) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 3 (5) Calling-Station-Id = "A6-5F-75-98-A5-06" (5) Connect-Info = "CONNECT 54Mbps 802.11a" (5) Acct-Session-Id = "EEFF590BE3BB6A1C" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Framed-MTU = 1400 (5) EAP-Message = 0x022700061900 (5) State = 0xac2b487aa80c51714e974a6b4baa7cab (5) Message-Authenticator = 0x4904b50139129c9ee3d149be137fb45e (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (5) authorize { (5) eap: Peer sent EAP Response (code 2) ID 39 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) if (!control:Auth-Type) { (5) if (!control:Auth-Type) -> FALSE (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (5) Auth-Type EAP { (5) eap: Removing EAP session with state 0xac2b487aa80c5171 (5) eap: Previous EAP request found for state 0xac2b487aa80c5171, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 40 length 55 (5) eap: EAP session adding &reply:State = 0xac2b487aa9035171 (5) [eap] = handled (5) } # Auth-Type EAP = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 209 from 10.219.195.1:1812 to 10.219.195.225:38276 length 113 (5) EAP-Message = 0x012800371900b048c07ac17f86f9c727014f0cc6a508653ff99a95e6e84a4829d48058b9132be05c9c1b68de733316030300040e000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xac2b487aa90351714e974a6b4baa7cab (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 210 from 10.219.195.225:38276 to 10.219.195.1:1812 length 339 (6) User-Name = "test" (6) NAS-Identifier = "ap01-hbap" (6) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 3 (6) Calling-Station-Id = "A6-5F-75-98-A5-06" (6) Connect-Info = "CONNECT 54Mbps 802.11a" (6) Acct-Session-Id = "EEFF590BE3BB6A1C" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Framed-MTU = 1400 (6) EAP-Message = 0x0228008819800000007e16030300461000004241041914318456c90b3eed960cc0f427749a4a58dea1c45b04d88e0d4aa358aa753149db3707404dba0da11104816db305bfb16c221d10d02ca05f66f05e90868b1914030300010116030300284ae33342f449b98c815966dbee60f4bfb147c6898c284415f0f4f449d2ff033a5ec9027ddb4ce85f (6) State = 0xac2b487aa90351714e974a6b4baa7cab (6) Message-Authenticator = 0x4765ff00e4d57c7b8098fe86dc4fa440 (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (6) authorize { (6) eap: Peer sent EAP Response (code 2) ID 40 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) if (!control:Auth-Type) { (6) if (!control:Auth-Type) -> FALSE (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (6) Auth-Type EAP { (6) eap: Removing EAP session with state 0xac2b487aa9035171 (6) eap: Previous EAP request found for state 0xac2b487aa9035171, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_peap: (TLS) EAP Got all data (126 bytes) (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished (6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished (6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) PEAP - Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 41 length 57 (6) eap: EAP session adding &reply:State = 0xac2b487aaa025171 (6) [eap] = handled (6) } # Auth-Type EAP = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 210 from 10.219.195.1:1812 to 10.219.195.225:38276 length 115 (6) EAP-Message = 0x01290039190014030300010116030300282209ea55626d5fee2bc36d1a8a06ba29ee44eb2847cffb3da18d6d212b1f8b681bddb7d42c7dc10a (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xac2b487aaa0251714e974a6b4baa7cab (6) Finished request Waking up in 4.8 seconds. (7) Received Access-Request Id 211 from 10.219.195.225:38276 to 10.219.195.1:1812 length 209 (7) User-Name = "test" (7) NAS-Identifier = "ap01-hbap" (7) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 3 (7) Calling-Station-Id = "A6-5F-75-98-A5-06" (7) Connect-Info = "CONNECT 54Mbps 802.11a" (7) Acct-Session-Id = "EEFF590BE3BB6A1C" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Framed-MTU = 1400 (7) EAP-Message = 0x022900061900 (7) State = 0xac2b487aaa0251714e974a6b4baa7cab (7) Message-Authenticator = 0xb01820edd9de0eb9ebd79cea4c818884 (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (7) authorize { (7) eap: Peer sent EAP Response (code 2) ID 41 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) if (!control:Auth-Type) { (7) if (!control:Auth-Type) -> FALSE (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (7) Auth-Type EAP { (7) eap: Removing EAP session with state 0xac2b487aaa025171 (7) eap: Previous EAP request found for state 0xac2b487aaa025171, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 42 length 40 (7) eap: EAP session adding &reply:State = 0xac2b487aab015171 (7) [eap] = handled (7) } # Auth-Type EAP = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 211 from 10.219.195.1:1812 to 10.219.195.225:38276 length 98 (7) EAP-Message = 0x012a00281900170303001d2209ea55626d5fef324c805c6b28f660cb29d8bd4026022faedaf16c29 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xac2b487aab0151714e974a6b4baa7cab (7) Finished request Waking up in 4.8 seconds. (8) Received Access-Request Id 212 from 10.219.195.225:38276 to 10.219.195.1:1812 length 243 (8) User-Name = "test" (8) NAS-Identifier = "ap01-hbap" (8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 3 (8) Calling-Station-Id = "A6-5F-75-98-A5-06" (8) Connect-Info = "CONNECT 54Mbps 802.11a" (8) Acct-Session-Id = "EEFF590BE3BB6A1C" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) EAP-Message = 0x022a00281900170303001d4ae33342f449b98d13c961f594f00dcb253fa40f83e7aec02fab3fb55a (8) State = 0xac2b487aab0151714e974a6b4baa7cab (8) Message-Authenticator = 0xcea0cff4f6afbee50b7007acbe9993a1 (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (8) authorize { (8) eap: Peer sent EAP Response (code 2) ID 42 length 40 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) if (!control:Auth-Type) { (8) if (!control:Auth-Type) -> FALSE (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (8) Auth-Type EAP { (8) eap: Removing EAP session with state 0xac2b487aab015171 (8) eap: Previous EAP request found for state 0xac2b487aab015171, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - test (8) eap_peap: Got inner identity 'test' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x022a00090174657374 (8) eap_peap: Setting User-Name to test (8) eap_peap: Sending tunneled request to otpme (8) eap_peap: EAP-Message = 0x022a00090174657374 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "test" (8) eap_peap: NAS-Identifier = "ap01-hbap" (8) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (8) eap_peap: NAS-Port-Type = Wireless-802.11 (8) eap_peap: Service-Type = Framed-User (8) eap_peap: NAS-Port = 3 (8) eap_peap: Calling-Station-Id = "A6-5F-75-98-A5-06" (8) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a" (8) eap_peap: Acct-Session-Id = "EEFF590BE3BB6A1C" (8) eap_peap: WLAN-Pairwise-Cipher = 1027076 (8) eap_peap: WLAN-Group-Cipher = 1027076 (8) eap_peap: WLAN-AKM-Suite = 1027073 (8) eap_peap: Framed-MTU = 1400 (8) Virtual server otpme received request (8) EAP-Message = 0x022a00090174657374 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "test" (8) NAS-Identifier = "ap01-hbap" (8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 3 (8) Calling-Station-Id = "A6-5F-75-98-A5-06" (8) Connect-Info = "CONNECT 54Mbps 802.11a" (8) Acct-Session-Id = "EEFF590BE3BB6A1C" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Framed-MTU = 1400 (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server otpme { (8) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (8) authorize { (8) eap: Peer sent EAP Response (code 2) ID 42 length 9 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) if (!control:Auth-Type) { (8) if (!control:Auth-Type) -> FALSE (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (8) Auth-Type EAP { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Issuing Challenge (8) eap: Sending EAP Request (code 1) ID 43 length 42 (8) eap: EAP session adding &reply:State = 0x4d7ab8054d51a258 (8) [eap] = handled (8) } # Auth-Type EAP = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) } # server otpme (8) Virtual server sending reply (8) EAP-Message = 0x012b002a1a012b002510b158d692e01e55d324fba4bd46d9b3a1667265657261646975732d332e322e36 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x4d7ab8054d51a258be49ba37bb208c58 (8) eap_peap: Got tunneled reply code 11 (8) eap_peap: EAP-Message = 0x012b002a1a012b002510b158d692e01e55d324fba4bd46d9b3a1667265657261646975732d332e322e36 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x4d7ab8054d51a258be49ba37bb208c58 (8) eap_peap: Got tunneled reply RADIUS code 11 (8) eap_peap: EAP-Message = 0x012b002a1a012b002510b158d692e01e55d324fba4bd46d9b3a1667265657261646975732d332e322e36 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: State = 0x4d7ab8054d51a258be49ba37bb208c58 (8) eap_peap: Got tunneled Access-Challenge (8) eap: Sending EAP Request (code 1) ID 43 length 73 (8) eap: EAP session adding &reply:State = 0xac2b487aa4005171 (8) [eap] = handled (8) } # Auth-Type EAP = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 212 from 10.219.195.1:1812 to 10.219.195.225:38276 length 131 (8) EAP-Message = 0x012b00491900170303003e2209ea55626d5ff0baf80a2c42ec6788dd5d4663e3245c6aaaef10c2c1deb1d2ad96fab8a4438ea319ff3f70d6d27ae2c8a9d4aa8dc68429000232767ded (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xac2b487aa40051714e974a6b4baa7cab (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 213 from 10.219.195.225:38276 to 10.219.195.1:1812 length 297 (9) User-Name = "test" (9) NAS-Identifier = "ap01-hbap" (9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) NAS-Port = 3 (9) Calling-Station-Id = "A6-5F-75-98-A5-06" (9) Connect-Info = "CONNECT 54Mbps 802.11a" (9) Acct-Session-Id = "EEFF590BE3BB6A1C" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Framed-MTU = 1400 (9) EAP-Message = 0x022b005e190017030300534ae33342f449b98e94136a54fa9773216317d2ebacdd3c8cea4603265909a0054c9dbb0bc8083fe2bd3ff8548dde3574e03c15d2b5a9ba2568d6711d69a8859b8fe148f477919afc4ccdbd64664e50b2cf5a5f (9) State = 0xac2b487aa40051714e974a6b4baa7cab (9) Message-Authenticator = 0x70ed0ad4ec446ceb8871e3c49ec3026a (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (9) authorize { (9) eap: Peer sent EAP Response (code 2) ID 43 length 94 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) if (!control:Auth-Type) { (9) if (!control:Auth-Type) -> FALSE (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (9) Auth-Type EAP { (9) eap: Removing EAP session with state 0xac2b487aa4005171 (9) eap: Previous EAP request found for state 0xac2b487aa4005171, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state phase2 (9) eap_peap: EAP method MSCHAPv2 (26) (9) eap_peap: Got tunneled request (9) eap_peap: EAP-Message = 0x022b003f1a022b003a3106a05c6e463eb6c51b322211d9918db400000000000000002d5a72c8ea7f1462f326cb9167cd3ef55e1d254c2141aafa0074657374 (9) eap_peap: Setting User-Name to test (9) eap_peap: Sending tunneled request to otpme (9) eap_peap: EAP-Message = 0x022b003f1a022b003a3106a05c6e463eb6c51b322211d9918db400000000000000002d5a72c8ea7f1462f326cb9167cd3ef55e1d254c2141aafa0074657374 (9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (9) eap_peap: User-Name = "test" (9) eap_peap: State = 0x4d7ab8054d51a258be49ba37bb208c58 (9) eap_peap: NAS-Identifier = "ap01-hbap" (9) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (9) eap_peap: NAS-Port-Type = Wireless-802.11 (9) eap_peap: Service-Type = Framed-User (9) eap_peap: NAS-Port = 3 (9) eap_peap: Calling-Station-Id = "A6-5F-75-98-A5-06" (9) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a" (9) eap_peap: Acct-Session-Id = "EEFF590BE3BB6A1C" (9) eap_peap: WLAN-Pairwise-Cipher = 1027076 (9) eap_peap: WLAN-Group-Cipher = 1027076 (9) eap_peap: WLAN-AKM-Suite = 1027073 (9) eap_peap: Framed-MTU = 1400 (9) Virtual server otpme received request (9) EAP-Message = 0x022b003f1a022b003a3106a05c6e463eb6c51b322211d9918db400000000000000002d5a72c8ea7f1462f326cb9167cd3ef55e1d254c2141aafa0074657374 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "test" (9) State = 0x4d7ab8054d51a258be49ba37bb208c58 (9) NAS-Identifier = "ap01-hbap" (9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) NAS-Port = 3 (9) Calling-Station-Id = "A6-5F-75-98-A5-06" (9) Connect-Info = "CONNECT 54Mbps 802.11a" (9) Acct-Session-Id = "EEFF590BE3BB6A1C" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Framed-MTU = 1400 (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server otpme { (9) session-state: No cached attributes (9) # Executing section authorize from file /var/run/otpme/freeradius/radiusd.conf (9) authorize { (9) eap: Peer sent EAP Response (code 2) ID 43 length 63 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) if (!control:Auth-Type) { (9) if (!control:Auth-Type) -> FALSE (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf (9) Auth-Type EAP { (9) eap: Removing EAP session with state 0x4d7ab8054d51a258 (9) eap: Previous EAP request found for state 0x4d7ab8054d51a258, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /var/run/otpme/freeradius/radiusd.conf (9) eap_mschapv2: Auth-Type MS-CHAP { otpme.py: adding MS-CHAP2-Success: '3S=c3971529e7869293a9a388ede7e667182aeaa22c' otpme.py: adding MS-MPPE-Send-Key: 'c7726ce0b854c17314668bc50df88203' otpme.py: adding MS-MPPE-Recv-Key: '7019a1e6577898bd8acfecd45e55a41d' otpme.py: adding MS-MPPE-Encryption-Policy: '0x00000001' otpme.py: adding MS-MPPE-Encryption-Types: '0x00000006' otpme.py: adding Auth-Type: 'MS-CHAP' authenticate - 'reply:Reply-Message' = 'Authentication successful' authenticate - 'reply:MS-CHAP2-Success' = '0x33533d63333937313532396537383639323933613961333838656465376536363731383261656161323263' authenticate - 'reply:MS-MPPE-Encryption-Policy' = '0x00000001' authenticate - 'reply:MS-MPPE-Encryption-Types' = '0x00000006' authenticate - 'reply:MS-MPPE-Send-Key' = '0xc7726ce0b854c17314668bc50df88203' authenticate - 'reply:MS-MPPE-Recv-Key' = '0x7019a1e6577898bd8acfecd45e55a41d' authenticate - 'config:Auth-Type' = 'MS-CHAP' (9) eap_mschapv2: [python_otpme] = ok (9) eap_mschapv2: } # Auth-Type MS-CHAP = ok (9) eap_mschapv2: MSCHAP Success (9) eap: Sending EAP Request (code 1) ID 44 length 51 (9) eap: EAP session adding &reply:State = 0x4d7ab8054c56a258 (9) [eap] = handled (9) } # Auth-Type EAP = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) } # server otpme (9) Virtual server sending reply (9) Reply-Message = "Authentication successful" (9) EAP-Message = 0x012c00331a032b002e533d63333937313532396537383639323933613961333838656465376536363731383261656161323263 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x4d7ab8054c56a258be49ba37bb208c58 (9) eap_peap: Got tunneled reply code 11 (9) eap_peap: Reply-Message = "Authentication successful" (9) eap_peap: EAP-Message = 0x012c00331a032b002e533d63333937313532396537383639323933613961333838656465376536363731383261656161323263 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0x4d7ab8054c56a258be49ba37bb208c58 (9) eap_peap: Got tunneled reply RADIUS code 11 (9) eap_peap: Reply-Message = "Authentication successful" (9) eap_peap: EAP-Message = 0x012c00331a032b002e533d63333937313532396537383639323933613961333838656465376536363731383261656161323263 (9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap: State = 0x4d7ab8054c56a258be49ba37bb208c58 (9) eap_peap: Got tunneled Access-Challenge (9) eap: Sending EAP Request (code 1) ID 44 length 82 (9) eap: EAP session adding &reply:State = 0xac2b487aa5075171 (9) [eap] = handled (9) } # Auth-Type EAP = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) session-state: Saving cached attributes (9) Framed-MTU = 994 (9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone" (9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange" (9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec" (9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished" (9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) TLS-Session-Version = "TLS 1.2" (9) Sent Access-Challenge Id 213 from 10.219.195.1:1812 to 10.219.195.225:38276 length 140 (9) EAP-Message = 0x012c0052190017030300472209ea55626d5ff1c5bfe6da41424c37ee71bb77118b8f1f51e7bdb050466709030848e8afe46e99cd47ef4337957aa870e14a5a42c006d97a017640d76c88fd54daf3585dae47 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xac2b487aa50751714e974a6b4baa7cab (9) Finished request Waking up in 4.0 seconds.
On Jan 11, 2026, at 6:29 AM, The2nd <the2nd@otpme.org> wrote:
i hope this is the right list for this question.
It's the only list for FreeRADIUS. :)
I've written a python module to be used with freeradius
Why? The server can do just about anything. My suspicion is that you could just use the REST module to poke a back-end REST API, and the rest of it could be done in unlang. But OK....
and it works for wlan authentication (mschapv2) with windows, linux and android devices. But it fails with iphone/ios. With iOS is see the request in my python module and it authenticates against my server successfully but the iPhone always tells me "Unable to join the network <ssid>".
Does iOS work when you *don't* use your module? i.e. when you put a clear-text password into the configuration, and let FreeRADIUS do everything?
As it works with linux, windows and android i think its not completely wrong.
There's likely some odd corner case you're missing, or the iOS device isn't configured correctly. Debug it with the normal FreeRADIUS configuration. That way you can narrow down where the problem is.
... (9) Sent Access-Challenge Id 213 from 10.219.195.1:1812 to 10.219.195.225:38276 length 140 (9) EAP-Message = 0x012c0052190017030300472209ea55626d5ff1c5bfe6da41424c37ee71bb77118b8f1f51e7bdb050466709030848e8afe46e99cd47ef4337957aa870e14a5a42c006d97a017640d76c88fd54daf3585dae47 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xac2b487aa50751714e974a6b4baa7cab (9) Finished request Waking up in 4.0 seconds.
The iOS device doesn't like the response, and therefore stops talking to FreeRADIUS. To see exactly what it doesn't like, look at the debug logs on the device. And yes, generally there are no debug logs on the device. The vendors seem to hate their customers, and provide no way to debug anything. Alan DeKok.
Am 11.01.26 um 19:48 schrieb Alan DeKok via Freeradius-Users:
On Jan 11, 2026, at 6:29 AM, The2nd <the2nd@otpme.org> wrote:
and it works for wlan authentication (mschapv2) with windows, linux and android devices. But it fails with iphone/ios. With iOS is see the request in my python module and it authenticates against my server successfully but the iPhone always tells me "Unable to join the network <ssid>". Does iOS work when you *don't* use your module? i.e. when you put a clear-text password into the configuration, and let FreeRADIUS do everything? It worked when i used it with OTPme (the server i am writing) and the otpme-auth tool as ntlm_auth replacement.
As it works with linux, windows and android i think its not completely wrong. There's likely some odd corner case you're missing, or the iOS device isn't configured correctly.
Debug it with the normal FreeRADIUS configuration. That way you can narrow down where the problem is.
I was able to get the response freeradius sends when using it with my ntml_auth replacement. And the only difference was, that the response was uppercase hex. After changing my module to return uppercase too, it works. Checking the RFC shows that the response MUST be uppercase.
... (9) Sent Access-Challenge Id 213 from 10.219.195.1:1812 to 10.219.195.225:38276 length 140 (9) EAP-Message = 0x012c0052190017030300472209ea55626d5ff1c5bfe6da41424c37ee71bb77118b8f1f51e7bdb050466709030848e8afe46e99cd47ef4337957aa870e14a5a42c006d97a017640d76c88fd54daf3585dae47 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xac2b487aa50751714e974a6b4baa7cab (9) Finished request Waking up in 4.0 seconds. The iOS device doesn't like the response, and therefore stops talking to FreeRADIUS.
To see exactly what it doesn't like, look at the debug logs on the device. And yes, generally there are no debug logs on the device. The vendors seem to hate their customers, and provide no way to debug anything.
Alan DeKok. Yes, a proper debug output on iOS could've saved me 3 hours or so...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 13, 2026, at 3:13 PM, The2nd <the2nd@otpme.org> wrote:
I was able to get the response freeradius sends when using it with my ntml_auth replacement. And the only difference was, that the response was uppercase hex. After changing my module to return uppercase too, it works. Checking the RFC shows that the response MUST be uppercase.
Ah, I guess that sort of makes sense. I have no idea why uppercase would be so important, but it's a Microsoft RFC from 25+ years ago. We can leave that alone. Alan DeKok.
participants (2)
-
Alan DeKok -
The2nd