Hi freeRadius users, My goal is a hotspot for a coffee. My freeRadius is on Debian and the Access Point is an Vodafone WLAN Router. All Function of the Vodafone Router are disabled. Only Network Security WPA/WPA2 and Authentication: 802.1X, Server IP: 192.168.2.1, Server Port: 1812, Secret Key: testing123 If I try to authenticated with an Apple Mac, I get the access but no IP, so I don't have Internet. What I'm doing wrong ?? #radiusd -X FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Apr 21 2011 at 12:50:54 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { name = "freeradius" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/freeradius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/usr/local/var/run/freeradius/freeradius.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 127.0.0.1 { require_message_authenticator = no secret = "testing123" shortname = "localhost" } client 192.168.2.1/32 { require_message_authenticator = no secret = "testing123" shortname = "freeRadius" } client 192.168.2.88/32 { require_message_authenticator = no secret = "testing123" shortname = "hotspotAP" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "reply_log" from file /usr/local/etc/raddb/modules/detail.log detail reply_log { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Instantiating module "auth_log" from file /usr/local/etc/raddb/modules/detail.log detail auth_log { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_ippool Module: Instantiating module "lowpool" from file /usr/local/etc/raddb/modules/ippool ippool lowpool { session-db = "/usr/local/etc/raddb/db.lowippool" ip-index = "/usr/local/etc/raddb/db.lowipindex" key = "%{NAS-IP-Address} %{NAS-Port}" range-start = 192.168.188.1 range-stop = 192.168.188.254 netmask = 255.255.255.0 cache-size = 800 override = no maximum-timeout = 0 } Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/freeradius/freeradius.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/freeradius/freeradius.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. ################################################# When I try to login: rad_recv: Access-Request packet from host 192.168.2.88 port 34881, id=2, length=138 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202000801626f6f Message-Authenticator = 0x4876fa4982588ed7ba6c175a60f6aecc # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry boo at line 1 [files] users: Matched entry DEFAULT at line 35 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.2.88 port 34881 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f215552d1be5738f4b0d4f875 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34882, id=3, length=312 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f215552d1be5738f4b0d4f875 EAP-Message = 0x020300a419800000009a16030100950100009103014db97e5e76dd74cc559d116c7bccdcde68f8641490c1b88691a8348d1de835bc000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 Message-Authenticator = 0xff8ee300743754d4ec87a5705ca5ff3b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 154 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0095], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.2.88 port 34882 EAP-Message = 0x0104040019c00000089b160301002a0200002603014db97d1e1856dc1db102cdb60379334359c350fd3494b03f5a58ce2f8b1ff0de00002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303432313131313832395a170d3132303432303131313832395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba7b934ea499f2b2736373422c0982838ae11220f4fba107355d9c302ee14d5bb343fd018fa6bf0f482adad0498cfb111b39cf2ad9ac6b8e5aa6ba3965a5 EAP-Message = 0x51be869a298f1e32fabe2638588fb0ff7503365037a4f58b97302a4ee9b7499adc9bfdc9b15f845cb4344bb4d886699f35cdd25fc96197738b42c09b465b760ab59580f13fa763c44888cc809aefe02d885c2cc00d245a8364604212b497d00b1456906c0b2628fa6ab1a23f44bd4e38fc75953985c3e5f4776013d6cb52a45351871872b78e223bb1518d7ce70f38aa0aaf85b0668ee2a82925755b78d54bd4ff0deb5c0000554a7d2bbac1398a892e77a67244a194caf00700ca2cc1f5c01c05ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010087a0f914b4773f8893 EAP-Message = 0x21b931488032bfb518299226902cedb21008a8ba2360ec495cd1dfcee1cee13427005c00d359b1058fc50522a3eb71863d94eec6b2516fd9d457103328c7d1b702f9e436a80db57227ac13aa87729be0d276943a9b8e5909751c55e15f07a040be10383a9694e51b14425d4272338807fc8a01230323f19b616816902a4ae373ded5851950d17ecd6a41c7147c304cdf5afba9a8fd56c74693a218bda99ffd577bc791670ae3702af2d854535ff0c193ffe3259443cb4a222d2a613f465c560843a1f9c7fa98b874e22c81dc6e93c6a1ed8479f7615c4638310f6134ee34009e6be8a53e19ec7dbaf144a08457026ec4642f90e8e3e99f0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f205252d1be5738f4b0d4f875 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34883, id=4, length=154 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f205252d1be5738f4b0d4f875 EAP-Message = 0x020400061900 Message-Authenticator = 0xccf21f87cc15a1696d8dcee766ed27fb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.2.88 port 34883 EAP-Message = 0x010503fc194000abc71f33573e3fde300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303432313131313832395a170d3132303432303131313832395a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a2d198e35bf353e8a6b75d29e1cea897998fdacf40b9328cf84a7ff6ca0d03d3ee11864836b4f43a7cfb4b06cdd2d9e4a4b0f4e93f6ecac75a63229e53dff975dfa2e18b44c49c5bfbc9cdab97ca9d2215908ec6dc0cf041b02202424f4dceaf331f85a9bcda3c7db89a5f0a46b8e1 EAP-Message = 0x965131641bc6a7402647041af554d0f0105f86614f35f1849b00a6a9f068ab233d25a2a2e42e5c7f04be27386de260ea1608c69aa57c4bbf107a5ef765835a36f77c02ebddad36f49733886f98c62a00fd66ebdd67118a9652cd9fe63303b8ea4d85a4b4eeeaa1434f81d10270ab02700d1dbf73313f930d79c3fb05e6fbcf17d2206b55806368897c5d84cae3d215dd8b0203010001a381fb3081f8301d0603551d0e04160414752dd439d6e5377b7ec304e788fb9a1dc7c6c6683081c80603551d230481c03081bd8014752dd439d6e5377b7ec304e788fb9a1dc7c6c668a18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900abc71f33573e3fde300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100017d1dd439df54d86d72b4d890d1a3f25cd5382e6f4464fbae1e922b3e48c041d6fbfbf759b89e8b65f7ab37ac5c0f7806c5a21ef8946eb13dc40739face77fb6015b46197254fba2cc42e202b699be9ab6b EAP-Message = 0x94f19ec8c3e9828c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f235352d1be5738f4b0d4f875 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34884, id=5, length=154 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f235352d1be5738f4b0d4f875 EAP-Message = 0x020500061900 Message-Authenticator = 0x0737e559ac7aca02525f81a36a74ff09 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.2.88 port 34884 EAP-Message = 0x010600b51900a4d2aa9097ff1df73961157c8680b7d2d222fa071ad58b9fca37a8a973d37fd64e99856c900bee026b84ee5cf875aa97036dda3b3fe893dbe469f5954c1efe1fbf0b579d3a8c50b2b56fc312c956f9a676a0ff9062bcb3430cb5fe6a344855261a4ac3c3a35b4fac6c197a2868adde65e595adc8aab2091b9793e9d9cec0698fbee4029caecf271efedea75de52f7f064f3c4e78f5f4632ea06342417f5f54295d67749f1a1a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f225052d1be5738f4b0d4f875 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34885, id=6, length=407 User-Name = "boo" NAS-IP-Address = 0.0.0.0 State = 0x21564b2f225052d1be5738f4b0d4f875 EAP-Message = 0x0206015019800000014616030101061000010201006ca46f309f60a272907b09742bbd6100ff1d97597bc5a6ba73d3600812ff5b85589637985667847f7c3da60ef6cd233db473a7100ce780a9515d9c2415e7ef02ed7769ccbf0e209887d8692aa307d3ce6c2b8acfd1695ac9e27ccca4b2f15589e3bb3ac84c957221144a69890bdde0be8f6839089e216a59d0336247bcc851b508774114bb5e122dec2da2924afa5d7103ac50fc694eed3ae1655d361c2d34d6b092bd2cf4066cf3e442f5092fd73f0d04a6b37d9d46cc2d7e7205e29302821b920352dd74dcaa2f5c6df2dbaf164a2cea2cab0b13b1c8aa5973a75d71209525b4350441b349575f EAP-Message = 0x609eababb6acaac76f6919caba347c9564a944d571c47e361403010001011603010030e0f817eccd6b1e3d3dbb4a155b54615f54e28d57e1ed59f028ffbe79f74bbaa05cc8389a4c225f8f680df2db29ade738 Message-Authenticator = 0x7bbe6e979530ef41b057bc2375596b5d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.2.88 port 34885 EAP-Message = 0x0107004119001403010001011603010030ce12d6807d88bab2980e98b0f283310fee7d98d752c5b6e402e42e470eee21cca886ddf5e8e52d9b875365d199bad24c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f255152d1be5738f4b0d4f875 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34886, id=7, length=154 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f255152d1be5738f4b0d4f875 EAP-Message = 0x020700061900 Message-Authenticator = 0xf2bdb6c7a41e68097e6a008123ae0f00 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.2.88 port 34886 EAP-Message = 0x0108002b19001703010020d0cee21eb335a040d6bd754aa615cef1948b2cde3e3c7b2ccc5f13d671ebf9fb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f245e52d1be5738f4b0d4f875 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34887, id=8, length=191 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f245e52d1be5738f4b0d4f875 EAP-Message = 0x0208002b19001703010020405e092a1d2516394fa461fb0ba74d4a16dbfbf28910f65768172f9cb7794a36 Message-Authenticator = 0xa812767590aef81207611d0a42284e50 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - boo [peap] Got inner identity 'boo' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0208000801626f6f server { [peap] Setting User-Name to boo Sending tunneled request EAP-Message = 0x0208000801626f6f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "boo" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry boo at line 1 [files] users: Matched entry DEFAULT at line 35 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 EAP-Message = 0x0109001d1a010900181075bbc07ced4c612749e0e8e0386b7ee1626f6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7b052bf57b0c31153b0f177e7b600567 [peap] Got tunneled reply RADIUS code 11 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 EAP-Message = 0x0109001d1a010900181075bbc07ced4c612749e0e8e0386b7ee1626f6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7b052bf57b0c31153b0f177e7b600567 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.2.88 port 34887 EAP-Message = 0x0109003b190017030100301c4beaf4f10b88ae58ea76a9ad2005383cedae18fa55caea3b8800d4b505f75fd8f2f9f2b3045b6b4d1cf9f71389b0d4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f275f52d1be5738f4b0d4f875 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34888, id=9, length=239 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f275f52d1be5738f4b0d4f875 EAP-Message = 0x0209005b190017030100503da01a62411430004d35d925f057c5b0e201cfdaf1e5355f65830c4cf9ba1248fd7204b918c71d5b10ac9b0790dafc5188b26cbc3f0669ffbc58986a3bb370549f1b0a8c5344993960f5641f973113ba Message-Authenticator = 0x78c509cbc9fff3c74d8f6c9d85b30826 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0209003e1a0209003931de52063462a94106e57f7099d8e0773f000000000000000063e989f957274b81934fa1ea116e083291dad00b70d09f3000626f6f server { [peap] Setting User-Name to boo Sending tunneled request EAP-Message = 0x0209003e1a0209003931de52063462a94106e57f7099d8e0773f000000000000000063e989f957274b81934fa1ea116e083291dad00b70d09f3000626f6f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "boo" State = 0x7b052bf57b0c31153b0f177e7b600567 server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 62 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry boo at line 1 [files] users: Matched entry DEFAULT at line 35 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: boo [mschap] Told to do MS-CHAPv2 for boo with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 EAP-Message = 0x010a00331a0309002e533d45313233383738423637303137354532443645443430354133413235374436333433344145343233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7b052bf57a0f31153b0f177e7b600567 [peap] Got tunneled reply RADIUS code 11 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 EAP-Message = 0x010a00331a0309002e533d45313233383738423637303137354532443645443430354133413235374436333433344145343233 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7b052bf57a0f31153b0f177e7b600567 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 9 to 192.168.2.88 port 34888 EAP-Message = 0x010a005b190017030100509b93bf40fa19ae992fdfa3eae3312a4a932c5a88207d36acffc7806b19f955a09542dd5937a922b690d579406985db74cee8ebc94b5c2627588866c271d4325cce1fe1b440eaafc855a1565833055a0b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f265c52d1be5738f4b0d4f875 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34889, id=10, length=191 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f265c52d1be5738f4b0d4f875 EAP-Message = 0x020a002b1900170301002053bcaf27a58802b86c8d5b6777ef0296385e5be23e396c40ed305ed77ea2e9b8 Message-Authenticator = 0x224760a4c0364af7397d0559fab335fd # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00061a03 server { [peap] Setting User-Name to boo Sending tunneled request EAP-Message = 0x020a00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "boo" State = 0x7b052bf57a0f31153b0f177e7b600567 server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry boo at line 1 [files] users: Matched entry DEFAULT at line 35 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [boo/<via Auth-Type = EAP>] (from client hotspotAP port 0 via TLS tunnel) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group post-auth {...} [reply_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/reply-detail-20110428 [reply_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/reply-detail-20110428 [reply_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[reply_log] returns ok } # server inner-tunnel [peap] Got tunneled reply code 2 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x20a3e5676c77a165281a401a34715be3 MS-MPPE-Recv-Key = 0xcd5b9a0f61b4689c50b6135da431ca10 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "boo" [peap] Got tunneled reply RADIUS code 2 Service-Type = Framed-User Framed-IP-Address = 192.168.182.25 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 MS-MPPE-Send-Key = 0x20a3e5676c77a165281a401a34715be3 MS-MPPE-Recv-Key = 0xcd5b9a0f61b4689c50b6135da431ca10 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "boo" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 10 to 192.168.2.88 port 34889 EAP-Message = 0x010b002b19001703010020e67ea9a01196c47891598997b944844d8f4208aadc79901497e7418404c87379 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x21564b2f295d52d1be5738f4b0d4f875 Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.2.88 port 34890, id=11, length=191 User-Name = "boo" NAS-IP-Address = 0.0.0.0 Called-Station-Id = "88-25-2C-AD-86-F2:EasyBox-AD86\000" Calling-Station-Id = "00-26-08-ED-A8-99" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x21564b2f295d52d1be5738f4b0d4f875 EAP-Message = 0x020b002b19001703010020bc0e31f31297bb2ab862ef71e87d0173d659ab263723f83f80e3ab05ef3f0f07 Message-Authenticator = 0x068a9407a2d2daef5f3e4d9763f6af35 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.2.88/auth-detail-20110428 [auth_log] expand: %t -> Thu Apr 28 16:43:42 2011 ++[auth_log] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "boo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok Login OK: [boo/<via Auth-Type = EAP>] (from client hotspotAP port 29 cli 00-26-08-ED-A8-99) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} [lowpool] Could not find Pool-Name attribute. ++[lowpool] returns noop ++[exec] returns noop Sending Access-Accept of id 11 to 192.168.2.88 port 34890 MS-MPPE-Recv-Key = 0xa9247a3f9ba78f9650cb12fe6d5e296c4a0cdda99d3a66e0e2956ebeed60438c MS-MPPE-Send-Key = 0xed10d0e4228c99f5dd75e8da1e5e94ee85960cdfc6a2c877ecce79948038a0b1 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "boo" Finished request 9. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 2 with timestamp +171 Cleaning up request 1 ID 3 with timestamp +171 Cleaning up request 2 ID 4 with timestamp +171 Cleaning up request 3 ID 5 with timestamp +171 Cleaning up request 4 ID 6 with timestamp +171 Cleaning up request 5 ID 7 with timestamp +171 Cleaning up request 6 ID 8 with timestamp +171 Cleaning up request 7 ID 9 with timestamp +171 Cleaning up request 8 ID 10 with timestamp +171 Cleaning up request 9 ID 11 with timestamp +171 Ready to process requests. ############################################### user: "boo" Cleartext-Password := "boo" Service-Type = Framed-User, Framed-IP-Address = 192.168.182.25, Fall-Through = yes "blu" Cleartext-Password := "blu" Service-Type = Framed-User, Fall-Through = yes DEFAULT Pool-Name := "lowpool" Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP Can somebody help my?? Thanks in advance -- View this message in context: http://freeradius.1045715.n5.nabble.com/IPs-will-not-be-assigned-tp4346701p4... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 28/04/11 16:00, subcode wrote:
Hi freeRadius users,
My goal is a hotspot for a coffee. My freeRadius is on Debian and the Access Point is an Vodafone WLAN Router. All Function of the Vodafone Router are disabled. Only Network Security WPA/WPA2 and Authentication: 802.1X, Server IP: 192.168.2.1, Server Port: 1812, Secret Key: testing123
If I try to authenticated with an Apple Mac, I get the access but no IP, so I don't have Internet. What I'm doing wrong ??
VLAN assignment on wireless networks is with DHCP, not Radius. The radius Framed-IP-Address attribute is not useful. You need to run a DHCP server.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
My goal is a hotspot for a coffee. My freeRadius is on Debian and the Access Point is an Vodafone WLAN Router. All Function of the Vodafone Router are disabled. Only Network Security WPA/WPA2 and Authentication: 802.1X, Server IP: 192.168.2.1, Server Port: 1812, Secret Key: testing123
If I try to authenticated with an Apple Mac, I get the access but no IP, so I don't have Internet. What I'm doing wrong ??
VLAN assignment on wireless networks is with DHCP, not Radius. The radius Framed-IP-Address attribute is not useful.
*ahem* s/VLAN/IP/ "IP assignment on...."
You need to run a DHCP server.
Indeed, do not mention though FreeRADIUS can do DHCP though ;) Cheers -- Alexander Clouter .sigmonster says: If you're not careful, you're going to catch something.
Hi Phil, thank you for your answer, but my AP don't supported vlan assignment. It's a simple Vodafone EasyBox803 Router and I use it only as Access Point. Do you know another way to make that? I describe you what i want to do. My goal is that, when some customer buy a coffee, he recive an Account with User and Password. Users are assigned to a Group with Permissions (Low, Mi, Hi). Low Permission is HTTP/s Access, Mi is Low+FTP/s+IMAP/s and Hi is all Protocols. So, Low Group should have IP-Range 192.168.1.0/24, Mi IP-Range 192.168.2.0/24 and Hi 192.168.3.0/24. For the Port Access I use the Iptables. Thank you for your help!! Kind Regards -- View this message in context: http://freeradius.1045715.n5.nabble.com/IPs-will-not-be-assigned-tp4346701p4... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Fri, Apr 29, 2011 at 7:30 PM, subcode <subcode@gmx.de> wrote:
Hi Phil, thank you for your answer, but my AP don't supported vlan assignment.
Then how were you going to enforce different security settings?
Users are assigned to a Group with Permissions (Low, Mi, Hi). Low Permission is HTTP/s Access, Mi is Low+FTP/s+IMAP/s and Hi is all Protocols. So, Low Group should have IP-Range 192.168.1.0/24, Mi IP-Range 192.168.2.0/24 and Hi 192.168.3.0/24.
You'll need vlan for that. If you don't need different security settings, you only need to have a DHCP server (some APs have that function built in). -- Fajar
On 04/29/2011 01:30 PM, subcode wrote:
Hi Phil, thank you for your answer, but my AP don't supported vlan assignment. It's a
Agh, sorry. What I meant to say was: "IP assignment on wireless networks is with DHCP, not Radius"
simple Vodafone EasyBox803 Router and I use it only as Access Point. Do you know another way to make that? I describe you what i want to do.
My goal is that, when some customer buy a coffee, he recive an Account with User and Password. Users are assigned to a Group with Permissions (Low, Mi, Hi). Low Permission is HTTP/s Access, Mi is Low+FTP/s+IMAP/s and Hi is all Protocols. So, Low Group should have IP-Range 192.168.1.0/24, Mi IP-Range 192.168.2.0/24 and Hi 192.168.3.0/24.
As above: you must use DHCP for IP assignment, and DHCP normally keys off a combination of the source network, and client ethernet address. Choices are: a. record/register the clients ethernet address (tedious and error-prone) b. when a username authenticates, extract the ethernet address and send it to the DHCP server (not easy) c. use vlan assignment; then the DHCP server just hands out IPs per-vlan (you can't do this) d. don't use IP address for filtering; instead, set the ACL in the radius reply (maybe your NAS can do this) As Alex has noted, FreeRADIUS does contain support for also being a DHCP server. You could in theory use this to achieve option b. - "sending" in this case would just involve some kind of database which both the 802.1x and DHCP bits of FreeRADIUS use. I don't know of any recipes for this however.
participants (4)
-
Alexander Clouter -
Fajar A. Nugraha -
Phil Mayers -
subcode