Freeradius EAP-TLS - every 2nd (even) attempt unsuccessfull
Hello all, First, our environment configuration is: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu configured for EAP-TLS Cisco WLC 2504 Windows 7/8.1 clients Problem: every 1st (odd) connection to WiFi network is without any problem and part of client's certificate contain "TLS-Client-Cert-Common-Name := 'mib@example.com'", which I check using check-eap-tls via part below, is visible: server check-eap-tls { authorize { update config { Auth-Type := Accept } if ("%{TLS-Client-Cert-Common-Name}" =~ /^[A-z.]*@example\.ccom$/) { update config { Auth-Type := Accept } } else { update config { Auth-Type := Reject } update reply { Reply-Message := "Your certificate is not valid." } } ... ... ... When I try to disconnect from wifi and connect again with the same client, connection fails. I noticed that debug output differ for successfull and unsuccessfull attempt in part below. --------------------------------------------------------------- Successfull attempt log --------------------------------------------------------------- (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x3190079e31930a29 (1) eap : Finished EAP session with state 0x3190079e31930a29 (1) eap : Previous EAP request found for state 0x3190079e31930a29, released from the list (1) eap : Peer sent method TLS (13) (1) eap : EAP TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Authenticate (1) eap_tls : processing EAP-TLS TLS Length 129 (1) eap_tls : Length Included (1) eap_tls : eaptls_verify returned 11 (1) eap_tls : (other): before/accept initialization (1) eap_tls : TLS_accept: before/accept initialization (1) eap_tls : <<< TLS 1.0 Handshake [length 007c], ClientHello SSL: Client requested cached session b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e reading pairlist file /var/log/radius/tlscache/b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e.vps Couldn't open /var/log/radius/tlscache/b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e.vps for reading: No such file or directory SSL: could not load persisted VPs for session b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e (1) eap_tls : TLS_accept: SSLv3 read client hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_tls : TLS_accept: SSLv3 write server hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0909], Certificate (1) eap_tls : TLS_accept: SSLv3 write certificate A (1) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_tls : TLS_accept: SSLv3 write key exchange A (1) eap_tls : >>> TLS 1.0 Handshake [length 00b2], CertificateRequest (1) eap_tls : TLS_accept: SSLv3 write certificate request A (1) eap_tls : TLS_accept: SSLv3 flush data (1) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode ------------------------------------------------ Unsuccessfull attempt log ------------------------------------------------ (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x55a42e6f55a72377 (1) eap : Finished EAP session with state 0x55a42e6f55a72377 (1) eap : Previous EAP request found for state 0x55a42e6f55a72377, released from the list (1) eap : Peer sent method TLS (13) (1) eap : EAP TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Authenticate (1) eap_tls : processing EAP-TLS TLS Length 129 (1) eap_tls : Length Included (1) eap_tls : eaptls_verify returned 11 (1) eap_tls : (other): before/accept initialization (1) eap_tls : TLS_accept: before/accept initialization (1) eap_tls : <<< TLS 1.0 Handshake [length 007c], ClientHello SSL: Client requested cached session b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e reading pairlist file /var/log/radius/tlscache/b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e.vps SSL: Successfully restored session b76a6cf7f480f98fd8814048c4d959e55dd67c0e180edb92d885511c89beb44e (1) eap_tls : TLS_accept: SSLv3 read client hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0051], ServerHello (1) eap_tls : TLS_accept: SSLv3 write server hello A (1) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (1) eap_tls : TLS_accept: SSLv3 write change cipher spec A (1) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (1) eap_tls : TLS_accept: SSLv3 write finished A (1) eap_tls : TLS_accept: SSLv3 flush data (1) eap_tls : TLS_accept: Need to read more data: SSLv3 read finished A In SSL Handshake Phase In SSL Accept mode I have noticed that during unsuccessfull attempt is in the log this part (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS TLS Length 59 (2) eap_tls : Length Included and this in successfull log: (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS (2) eap_tls : Received TLS ACK (2) eap_tls : Received TLS ACK (2) eap_tls : ACK handshake fragment handler (2) eap_tls : eaptls_verify returned 1 (2) eap_tls : eaptls_process returned 13 (2) eap : New EAP session, adding 'State' attribute to reply 0x3190079e33950a29 (2) [eap] = handled Sorry, but I'm new in Freeradius environment and I surely overlook something easy to solve, but in this moment I would kindly ask you, community for a help. It looks to me like a problem with skip some certificate check or caching, but maybe I'm completely wrong. Thank you for you help Gracian
On Dec 5, 2015, at 6:04 AM, gracian@centrum.cz wrote:
First, our environment configuration is: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu configured for EAP-TLS
I'd suggest using 3.0.10. It has a number of bugs fixed, including session caching.
When I try to disconnect from wifi and connect again with the same client, connection fails. I noticed that debug output differ for successfull and unsuccessfull attempt in part below.
The first does EAP-TLS. The second re-uses the cached session information. Disable the session cache in your configuration, and it will work. Or, upgrade to 3.0.10 and it will work. Alan DeKok.
Thank you Alan, I commented out section cache in file mods-enabled/eap but the result is I can't connect at all and here is debug output: Sat Dec 5 16:12:27 2015 : Debug: (4) eap : Calling eap_tls to process EAP data Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : Authenticate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : processing EAP-TLS Sat Dec 5 16:12:27 2015 : Debug: TLS Length 1414 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : Length Included Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : eaptls_verify returned 11 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 03fa], Certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : chain-depth=1, Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : error=0 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> User-Name = mib@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> BUF-Name = SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> subject = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.com/CN=SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> issuer = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.com/CN=SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> verify return:1 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : chain-depth=0, Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : error=0 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> User-Name = mib@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> BUF-Name = mib@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> subject = /C=CZ/ST=CzechRepublic/O=AIB/CN=mib@example.com/emailAddress=it@example.com Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> issuer = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.com/CN=SelfSigned certificate Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : --> verify return:1 Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read client certificate A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read client key exchange A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read certificate verify A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 read finished A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 write change cipher spec A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 write finished A Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : TLS_accept: SSLv3 flush data Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : (other): SSL negotiation finished successfully Sat Dec 5 16:12:27 2015 : Debug: SSL Connection Established Sat Dec 5 16:12:27 2015 : Debug: (4) eap_tls : eaptls_process returned 13 Sat Dec 5 16:12:27 2015 : Debug: (4) eap : New EAP session, adding 'State' attribute to reply 0x0701786703067527 Sat Dec 5 16:12:27 2015 : Debug: (4) modsingle[authenticate]: returned from eap (rlm_eap) for request 4 Sat Dec 5 16:12:27 2015 : Debug: (4) [eap] = handled Sat Dec 5 16:12:27 2015 : Debug: (4) } # authenticate = handled Sat Dec 5 16:12:27 2015 : Debug: (4) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=180, length=0 Sat Dec 5 16:12:27 2015 : Debug: (4) EAP-Message = 0x010700450d800000003b14030100010116030100308c4c70cee63e7eccf2311eceedf4f1af7a41904352e4f549283dcd48e7fee6b9f69c511e61b12859905e9d6eda8bbc7d Sat Dec 5 16:12:27 2015 : Debug: (4) Message-Authenticator = 0x00000000000000000000000000000000 Sat Dec 5 16:12:27 2015 : Debug: (4) State = 0x07017867030675271a926a176ed75fb9 Sending Access-Challenge Id 180 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010700450d800000003b14030100010116030100308c4c70cee63e7eccf2311eceedf4f1af7a41904352e4f549283dcd48e7fee6b9f69c511e61b12859905e9d6eda8bbc7d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x07017867030675271a926a176ed75fb9 Sat Dec 5 16:12:27 2015 : Debug: (4) Finished request Sat Dec 5 16:12:27 2015 : Debug: Waking up in 0.2 seconds. Received Access-Request Id 181 from 172.16.0.20:32769 to 172.16.110.17:1812 length 273 User-Name = 'mib@example.com' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Gracian
On Dec 5, 2015, at 10:28 AM, <gracian@centrum.cz> <gracian@centrum.cz> wrote:
I commented out section cache in file mods-enabled/eap but the result is I can't connect at all and here is debug output:
Which doesn't show any errors. PLEASE use just "radiusd -X". It's what we ask for. Adding addition "-x" isn't necessary, and just confuses the output. Alan DeKok.
Alan, here is full (sorry for that) output of "radiusd -X" test during which an attempt was unsuccessfull again with tls cache disabled. As you can see below, there is not TLS-Client-Cert-Common-Name in the output so the check-eap-tls fails. radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar 5 2015 at 23:41:36 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/dynamic_clients including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/dhcp including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/check-eap-tls including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 64 idle_timeout = 30 } } client wlc2504 { ipaddr = 172.16.0.20 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_exec # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" passchange { } allow_retry = yes } # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 1024 } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" virtual_server = "check-eap-tls" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 name = "EAP module" } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_digest # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:215 Cistron compatibility checks for entry testuser ... reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:215 Cistron compatibility checks for entry testuser ... reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server check-eap-tls { # from file /etc/raddb/sites-enabled/check-eap-tls # Loading authorize {...} } # server check-eap-tls server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel server default { # from file /etc/raddb/sites-enabled/default # Creating Auth-Type = digest # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address :: port 1812 as server default Listening on acct address :: port 1813 as server default Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 47703 Ready to process requests Received Access-Request Id 194 from 172.16.0.20:32769 to 172.16.110.17:1812 length 269 User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x02010014016d696240616c696e766573742e637a Message-Authenticator = 0x1bab59fd5ca9faa4fa61fb1e92a22ef0 (0) Received Access-Request packet from host 172.16.0.20 port 32769, id=194, length=269 (0) User-Name = 'mib@example.cz' (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = '20-10-7a-01-c1-80' (0) Called-Station-Id = 'd0-c2-82-e0-cb-80' (0) NAS-Port = 1 (0) Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' (0) Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' (0) NAS-IP-Address = 172.16.0.20 (0) NAS-Identifier = 'wlc' (0) Airespace-Wlan-Id = 3 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = '200' (0) EAP-Message = 0x02010014016d696240616c696e766573742e637a (0) Message-Authenticator = 0x1bab59fd5ca9faa4fa61fb1e92a22ef0 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "example.cz" for User-Name = "mib@example.cz" (0) suffix : No such realm "example.cz" (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 1 length 20 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_tls to process EAP data (0) eap_tls : Requiring client certificate (0) eap_tls : Initiate (0) eap_tls : Requiring client certificate (0) eap_tls : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x9fff236a9ffd2e86 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=194, length=0 (0) EAP-Message = 0x010200060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x9fff236a9ffd2e86923483cd2cba31b1 Sending Access-Challenge Id 194 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9fff236a9ffd2e86923483cd2cba31b1 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 195 from 172.16.0.20:32769 to 172.16.110.17:1812 length 374 User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x0202006b0d8000000061160301005c01000058030156632be3cd7be1024baf6a80d10cb073231da2b3505481eb9db66a806656828b000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 State = 0x9fff236a9ffd2e86923483cd2cba31b1 Message-Authenticator = 0xb73eb59476ea43f1e2a4302781dfd8e0 (1) Received Access-Request packet from host 172.16.0.20 port 32769, id=195, length=374 (1) User-Name = 'mib@example.cz' (1) Chargeable-User-Identity = 0x00 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = '20-10-7a-01-c1-80' (1) Called-Station-Id = 'd0-c2-82-e0-cb-80' (1) NAS-Port = 1 (1) Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' (1) Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' (1) NAS-IP-Address = 172.16.0.20 (1) NAS-Identifier = 'wlc' (1) Airespace-Wlan-Id = 3 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = '200' (1) EAP-Message = 0x0202006b0d8000000061160301005c01000058030156632be3cd7be1024baf6a80d10cb073231da2b3505481eb9db66a806656828b000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100 (1) State = 0x9fff236a9ffd2e86923483cd2cba31b1 (1) Message-Authenticator = 0xb73eb59476ea43f1e2a4302781dfd8e0 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : Looking up realm "example.cz" for User-Name = "mib@example.cz" (1) suffix : No such realm "example.cz" (1) [suffix] = noop (1) eap : Peer sent code Response (2) ID 2 length 107 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x9fff236a9ffd2e86 (1) eap : Finished EAP session with state 0x9fff236a9ffd2e86 (1) eap : Previous EAP request found for state 0x9fff236a9ffd2e86, released from the list (1) eap : Peer sent method TLS (13) (1) eap : EAP TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Authenticate (1) eap_tls : processing EAP-TLS TLS Length 97 (1) eap_tls : Length Included (1) eap_tls : eaptls_verify returned 11 (1) eap_tls : (other): before/accept initialization (1) eap_tls : TLS_accept: before/accept initialization (1) eap_tls : <<< TLS 1.0 Handshake [length 005c], ClientHello (1) eap_tls : TLS_accept: SSLv3 read client hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0039], ServerHello (1) eap_tls : TLS_accept: SSLv3 write server hello A (1) eap_tls : >>> TLS 1.0 Handshake [length 0909], Certificate (1) eap_tls : TLS_accept: SSLv3 write certificate A (1) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_tls : TLS_accept: SSLv3 write key exchange A (1) eap_tls : >>> TLS 1.0 Handshake [length 00b2], CertificateRequest (1) eap_tls : TLS_accept: SSLv3 write certificate request A (1) eap_tls : TLS_accept: SSLv3 flush data (1) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_tls : eaptls_process returned 13 (1) eap : New EAP session, adding 'State' attribute to reply 0x9fff236a9efc2e86 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=195, length=0 (1) EAP-Message = 0x010304000dc000000b53160301003902000035030156632be40735ff6234bd273d5c42d7e7cc1a2a8a6542bdcd02c2380e078b734300c01400000dff01000100000b00040300010216030109090b0009050009020003f3308203ef308202d7a003020102020101300d06092a864886f70d01010b050030819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465301e170d3135313230333137333632365a170d3230313230313137333632365a308184310b300906035504061302435a311630140603550408130d437a65636852657075626c69633121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311b3019060355040313127261646975732e616c696e766573742e637a311d301b06092a864886f70d010901160e697440616c696e766573742e637a30820122300d06092a864886f70d01010105000382010f003082010a0282010100d3ca4b522 2f01a15eabedcb01c483a08963b50e6f28951 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x9fff236a9efc2e86923483cd2cba31b1 Sending Access-Challenge Id 195 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010304000dc000000b53160301003902000035030156632be40735ff6234bd273d5c42d7e7cc1a2a8a6542bdcd02c2380e078b734300c01400000dff01000100000b00040300010216030109090b0009050009020003f3308203ef308202d7a003020102020101300d06092a864886f70d01010b050030819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465301e170d3135313230333137333632365a170d3230313230313137333632365a308184310b300906035504061302435a311630140603550408130d437a65636852657075626c69633121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311b3019060355040313127261646975732e616c696e766573742e637a311d301b06092a864886f70d010901160e697440616c696e766573742e637a30820122300d06092a864886f70d01010105000382010f003082010a0282010100d3ca4b5222f01 a15eabedcb01c483a08963b50e6f2895 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9fff236a9efc2e86923483cd2cba31b1 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 196 from 172.16.0.20:32769 to 172.16.110.17:1812 length 273 User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x020300060d00 State = 0x9fff236a9efc2e86923483cd2cba31b1 Message-Authenticator = 0x938805f4ed9b8f3b92a739a3a7e2f639 (2) Received Access-Request packet from host 172.16.0.20 port 32769, id=196, length=273 (2) User-Name = 'mib@example.cz' (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = '20-10-7a-01-c1-80' (2) Called-Station-Id = 'd0-c2-82-e0-cb-80' (2) NAS-Port = 1 (2) Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' (2) Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' (2) NAS-IP-Address = 172.16.0.20 (2) NAS-Identifier = 'wlc' (2) Airespace-Wlan-Id = 3 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = '200' (2) EAP-Message = 0x020300060d00 (2) State = 0x9fff236a9efc2e86923483cd2cba31b1 (2) Message-Authenticator = 0x938805f4ed9b8f3b92a739a3a7e2f639 (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : Looking up realm "example.cz" for User-Name = "mib@example.cz" (2) suffix : No such realm "example.cz" (2) [suffix] = noop (2) eap : Peer sent code Response (2) ID 3 length 6 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x9fff236a9efc2e86 (2) eap : Finished EAP session with state 0x9fff236a9efc2e86 (2) eap : Previous EAP request found for state 0x9fff236a9efc2e86, released from the list (2) eap : Peer sent method TLS (13) (2) eap : EAP TLS (13) (2) eap : Calling eap_tls to process EAP data (2) eap_tls : Authenticate (2) eap_tls : processing EAP-TLS (2) eap_tls : Received TLS ACK (2) eap_tls : Received TLS ACK (2) eap_tls : ACK handshake fragment handler (2) eap_tls : eaptls_verify returned 1 (2) eap_tls : eaptls_process returned 13 (2) eap : New EAP session, adding 'State' attribute to reply 0x9fff236a9dfb2e86 (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=196, length=0 (2) EAP-Message = 0x010404000dc000000b53e8fb3a062d56d1a24e5c61138a1dc706eb9475eb5201c8ac83cbf3ee935725e060e931ba668eee896a062850171eb648a0abead9d559b6eb2ce7480f29a17dcba28001319e57f2ec130f00050930820505308203eda003020102020900abddddd96f3a95b3300d06092a864886f70d010105050030819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465301e170d3135313230333137333631395a170d3230313230313137333631395a30819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e656420636572746966696361746530820 122300d06092a864886f70d01010105000382 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x9fff236a9dfb2e86923483cd2cba31b1 Sending Access-Challenge Id 196 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010404000dc000000b53e8fb3a062d56d1a24e5c61138a1dc706eb9475eb5201c8ac83cbf3ee935725e060e931ba668eee896a062850171eb648a0abead9d559b6eb2ce7480f29a17dcba28001319e57f2ec130f00050930820505308203eda003020102020900abddddd96f3a95b3300d06092a864886f70d010105050030819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465301e170d3135313230333137333631395a170d3230313230313137333631395a30819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465308201223 00d06092a864886f70d0101010500038 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9fff236a9dfb2e86923483cd2cba31b1 (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 197 from 172.16.0.20:32769 to 172.16.110.17:1812 length 273 User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x020400060d00 State = 0x9fff236a9dfb2e86923483cd2cba31b1 Message-Authenticator = 0x0db3c750734a94c54375e9219c8db678 (3) Received Access-Request packet from host 172.16.0.20 port 32769, id=197, length=273 (3) User-Name = 'mib@example.cz' (3) Chargeable-User-Identity = 0x00 (3) Location-Capable = Civix-Location (3) Calling-Station-Id = '20-10-7a-01-c1-80' (3) Called-Station-Id = 'd0-c2-82-e0-cb-80' (3) NAS-Port = 1 (3) Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' (3) Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' (3) NAS-IP-Address = 172.16.0.20 (3) NAS-Identifier = 'wlc' (3) Airespace-Wlan-Id = 3 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = '200' (3) EAP-Message = 0x020400060d00 (3) State = 0x9fff236a9dfb2e86923483cd2cba31b1 (3) Message-Authenticator = 0x0db3c750734a94c54375e9219c8db678 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (!&User-Name) (3) if (!&User-Name) -> FALSE (3) if (&User-Name =~ / /) (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@.*@/ ) (3) if (&User-Name =~ /@.*@/ ) -> FALSE (3) if (&User-Name =~ /\\.\\./ ) (3) if (&User-Name =~ /\\.\\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\\.$/) (3) if (&User-Name =~ /\\.$/) -> FALSE (3) if (&User-Name =~ /@\\./) (3) if (&User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : Looking up realm "example.cz" for User-Name = "mib@example.cz" (3) suffix : No such realm "example.cz" (3) [suffix] = noop (3) eap : Peer sent code Response (2) ID 4 length 6 (3) eap : No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x9fff236a9dfb2e86 (3) eap : Finished EAP session with state 0x9fff236a9dfb2e86 (3) eap : Previous EAP request found for state 0x9fff236a9dfb2e86, released from the list (3) eap : Peer sent method TLS (13) (3) eap : EAP TLS (13) (3) eap : Calling eap_tls to process EAP data (3) eap_tls : Authenticate (3) eap_tls : processing EAP-TLS (3) eap_tls : Received TLS ACK (3) eap_tls : Received TLS ACK (3) eap_tls : ACK handshake fragment handler (3) eap_tls : eaptls_verify returned 1 (3) eap_tls : eaptls_process returned 13 (3) eap : New EAP session, adding 'State' attribute to reply 0x9fff236a9cfa2e86 (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=197, length=0 (3) EAP-Message = 0x010503710d8000000b53ddd96f3a95b3300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e616c696e766573742e637a2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100679c607f205cba2559697ac9e291f5bd2449de5d4df94e37ad971801d3ceb01fb43767587e26fb36f066ff61fed1f31473dcf1d5c6d92eb6e51a371e9bc69bd2c916af86414e413f4080dccf8ff6ba1e67dedf725ad52f2d2228ef56873d6a62cbc379fd6278ff634df979911a5251471242ceef3ae811433fdc91b3e5d832d586b00332d45012a084e344dab041082905ed28b254b2d00015af9acdaeb9b124f0ce38453d6f2dfa4d5e88655a262aad870dac278c887760c339df03e3a20d7631dabc5ffa5e2c0a7e451dd2dc0d4920ded3bb0560852e351cb8ef9625ae58c6c687117e61fd7db03086a789ad2ae3bd790fd4f9bf7d5d158f4a05d5c7a17660160301014b0c00014703001741048960636f4e7e60af7bf3dff3c607ec647717d947f41aacdbffce24ae4cc388cd37dc5693729a50815efe85a8123f30483ff82566c2f269a53b1ba5599504863a0100349d17e795e6a9673c3a1836164fec7a3e206fa764a6da3224fad8efa50dc450518fe2ac42f334a3c1284 1639f71f57ade5862b9dc8ade01113380c4bb (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x9fff236a9cfa2e86923483cd2cba31b1 Sending Access-Challenge Id 197 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010503710d8000000b53ddd96f3a95b3300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e616c696e766573742e637a2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100679c607f205cba2559697ac9e291f5bd2449de5d4df94e37ad971801d3ceb01fb43767587e26fb36f066ff61fed1f31473dcf1d5c6d92eb6e51a371e9bc69bd2c916af86414e413f4080dccf8ff6ba1e67dedf725ad52f2d2228ef56873d6a62cbc379fd6278ff634df979911a5251471242ceef3ae811433fdc91b3e5d832d586b00332d45012a084e344dab041082905ed28b254b2d00015af9acdaeb9b124f0ce38453d6f2dfa4d5e88655a262aad870dac278c887760c339df03e3a20d7631dabc5ffa5e2c0a7e451dd2dc0d4920ded3bb0560852e351cb8ef9625ae58c6c687117e61fd7db03086a789ad2ae3bd790fd4f9bf7d5d158f4a05d5c7a17660160301014b0c00014703001741048960636f4e7e60af7bf3dff3c607ec647717d947f41aacdbffce24ae4cc388cd37dc5693729a50815efe85a8123f30483ff82566c2f269a53b1ba5599504863a0100349d17e795e6a9673c3a1836164fec7a3e206fa764a6da3224fad8efa50dc450518fe2ac42f334a3c12841639 f71f57ade5862b9dc8ade01113380c4b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9fff236a9cfa2e86923483cd2cba31b1 (3) Finished request Waking up in 0.2 seconds. Received Access-Request Id 198 from 172.16.0.20:32769 to 172.16.110.17:1812 length 1701 User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x020505900d800000058616030105460b0003f60003f30003f0308203ec308202d4a003020102020103300d06092a864886f70d01010b050030819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465301e170d3135313230343130353935345a170d3136303230323130353935345a308181310b300906035504061302435a311630140603550408130d437a65636852657075626c69633121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311830160603550403140f6d696240616c696e766573742e637a311d301b06092a864886f70d010901160e697440616c696e766573742e637a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba1967a40afe506402ceda36eb04e45bc8f8fa364c49ce4a2ead552633267cb83d25dcc0df24d7a0c1c5529652cb0451f7637e187c0c5e17d0208f66ccd10b0d8a32f0721796459 b26256ecfafcdcb0ffca2cb6bc5848ca State = 0x9fff236a9cfa2e86923483cd2cba31b1 Message-Authenticator = 0x9baeed985e6260828cc3be11bb79931d (4) Received Access-Request packet from host 172.16.0.20 port 32769, id=198, length=1701 (4) User-Name = 'mib@example.cz' (4) Chargeable-User-Identity = 0x00 (4) Location-Capable = Civix-Location (4) Calling-Station-Id = '20-10-7a-01-c1-80' (4) Called-Station-Id = 'd0-c2-82-e0-cb-80' (4) NAS-Port = 1 (4) Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' (4) Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' (4) NAS-IP-Address = 172.16.0.20 (4) NAS-Identifier = 'wlc' (4) Airespace-Wlan-Id = 3 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = '200' (4) EAP-Message = 0x020505900d800000058616030105460b0003f60003f30003f0308203ec308202d4a003020102020103300d06092a864886f70d01010b050030819f310b300906035504061302435a311630140603550408130d437a65636852657075626c6963311530130603550407130c4e6f7274684d6f72617669613121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311d301b06092a864886f70d010901160e697440616c696e766573742e637a311f301d0603550403131653656c665369676e6564206365727469666963617465301e170d3135313230343130353935345a170d3136303230323130353935345a308181310b300906035504061302435a311630140603550408130d437a65636852657075626c69633121301f060355040a1418414c5f494e564553545f427269646c69636e612c612e732e311830160603550403140f6d696240616c696e766573742e637a311d301b06092a864886f70d010901160e697440616c696e766573742e637a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba1967a40afe506402ceda36eb04e45bc8f8fa364c49ce4a2ead552633267cb83d25dcc0df24d7a0c1c5529652cb0451f7637e187c0c5e17d0208f66ccd10b0d8a32f072179 6459b26256ecfafcdcb0ffca2cb6bc5848ca3 (4) State = 0x9fff236a9cfa2e86923483cd2cba31b1 (4) Message-Authenticator = 0x9baeed985e6260828cc3be11bb79931d (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (!&User-Name) (4) if (!&User-Name) -> FALSE (4) if (&User-Name =~ / /) (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@.*@/ ) (4) if (&User-Name =~ /@.*@/ ) -> FALSE (4) if (&User-Name =~ /\\.\\./ ) (4) if (&User-Name =~ /\\.\\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\\.$/) (4) if (&User-Name =~ /\\.$/) -> FALSE (4) if (&User-Name =~ /@\\./) (4) if (&User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : Checking for suffix after "@" (4) suffix : Looking up realm "example.cz" for User-Name = "mib@example.cz" (4) suffix : No such realm "example.cz" (4) [suffix] = noop (4) eap : Peer sent code Response (2) ID 5 length 1424 (4) eap : No EAP Start, assuming it's an on-going EAP conversation (4) [eap] = updated (4) [files] = noop (4) [expiration] = noop (4) [logintime] = noop (4) [pap] = noop (4) } # authorize = updated (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0x9fff236a9cfa2e86 (4) eap : Finished EAP session with state 0x9fff236a9cfa2e86 (4) eap : Previous EAP request found for state 0x9fff236a9cfa2e86, released from the list (4) eap : Peer sent method TLS (13) (4) eap : EAP TLS (13) (4) eap : Calling eap_tls to process EAP data (4) eap_tls : Authenticate (4) eap_tls : processing EAP-TLS TLS Length 1414 (4) eap_tls : Length Included (4) eap_tls : eaptls_verify returned 11 (4) eap_tls : <<< TLS 1.0 Handshake [length 03fa], Certificate (4) eap_tls : chain-depth=1, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = mib@example.cz (4) eap_tls : --> BUF-Name = SelfSigned certificate (4) eap_tls : --> subject = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.cz/CN=SelfSigned certificate (4) eap_tls : --> issuer = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.cz/CN=SelfSigned certificate (4) eap_tls : --> verify return:1 (4) eap_tls : chain-depth=0, (4) eap_tls : error=0 (4) eap_tls : --> User-Name = mib@example.cz (4) eap_tls : --> BUF-Name = mib@example.cz (4) eap_tls : --> subject = /C=CZ/ST=CzechRepublic/O=AIB/CN=mib@example.cz/emailAddress=it@example.cz (4) eap_tls : --> issuer = /C=CZ/ST=CzechRepublic/L=NorthMoravia/O=AIB/emailAddress=it@example.cz/CN=SelfSigned certificate (4) eap_tls : --> verify return:1 (4) eap_tls : TLS_accept: SSLv3 read client certificate A (4) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (4) eap_tls : TLS_accept: SSLv3 read client key exchange A (4) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify (4) eap_tls : TLS_accept: SSLv3 read certificate verify A (4) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 read finished A (4) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (4) eap_tls : TLS_accept: SSLv3 write change cipher spec A (4) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (4) eap_tls : TLS_accept: SSLv3 write finished A (4) eap_tls : TLS_accept: SSLv3 flush data (4) eap_tls : (other): SSL negotiation finished successfully SSL Connection Established (4) eap_tls : eaptls_process returned 13 (4) eap : New EAP session, adding 'State' attribute to reply 0x9fff236a9bf92e86 (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host 172.16.0.20 port 32769, id=198, length=0 (4) EAP-Message = 0x010600450d800000003b140301000101160301003092eb4fba004b8fca7b15972c8d337c0f3b6660c6102d39d59fd772f1e11088113288b3fbdbfe92d783ab6d34f0aba8cc (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x9fff236a9bf92e86923483cd2cba31b1 Sending Access-Challenge Id 198 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x010600450d800000003b140301000101160301003092eb4fba004b8fca7b15972c8d337c0f3b6660c6102d39d59fd772f1e11088113288b3fbdbfe92d783ab6d34f0aba8cc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9fff236a9bf92e86923483cd2cba31b1 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 199 from 172.16.0.20:32769 to 172.16.110.17:1812 length 273 User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x020600060d00 State = 0x9fff236a9bf92e86923483cd2cba31b1 Message-Authenticator = 0x2430e3517ff9c9dc9ef80772144fcb31 (5) Received Access-Request packet from host 172.16.0.20 port 32769, id=199, length=273 (5) User-Name = 'mib@example.cz' (5) Chargeable-User-Identity = 0x00 (5) Location-Capable = Civix-Location (5) Calling-Station-Id = '20-10-7a-01-c1-80' (5) Called-Station-Id = 'd0-c2-82-e0-cb-80' (5) NAS-Port = 1 (5) Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' (5) Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' (5) NAS-IP-Address = 172.16.0.20 (5) NAS-Identifier = 'wlc' (5) Airespace-Wlan-Id = 3 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = '200' (5) EAP-Message = 0x020600060d00 (5) State = 0x9fff236a9bf92e86923483cd2cba31b1 (5) Message-Authenticator = 0x2430e3517ff9c9dc9ef80772144fcb31 (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (!&User-Name) (5) if (!&User-Name) -> FALSE (5) if (&User-Name =~ / /) (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@.*@/ ) (5) if (&User-Name =~ /@.*@/ ) -> FALSE (5) if (&User-Name =~ /\\.\\./ ) (5) if (&User-Name =~ /\\.\\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\\.$/) (5) if (&User-Name =~ /\\.$/) -> FALSE (5) if (&User-Name =~ /@\\./) (5) if (&User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : Checking for suffix after "@" (5) suffix : Looking up realm "example.cz" for User-Name = "mib@example.cz" (5) suffix : No such realm "example.cz" (5) [suffix] = noop (5) eap : Peer sent code Response (2) ID 6 length 6 (5) eap : No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) [files] = noop (5) [expiration] = noop (5) [logintime] = noop (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0x9fff236a9bf92e86 (5) eap : Finished EAP session with state 0x9fff236a9bf92e86 (5) eap : Previous EAP request found for state 0x9fff236a9bf92e86, released from the list (5) eap : Peer sent method TLS (13) (5) eap : EAP TLS (13) (5) eap : Calling eap_tls to process EAP data (5) eap_tls : Authenticate (5) eap_tls : processing EAP-TLS (5) eap_tls : Received TLS ACK (5) eap_tls : Received TLS ACK (5) eap_tls : ACK handshake is finished (5) eap_tls : eaptls_verify returned 3 (5) eap_tls : eaptls_process returned 3 (5) eap_tls : Processing EAP-TLS Certificate check: (5) server check-eap-tls { (5) Request: User-Name = 'mib@example.cz' Chargeable-User-Identity = 0x00 Location-Capable = Civix-Location Calling-Station-Id = '20-10-7a-01-c1-80' Called-Station-Id = 'd0-c2-82-e0-cb-80' NAS-Port = 1 Cisco-AVPair = 'audit-session-id=ac1000140000066956632be4' Acct-Session-Id = '56632be4/20:10:7a:01:c1:80/574' NAS-IP-Address = 172.16.0.20 NAS-Identifier = 'wlc' Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = '200' EAP-Message = 0x020600060d00 State = 0x9fff236a9bf92e86923483cd2cba31b1 Message-Authenticator = 0x2430e3517ff9c9dc9ef80772144fcb31 Event-Timestamp = 'Dec 5 2015 19:24:37 CET' EAP-Type = TLS (5) # Executing section authorize from file /etc/raddb/sites-enabled/check-eap-tls (5) authorize { (5) update config { (5) Auth-Type := Accept (5) } # update config = noop (5) if ("%{TLS-Client-Cert-Common-Name}" =~ /^[A-z.]*@example\.cz$/) (5) EXPAND %{TLS-Client-Cert-Common-Name} (5) --> (5) if ("%{TLS-Client-Cert-Common-Name}" =~ /^[A-z.]*@example\.cz$/) -> FALSE (5) else else { (5) update config { (5) Auth-Type := Reject (5) } # update config = noop (5) update reply { (5) Reply-Message := 'Your certificate is not valid.' (5) } # update reply = noop (5) } # else else = noop (5) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (5) auth_log : --> /var/log/radius/radacct/172.16.0.20/auth-detail-20151205 (5) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.0.20/auth-detail-20151205 (5) auth_log : EXPAND %t (5) auth_log : --> Sat Dec 5 19:24:37 2015 (5) [auth_log] = ok (5) } # authorize = ok (5) Found Auth-Type = Reject (5) Auth-Type = Reject, rejecting user (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) Reply: Reply-Message := 'Your certificate is not valid.' (5) } # server check-eap-tls (5) eap_tls : Certificates were rejected by the virtual server (5) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed (5) eap : Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject : EXPAND %{User-Name} (5) attr_filter.access_reject : --> mib@example.cz (5) attr_filter.access_reject : Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (5) [eap] = noop (5) remove_reply_message_if_eap remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) (5) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) update reply { (5) Reply-Message !* ANY (5) } # update reply = noop (5) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop (5) ... skipping else for request 5: Preceding "if" was taken (5) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1 seconds Waking up in 0.2 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sending Access-Reject packet to host 172.16.0.20 port 32769, id=199, length=0 (5) EAP-Message = 0x04060004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Reject Id 199 from 172.16.110.17:1812 to 172.16.0.20:32769 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 194 with timestamp +10 (1) Cleaning up request packet ID 195 with timestamp +10 (2) Cleaning up request packet ID 196 with timestamp +10 (3) Cleaning up request packet ID 197 with timestamp +10 (4) Cleaning up request packet ID 198 with timestamp +11 (5) Cleaning up request packet ID 199 with timestamp +11 Ready to process requests
On Dec 5, 2015, at 1:40 PM, <gracian@centrum.cz> <gracian@centrum.cz> wrote: here is full (sorry for that) output of "radiusd -X" test during which an attempt was unsuccessfull again with tls cache disabled. As you can see below, there is not TLS-Client-Cert-Common-Name in the output so the check-eap-tls fails.
Upgrade to 3.0.10. And verify that the check *you added* for TLS-Client-Cert-Common-Name is correct. There is no way that simply disabling the "cache" entry causes authentication to fail. The default configuration does *not* have checks for TLS-Client-Cert-Common-Name. Alan DeKok.
Alan, I have CentOS 7.1 so the upgrade of the radius package is quite complicated, but I'll try. Could you guide me please, against what attribute I should check the client certificate for eap-tls mode? Thank you very much Alan for your time and effort Gracian ______________________________________________________________
Od: Alan DeKok <aland@deployingradius.com> Komu: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Datum: 05.12.2015 20:33 Předmět: Re: Freeradius EAP-TLS - every 2nd (even) attempt unsuccessfull
On Dec 5, 2015, at 1:40 PM, <gracian@centrum.cz> <gracian@centrum.cz> wrote: here is full (sorry for that) output of "radiusd -X" test during which an attempt was unsuccessfull again with tls cache disabled. As you can see below, there is not TLS-Client-Cert-Common-Name in the output so the check-eap-tls fails.
Upgrade to 3.0.10. And verify that the check *you added* for TLS-Client-Cert-Common-Name is correct. There is no way that simply disabling the "cache" entry causes authentication to fail. The default configuration does *not* have checks for TLS-Client-Cert-Common-Name. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
On Dec 5, 2015, at 2:45 PM, <gracian@centrum.cz> <gracian@centrum.cz> wrote:
I have CentOS 7.1 so the upgrade of the radius package is quite complicated, but I'll try.
The Wiki contains detailed instructions for building RedHat modules. It's not difficult.
Could you guide me please, against what attribute I should check the client certificate for eap-tls mode?
You're checking the correct attribute. But in 3.0.4, without caching... the attribute doesn't exist. Alan DeKok.
You are right! I downloaded the newest packages from "http://koji.fedoraproject.org/koji/buildinfo?buildID=678764" and upgraded FR to 3.0.9. Everything works include tls caching! Great job Alan! Gracian ______________________________________________________________
Od: Alan DeKok <aland@deployingradius.com> Komu: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Datum: 05.12.2015 21:28 Předmět: Re: Freeradius EAP-TLS - every 2nd (even) attempt unsuccessfull
On Dec 5, 2015, at 2:45 PM, <gracian@centrum.cz> <gracian@centrum.cz> wrote:
I have CentOS 7.1 so the upgrade of the radius package is quite complicated, but I'll try.
The Wiki contains detailed instructions for building RedHat modules. It's not difficult.
Could you guide me please, against what attribute I should check the client certificate for eap-tls mode?
You're checking the correct attribute. But in 3.0.4, without caching... the attribute doesn't exist. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
participants (2)
-
Alan DeKok -
gracian@centrum.cz