Freeradius reply attribute problem when using PEAP
I'm trying to get Freeradius to authenticate wireless users. AVPs don't pass when clients use PEAP even with tunneled reply on. If I force the client to TTLS it works fine, passes AVPs everyones happy. Problem is, windows android and ios all default to PEAP. Has anyone else run into this? Any help is greatly appreciated. Freeradius FreeRADIUS Version 3.0.3, for host x86_64-unknown-linux-gnu, built on Jun 6 2014 at 13:18:16 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT I have included ttls and peap settings of my eap file: ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } Installed newer freeradius from source with same result: FreeRADIUS Version 3.1.0 (git #9a810bd), for host x86_64-unknown-linux-gnu, built on Aug 8 2014 at 11:53:47 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT
Terry Kantorowski wrote:
I'm trying to get Freeradius to authenticate wireless users. AVPs don't pass when clients use PEAP even with tunneled reply on. If I force the client to TTLS it works fine, passes AVPs everyones happy. Problem is, windows android and ios all default to PEAP. Has anyone else run into this? Any help is greatly appreciated.
Please post the debug output as suggested in the FAQ, "man" page, web pages, and daily on this list.
I have included ttls and peap settings of my eap file:
None of that is important. Alan DeKok.
Per your request. I have included the debug output from freeradius. You will see that my test user "rickjames" authenticates just fine. The problem I am having is that the attribute value pairs for his group are not passed and so he never actually "connects" to the wireless network. The AVPs are missing when I try to connect with a device using PEAP, but present when I force connect with TTLS. I did not see this until I ran tcpdump. Thanks for taking the time to look at this. Ready to process requests Received Access-Request Id 114 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 212 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x0200000e017269636b6a616d6573 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0xe824864fa1e5254555ea012f1d3749a7 (0) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=114, length=212 (0) User-Name = 'rickjames' (0) Calling-Station-Id = '10-A5-D0-E9-10-D0' (0) NAS-IP-Address = NAS-INSIDE (0) NAS-Port = 98 (0) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (0) Service-Type = Framed-User (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) NAS-Identifier = '6C-AA-B3-CF-40-AD' (0) Connect-Info = 'CONNECT 802.11a/n' (0) EAP-Message = 0x0200000e017269636b6a616d6573 (0) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (0) Message-Authenticator = 0xe824864fa1e5254555ea012f1d3749a7 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) [files] = noop (0) eap : Peer sent code Response (2) ID 0 length 14 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_tls to process EAP data (0) eap_tls : Flushing SSL sessions (of #0) (0) eap_tls : Requiring client certificate (0) eap_tls : Initiate (0) eap_tls : Requiring client certificate (0) eap_tls : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8ae0dd68c (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=114, length=0 (0) EAP-Message = 0x010100060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xae0cdbe8ae0dd68c958875bba3b09eb6 Sending Access-Challenge Id 114 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8ae0dd68c958875bba3b09eb6 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 115 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 222 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020100060319 State = 0xae0cdbe8ae0dd68c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0xfdb08cc0028aeb0eea5dc5c90f48835b (1) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=115, length=222 (1) User-Name = 'rickjames' (1) Calling-Station-Id = '10-A5-D0-E9-10-D0' (1) NAS-IP-Address = NAS-INSIDE (1) NAS-Port = 98 (1) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (1) Service-Type = Framed-User (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) NAS-Identifier = '6C-AA-B3-CF-40-AD' (1) Connect-Info = 'CONNECT 802.11a/n' (1) EAP-Message = 0x020100060319 (1) State = 0xae0cdbe8ae0dd68c958875bba3b09eb6 (1) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (1) Message-Authenticator = 0xfdb08cc0028aeb0eea5dc5c90f48835b (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) [files] = noop (1) eap : Peer sent code Response (2) ID 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql : EXPAND %{User-Name} (1) sql : --> rickjames (1) sql : SQL-User-Name set to 'rickjames' rlm_sql (sql): Reserved connection (4) (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rickjames' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rickjames' ORDER BY id' (1) sql : User found in radcheck table (1) sql : EXPAND %{Packet-Src-IP-Address} (1) sql : --> NAS-OUTSIDE (1) sql : Check items matched (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rickjames' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rickjames' ORDER BY id' (1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql : --> SELECT groupname FROM radusergroup WHERE username = 'rickjames' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'rickjames' ORDER BY priority' (1) sql : User found in the group table rlm_sql (sql): Released connection (4) (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xae0cdbe8ae0dd68c (1) eap : Finished EAP session with state 0xae0cdbe8ae0dd68c (1) eap : Previous EAP request found for state 0xae0cdbe8ae0dd68c, released from the list (1) eap : Peer sent method NAK (3) (1) eap : Found mutually acceptable type PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : Initiate (1) eap_peap : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8af0ec28c (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=115, length=0 (1) EAP-Message = 0x010200061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xae0cdbe8af0ec28c958875bba3b09eb6 Sending Access-Challenge Id 115 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8af0ec28c958875bba3b09eb6 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 116 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 424 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020200d01980000000c616030100c1010000bd030153e5275783695b045513e2df6c382cb01f2383a48d64ba7aedc5023200cf1884000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 State = 0xae0cdbe8af0ec28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0xcee24249500d3790f1ed4bd248495a63 (2) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=116, length=424 (2) User-Name = 'rickjames' (2) Calling-Station-Id = '10-A5-D0-E9-10-D0' (2) NAS-IP-Address = NAS-INSIDE (2) NAS-Port = 98 (2) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (2) Service-Type = Framed-User (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) NAS-Identifier = '6C-AA-B3-CF-40-AD' (2) Connect-Info = 'CONNECT 802.11a/n' (2) EAP-Message = 0x020200d01980000000c616030100c1010000bd030153e5275783695b045513e2df6c382cb01f2383a48d64ba7aedc5023200cf1884000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 (2) State = 0xae0cdbe8af0ec28c958875bba3b09eb6 (2) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (2) Message-Authenticator = 0xcee24249500d3790f1ed4bd248495a63 (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) [files] = noop (2) eap : Peer sent code Response (2) ID 2 length 208 (2) eap : Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xae0cdbe8af0ec28c (2) eap : Finished EAP session with state 0xae0cdbe8af0ec28c (2) eap : Previous EAP request found for state 0xae0cdbe8af0ec28c, released from the list (2) eap : Peer sent method PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS TLS Length 198 (2) eap_peap : Length Included (2) eap_peap : eaptls_verify returned 11 (2) eap_peap : (other): before/accept initialization (2) eap_peap : TLS_accept: before/accept initialization (2) eap_peap : <<< TLS 1.0 Handshake [length 00c1], ClientHello (2) eap_peap : TLS_accept: SSLv3 read client hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (2) eap_peap : TLS_accept: SSLv3 write server hello A (2) eap_peap : >>> TLS 1.0 Handshake [length 0e63], Certificate (2) eap_peap : TLS_accept: SSLv3 write certificate A (2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (2) eap_peap : TLS_accept: SSLv3 write key exchange A (2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (2) eap_peap : TLS_accept: SSLv3 write server done A (2) eap_peap : TLS_accept: SSLv3 flush data (2) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8ac0fc28c (2) [eap] = handled (2) } # authenticate = handled (2) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=116, length=0 (2) EAP-Message = 0x010303ec19c00000101f1603010059020000550301b94c573538257ba6b0fc2fc7e17d7f66e4dad3c42e819142c94bb65ac98d2aa52088e265710b2fcc6e8da92f9b8207f45fe93c2488f11cbe5f958e159a5489d218c01400000dff01000100000b0004030001021603010e630b000e5f000e5c0005303082052c30820414a003020102021100b512df55e3a6f3b415e81fff9b1dcf95300d06092a864886f70d01010505003073310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643119301706035504031310506f73697469766553534c2043412032301e170d3134303830343030303030305a170d3137303830333233353935395a30613121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c69646174656431143012060355040b130b506f73697469766553534c312630240603550403131d6d616e616765642d776972656c6573732e76656c6f636974792e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c1e570a88d32cd6fe220c09da1891a02990a1c66e0b95fd5a5973ebdb0577b36594ca66c048eb08f9c5e495333d1c9e6eb390a8a43b50130 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xae0cdbe8ac0fc28c958875bba3b09eb6 Sending Access-Challenge Id 116 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010303ec19c00000101f1603010059020000550301b94c573538257ba6b0fc2fc7e17d7f66e4dad3c42e819142c94bb65ac98d2aa52088e265710b2fcc6e8da92f9b8207f45fe93c2488f11cbe5f958e159a5489d218c01400000dff01000100000b0004030001021603010e630b000e5f000e5c0005303082052c30820414a003020102021100b512df55e3a6f3b415e81fff9b1dcf95300d06092a864886f70d01010505003073310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d697465643119301706035504031310506f73697469766553534c2043412032301e170d3134303830343030303030305a170d3137303830333233353935395a30613121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c69646174656431143012060355040b130b506f73697469766553534c312630240603550403131d6d616e616765642d776972656c6573732e76656c6f636974792e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c1e570a88d32cd6fe220c09da1891a02990a1c66e0b95fd5a5973ebdb0577b36594ca66c048eb08f9c5e495333d1c9e6eb390a8a43b5013 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8ac0fc28c958875bba3b09eb6 (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 117 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 222 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020300061900 State = 0xae0cdbe8ac0fc28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x5e34d6dfd4185ebd7781adcac8fd6998 (3) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=117, length=222 (3) User-Name = 'rickjames' (3) Calling-Station-Id = '10-A5-D0-E9-10-D0' (3) NAS-IP-Address = NAS-INSIDE (3) NAS-Port = 98 (3) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (3) Service-Type = Framed-User (3) Framed-MTU = 1400 (3) NAS-Port-Type = Wireless-802.11 (3) NAS-Identifier = '6C-AA-B3-CF-40-AD' (3) Connect-Info = 'CONNECT 802.11a/n' (3) EAP-Message = 0x020300061900 (3) State = 0xae0cdbe8ac0fc28c958875bba3b09eb6 (3) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (3) Message-Authenticator = 0x5e34d6dfd4185ebd7781adcac8fd6998 (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) [files] = noop (3) eap : Peer sent code Response (2) ID 3 length 6 (3) eap : Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xae0cdbe8ac0fc28c (3) eap : Finished EAP session with state 0xae0cdbe8ac0fc28c (3) eap : Previous EAP request found for state 0xae0cdbe8ac0fc28c, released from the list (3) eap : Peer sent method PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8ad08c28c (3) [eap] = handled (3) } # authenticate = handled (3) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=117, length=0 (3) EAP-Message = 0x010403e819402b06010505073002862a687474703a2f2f6372742e636f6d6f646f63612e636f6d2f506f73697469766553534c4341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d304b0603551d1104443042821d6d616e616765642d776972656c6573732e76656c6f636974792e6e657482217777772e6d616e616765642d776972656c6573732e76656c6f636974792e6e6574300d06092a864886f70d01010505000382010100cb149d1facc1f69732e870953b090e67ea1d1ed48fd7fa76a7a98d2515abf97afa296b5f101af7bb229cc9f1fe7f095499ef514fe7f6c0fe6d6dad75a067a3c9608d0b6e155ee5ce7768d431d4166f928ac7b9218db8787a0c2b1ecfe25c0fbb7be14731be74f7ad37c5f11b383c683643e60bd609afa3e057cb71223c297799e99666363bfff3e5c10c2036197d4b9569c130b7df40bd599aa923d04fef3ab258b021129db26870e958fb6f78800ebba921f11d2daa6091f5eb9cbe33b6f1f165f69909e3f7b24b8c63d75e77a5f742a4965a5ff20fd3546e4aaaf2b53f0296fb6240e7fdf13c142dfcf410a394dd74f45082e23e9186dde1629ca70b33eb080004e9308204e5308203cda0030201020210076f124681459c28d548d697c40e001b300d06092a864886f70d0101050500306f310b30 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xae0cdbe8ad08c28c958875bba3b09eb6 Sending Access-Challenge Id 117 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010403e819402b06010505073002862a687474703a2f2f6372742e636f6d6f646f63612e636f6d2f506f73697469766553534c4341322e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d304b0603551d1104443042821d6d616e616765642d776972656c6573732e76656c6f636974792e6e657482217777772e6d616e616765642d776972656c6573732e76656c6f636974792e6e6574300d06092a864886f70d01010505000382010100cb149d1facc1f69732e870953b090e67ea1d1ed48fd7fa76a7a98d2515abf97afa296b5f101af7bb229cc9f1fe7f095499ef514fe7f6c0fe6d6dad75a067a3c9608d0b6e155ee5ce7768d431d4166f928ac7b9218db8787a0c2b1ecfe25c0fbb7be14731be74f7ad37c5f11b383c683643e60bd609afa3e057cb71223c297799e99666363bfff3e5c10c2036197d4b9569c130b7df40bd599aa923d04fef3ab258b021129db26870e958fb6f78800ebba921f11d2daa6091f5eb9cbe33b6f1f165f69909e3f7b24b8c63d75e77a5f742a4965a5ff20fd3546e4aaaf2b53f0296fb6240e7fdf13c142dfcf410a394dd74f45082e23e9186dde1629ca70b33eb080004e9308204e5308203cda0030201020210076f124681459c28d548d697c40e001b300d06092a864886f70d0101050500306f310b3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8ad08c28c958875bba3b09eb6 (3) Finished request Waking up in 0.3 seconds. Received Access-Request Id 118 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 222 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020400061900 State = 0xae0cdbe8ad08c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x454258f61b4966598c9cfc1c2cb5c893 (4) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=118, length=222 (4) User-Name = 'rickjames' (4) Calling-Station-Id = '10-A5-D0-E9-10-D0' (4) NAS-IP-Address = NAS-INSIDE (4) NAS-Port = 98 (4) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (4) Service-Type = Framed-User (4) Framed-MTU = 1400 (4) NAS-Port-Type = Wireless-802.11 (4) NAS-Identifier = '6C-AA-B3-CF-40-AD' (4) Connect-Info = 'CONNECT 802.11a/n' (4) EAP-Message = 0x020400061900 (4) State = 0xae0cdbe8ad08c28c958875bba3b09eb6 (4) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (4) Message-Authenticator = 0x454258f61b4966598c9cfc1c2cb5c893 (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (User-Name =~ /@.*@/ ) (4) if (User-Name =~ /@.*@/ ) -> FALSE (4) if (User-Name =~ /\\.\\./ ) (4) if (User-Name =~ /\\.\\./ ) -> FALSE (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (User-Name =~ /\\.$/) (4) if (User-Name =~ /\\.$/) -> FALSE (4) if (User-Name =~ /@\\./) (4) if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) [files] = noop (4) eap : Peer sent code Response (2) ID 4 length 6 (4) eap : Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xae0cdbe8ad08c28c (4) eap : Finished EAP session with state 0xae0cdbe8ad08c28c (4) eap : Previous EAP request found for state 0xae0cdbe8ad08c28c, released from the list (4) eap : Peer sent method PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8aa09c28c (4) [eap] = handled (4) } # authenticate = handled (4) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=118, length=0 (4) EAP-Message = 0x010503e81940ac8055fe2893e10a1168f452576ffe480b5b5d1a6a67739982b49e43603ec75b2a126e1aeecb39aec3359da8bc5db02fc30203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e0416041499e4405f6b145e3e05d9ddd36354fc62b8f700ac300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101009c36e34eaef18abb6c978c8f4b67d09fd884aa9f215f35a15bc42b630de8bc775da7c437fd4b2d9ee81d69a1 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0xae0cdbe8aa09c28c958875bba3b09eb6 Sending Access-Challenge Id 118 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010503e81940ac8055fe2893e10a1168f452576ffe480b5b5d1a6a67739982b49e43603ec75b2a126e1aeecb39aec3359da8bc5db02fc30203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e0416041499e4405f6b145e3e05d9ddd36354fc62b8f700ac300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101009c36e34eaef18abb6c978c8f4b67d09fd884aa9f215f35a15bc42b630de8bc775da7c437fd4b2d9ee81d69a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8aa09c28c958875bba3b09eb6 (4) Finished request Waking up in 0.2 seconds. Received Access-Request Id 119 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 222 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020500061900 State = 0xae0cdbe8aa09c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x1783afc7c643b930d840219ee56c3285 (5) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=119, length=222 (5) User-Name = 'rickjames' (5) Calling-Station-Id = '10-A5-D0-E9-10-D0' (5) NAS-IP-Address = NAS-INSIDE (5) NAS-Port = 98 (5) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (5) Service-Type = Framed-User (5) Framed-MTU = 1400 (5) NAS-Port-Type = Wireless-802.11 (5) NAS-Identifier = '6C-AA-B3-CF-40-AD' (5) Connect-Info = 'CONNECT 802.11a/n' (5) EAP-Message = 0x020500061900 (5) State = 0xae0cdbe8aa09c28c958875bba3b09eb6 (5) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (5) Message-Authenticator = 0x1783afc7c643b930d840219ee56c3285 (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (User-Name =~ /@.*@/ ) (5) if (User-Name =~ /@.*@/ ) -> FALSE (5) if (User-Name =~ /\\.\\./ ) (5) if (User-Name =~ /\\.\\./ ) -> FALSE (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (User-Name =~ /\\.$/) (5) if (User-Name =~ /\\.$/) -> FALSE (5) if (User-Name =~ /@\\./) (5) if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) [files] = noop (5) eap : Peer sent code Response (2) ID 5 length 6 (5) eap : Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xae0cdbe8aa09c28c (5) eap : Finished EAP session with state 0xae0cdbe8aa09c28c (5) eap : Previous EAP request found for state 0xae0cdbe8aa09c28c, released from the list (5) eap : Peer sent method PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS (5) eap_peap : Received TLS ACK (5) eap_peap : Received TLS ACK (5) eap_peap : ACK handshake fragment handler (5) eap_peap : eaptls_verify returned 1 (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8ab0ac28c (5) [eap] = handled (5) } # authenticate = handled (5) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=119, length=0 (5) EAP-Message = 0x010603e81940434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xae0cdbe8ab0ac28c958875bba3b09eb6 Sending Access-Challenge Id 119 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010603e81940434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b31223020060355040313194 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8ab0ac28c958875bba3b09eb6 (5) Finished request Waking up in 0.2 seconds. Received Access-Request Id 120 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 222 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020600061900 State = 0xae0cdbe8ab0ac28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x49e12bcca11dfd8d87b3df96ac5d5aed (6) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=120, length=222 (6) User-Name = 'rickjames' (6) Calling-Station-Id = '10-A5-D0-E9-10-D0' (6) NAS-IP-Address = NAS-INSIDE (6) NAS-Port = 98 (6) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (6) Service-Type = Framed-User (6) Framed-MTU = 1400 (6) NAS-Port-Type = Wireless-802.11 (6) NAS-Identifier = '6C-AA-B3-CF-40-AD' (6) Connect-Info = 'CONNECT 802.11a/n' (6) EAP-Message = 0x020600061900 (6) State = 0xae0cdbe8ab0ac28c958875bba3b09eb6 (6) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (6) Message-Authenticator = 0x49e12bcca11dfd8d87b3df96ac5d5aed (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (User-Name =~ /@.*@/ ) (6) if (User-Name =~ /@.*@/ ) -> FALSE (6) if (User-Name =~ /\\.\\./ ) (6) if (User-Name =~ /\\.\\./ ) -> FALSE (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (User-Name =~ /\\.$/) (6) if (User-Name =~ /\\.$/) -> FALSE (6) if (User-Name =~ /@\\./) (6) if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) [files] = noop (6) eap : Peer sent code Response (2) ID 6 length 6 (6) eap : Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xae0cdbe8ab0ac28c (6) eap : Finished EAP session with state 0xae0cdbe8ab0ac28c (6) eap : Previous EAP request found for state 0xae0cdbe8ab0ac28c, released from the list (6) eap : Peer sent method PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake fragment handler (6) eap_peap : eaptls_verify returned 1 (6) eap_peap : eaptls_process returned 13 (6) eap_peap : FR_TLS_HANDLED (6) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8a80bc28c (6) [eap] = handled (6) } # authenticate = handled (6) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=120, length=0 (6) EAP-Message = 0x0107009d190018dd10520caff6b3d619a15119d235ba33343d64fbd095d739426ae1d64b324cdde61151b15bc848ae8241d54f19014d0796e2b3232b87712661900d939fa1dca01a2eba47ff360642f2ce5dd0444f177a82ebc91159cb13d794ba7b6e6d824dfa08d8dada4bc802dc7f0dabf9fbc02f89eb3c6c4a5e4232caa762fc26792268c1ec54db08ccd3f0d453d73aa93016030100040e000000 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xae0cdbe8a80bc28c958875bba3b09eb6 Sending Access-Challenge Id 120 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x0107009d190018dd10520caff6b3d619a15119d235ba33343d64fbd095d739426ae1d64b324cdde61151b15bc848ae8241d54f19014d0796e2b3232b87712661900d939fa1dca01a2eba47ff360642f2ce5dd0444f177a82ebc91159cb13d794ba7b6e6d824dfa08d8dada4bc802dc7f0dabf9fbc02f89eb3c6c4a5e4232caa762fc26792268c1ec54db08ccd3f0d453d73aa93016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8a80bc28c958875bba3b09eb6 (6) Finished request Waking up in 0.2 seconds. Received Access-Request Id 121 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 360 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x0207009019800000008616030100461000004241047e5182230539b5d0808c2f4e067fcb6d1f3c5fc1affc9c64308f18103ce49c65702f36c39e92e212768351765d645b51a52924c827c3df04bf03c708b75ce4081403010001011603010030dd6896ee57c83326a0ff97e7723451f10a91c557db463989bfadfcfbe8ecbab20b206dc95823a1a658d95d762a1f7d73 State = 0xae0cdbe8a80bc28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x706bf00f09690d6dfb51a3cc92bfb2f8 (7) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=121, length=360 (7) User-Name = 'rickjames' (7) Calling-Station-Id = '10-A5-D0-E9-10-D0' (7) NAS-IP-Address = NAS-INSIDE (7) NAS-Port = 98 (7) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (7) Service-Type = Framed-User (7) Framed-MTU = 1400 (7) NAS-Port-Type = Wireless-802.11 (7) NAS-Identifier = '6C-AA-B3-CF-40-AD' (7) Connect-Info = 'CONNECT 802.11a/n' (7) EAP-Message = 0x0207009019800000008616030100461000004241047e5182230539b5d0808c2f4e067fcb6d1f3c5fc1affc9c64308f18103ce49c65702f36c39e92e212768351765d645b51a52924c827c3df04bf03c708b75ce4081403010001011603010030dd6896ee57c83326a0ff97e7723451f10a91c557db463989bfadfcfbe8ecbab20b206dc95823a1a658d95d762a1f7d73 (7) State = 0xae0cdbe8a80bc28c958875bba3b09eb6 (7) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (7) Message-Authenticator = 0x706bf00f09690d6dfb51a3cc92bfb2f8 (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (User-Name =~ /@.*@/ ) (7) if (User-Name =~ /@.*@/ ) -> FALSE (7) if (User-Name =~ /\\.\\./ ) (7) if (User-Name =~ /\\.\\./ ) -> FALSE (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (User-Name =~ /\\.$/) (7) if (User-Name =~ /\\.$/) -> FALSE (7) if (User-Name =~ /@\\./) (7) if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) [files] = noop (7) eap : Peer sent code Response (2) ID 7 length 144 (7) eap : Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xae0cdbe8a80bc28c (7) eap : Finished EAP session with state 0xae0cdbe8a80bc28c (7) eap : Previous EAP request found for state 0xae0cdbe8a80bc28c, released from the list (7) eap : Peer sent method PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS TLS Length 134 (7) eap_peap : Length Included (7) eap_peap : eaptls_verify returned 11 (7) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (7) eap_peap : TLS_accept: SSLv3 read client key exchange A (7) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (7) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (7) eap_peap : TLS_accept: SSLv3 read finished A (7) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (7) eap_peap : TLS_accept: SSLv3 write change cipher spec A (7) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (7) eap_peap : TLS_accept: SSLv3 write finished A (7) eap_peap : TLS_accept: SSLv3 flush data SSL: Adding session 88e265710b2fcc6e8da92f9b8207f45fe93c2488f11cbe5f958e159a5489d218 to cache (7) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (7) eap_peap : eaptls_process returned 13 (7) eap_peap : FR_TLS_HANDLED (7) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8a904c28c (7) [eap] = handled (7) } # authenticate = handled (7) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=121, length=0 (7) EAP-Message = 0x01080041190014030100010116030100304fd4b31abc34b15a847f60e94c08ab9689ad51c5f543396910aea0b5f691acc0c1c9ee30f10d249be8205b284502e59b (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xae0cdbe8a904c28c958875bba3b09eb6 Sending Access-Challenge Id 121 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x01080041190014030100010116030100304fd4b31abc34b15a847f60e94c08ab9689ad51c5f543396910aea0b5f691acc0c1c9ee30f10d249be8205b284502e59b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8a904c28c958875bba3b09eb6 (7) Finished request Waking up in 0.2 seconds. Received Access-Request Id 122 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 222 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020800061900 State = 0xae0cdbe8a904c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0xc7f85f7148cf63cce5a62dbde2249872 (8) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=122, length=222 (8) User-Name = 'rickjames' (8) Calling-Station-Id = '10-A5-D0-E9-10-D0' (8) NAS-IP-Address = NAS-INSIDE (8) NAS-Port = 98 (8) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (8) Service-Type = Framed-User (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) NAS-Identifier = '6C-AA-B3-CF-40-AD' (8) Connect-Info = 'CONNECT 802.11a/n' (8) EAP-Message = 0x020800061900 (8) State = 0xae0cdbe8a904c28c958875bba3b09eb6 (8) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (8) Message-Authenticator = 0xc7f85f7148cf63cce5a62dbde2249872 (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (User-Name =~ /@.*@/ ) (8) if (User-Name =~ /@.*@/ ) -> FALSE (8) if (User-Name =~ /\\.\\./ ) (8) if (User-Name =~ /\\.\\./ ) -> FALSE (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (User-Name =~ /\\.$/) (8) if (User-Name =~ /\\.$/) -> FALSE (8) if (User-Name =~ /@\\./) (8) if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) [files] = noop (8) eap : Peer sent code Response (2) ID 8 length 6 (8) eap : Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0xae0cdbe8a904c28c (8) eap : Finished EAP session with state 0xae0cdbe8a904c28c (8) eap : Previous EAP request found for state 0xae0cdbe8a904c28c, released from the list (8) eap : Peer sent method PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : Received TLS ACK (8) eap_peap : Received TLS ACK (8) eap_peap : ACK handshake is finished (8) eap_peap : eaptls_verify returned 3 (8) eap_peap : eaptls_process returned 3 (8) eap_peap : FR_TLS_SUCCESS (8) eap_peap : Session established. Decoding tunneled attributes (8) eap_peap : Peap state TUNNEL ESTABLISHED (8) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8a605c28c (8) [eap] = handled (8) } # authenticate = handled (8) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=122, length=0 (8) EAP-Message = 0x0109002b19001703010020f6929543ede2bc99d218d37fdeefccbc27504c46c06581d970af81cb1af394b1 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xae0cdbe8a605c28c958875bba3b09eb6 Sending Access-Challenge Id 122 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x0109002b19001703010020f6929543ede2bc99d218d37fdeefccbc27504c46c06581d970af81cb1af394b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8a605c28c958875bba3b09eb6 (8) Finished request Waking up in 0.2 seconds. Received Access-Request Id 123 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 296 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x0209005019001703010020430d54849046f35cef9b0557ae69d197ee306a6a67173b87f6efc115ee3272ad1703010020261c75feecc7b94db0d95b9c6ab6a104fbc66e43252a0391c9e7fefa81db83fc State = 0xae0cdbe8a605c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x26047dd54e1ab908a842c670d8c5ff1f (9) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=123, length=296 (9) User-Name = 'rickjames' (9) Calling-Station-Id = '10-A5-D0-E9-10-D0' (9) NAS-IP-Address = NAS-INSIDE (9) NAS-Port = 98 (9) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (9) Service-Type = Framed-User (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) NAS-Identifier = '6C-AA-B3-CF-40-AD' (9) Connect-Info = 'CONNECT 802.11a/n' (9) EAP-Message = 0x0209005019001703010020430d54849046f35cef9b0557ae69d197ee306a6a67173b87f6efc115ee3272ad1703010020261c75feecc7b94db0d95b9c6ab6a104fbc66e43252a0391c9e7fefa81db83fc (9) State = 0xae0cdbe8a605c28c958875bba3b09eb6 (9) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (9) Message-Authenticator = 0x26047dd54e1ab908a842c670d8c5ff1f (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (User-Name =~ /@.*@/ ) (9) if (User-Name =~ /@.*@/ ) -> FALSE (9) if (User-Name =~ /\\.\\./ ) (9) if (User-Name =~ /\\.\\./ ) -> FALSE (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (User-Name =~ /\\.$/) (9) if (User-Name =~ /\\.$/) -> FALSE (9) if (User-Name =~ /@\\./) (9) if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) [files] = noop (9) eap : Peer sent code Response (2) ID 9 length 80 (9) eap : Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0xae0cdbe8a605c28c (9) eap : Finished EAP session with state 0xae0cdbe8a605c28c (9) eap : Previous EAP request found for state 0xae0cdbe8a605c28c, released from the list (9) eap : Peer sent method PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes (9) eap_peap : Peap state WAITING FOR INNER IDENTITY (9) eap_peap : Identity - rickjames (9) eap_peap : Got inner identity 'rickjames' (9) eap_peap : Setting default EAP type for tunneled EAP session (9) eap_peap : Got tunneled request EAP-Message = 0x0209000e017269636b6a616d6573 server default { (9) eap_peap : Setting User-Name to rickjames Sending tunneled request EAP-Message = 0x0209000e017269636b6a616d6573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 server inner-tunnel { (9) server inner-tunnel { (9) Request: EAP-Message = 0x0209000e017269636b6a616d6573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : Peer sent code Response (2) ID 9 length 14 (9) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Peer sent method Identity (1) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : Issuing Challenge (9) eap : New EAP session, adding 'State' attribute to reply 0x01cb1c3201c1063c (9) [eap] = handled (9) } # authenticate = handled (9) Reply: EAP-Message = 0x010a00231a010a001e10b7e9bd1bb24a40606bfa0bf5dc26249e7269636b6a616d6573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01cb1c3201c1063c2648c1312ac5cc01 (9) } # server inner-tunnel } # server inner-tunnel (9) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010a00231a010a001e10b7e9bd1bb24a40606bfa0bf5dc26249e7269636b6a616d6573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01cb1c3201c1063c2648c1312ac5cc01 (9) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00231a010a001e10b7e9bd1bb24a40606bfa0bf5dc26249e7269636b6a616d6573 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01cb1c3201c1063c2648c1312ac5cc01 (9) eap_peap : Got tunneled Access-Challenge (9) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8a706c28c (9) [eap] = handled (9) } # authenticate = handled (9) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=123, length=0 (9) EAP-Message = 0x010a004b19001703010040fd5359d7d6395396fd049586ff8f845eb8aca3488d091b0831afa26d56ea9d601b8b07ab142c91d7d2595b8651a105d2c408f0ef33d246ee35c56cc43eb90ec7 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0xae0cdbe8a706c28c958875bba3b09eb6 Sending Access-Challenge Id 123 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010a004b19001703010040fd5359d7d6395396fd049586ff8f845eb8aca3488d091b0831afa26d56ea9d601b8b07ab142c91d7d2595b8651a105d2c408f0ef33d246ee35c56cc43eb90ec7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8a706c28c958875bba3b09eb6 (9) Finished request Waking up in 0.2 seconds. Received Access-Request Id 124 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 360 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020a0090190017030100201aa6358da53edc930acce6c65924b3fa8321f5aec635b9a26b6eef18e405db6c1703010060ae82b5dde8f2ea4f8086e036941ad7335d46f31158852f63fd756380740d480ceea6b4a185b1111b30fa7e5b2d96bf42253a909e1c67b9d2ae0e5585c8517beb5a548f706f382dfe995ab2f95c123e319995f83b694e3c82a5b57b2a50624cef State = 0xae0cdbe8a706c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x40813d44ad350c94cf160632183580bb (10) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=124, length=360 (10) User-Name = 'rickjames' (10) Calling-Station-Id = '10-A5-D0-E9-10-D0' (10) NAS-IP-Address = NAS-INSIDE (10) NAS-Port = 98 (10) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (10) Service-Type = Framed-User (10) Framed-MTU = 1400 (10) NAS-Port-Type = Wireless-802.11 (10) NAS-Identifier = '6C-AA-B3-CF-40-AD' (10) Connect-Info = 'CONNECT 802.11a/n' (10) EAP-Message = 0x020a0090190017030100201aa6358da53edc930acce6c65924b3fa8321f5aec635b9a26b6eef18e405db6c1703010060ae82b5dde8f2ea4f8086e036941ad7335d46f31158852f63fd756380740d480ceea6b4a185b1111b30fa7e5b2d96bf42253a909e1c67b9d2ae0e5585c8517beb5a548f706f382dfe995ab2f95c123e319995f83b694e3c82a5b57b2a50624cef (10) State = 0xae0cdbe8a706c28c958875bba3b09eb6 (10) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (10) Message-Authenticator = 0x40813d44ad350c94cf160632183580bb (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (User-Name =~ /@.*@/ ) (10) if (User-Name =~ /@.*@/ ) -> FALSE (10) if (User-Name =~ /\\.\\./ ) (10) if (User-Name =~ /\\.\\./ ) -> FALSE (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (10) if (User-Name =~ /\\.$/) (10) if (User-Name =~ /\\.$/) -> FALSE (10) if (User-Name =~ /@\\./) (10) if (User-Name =~ /@\\./) -> FALSE (10) } # filter_username filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) [files] = noop (10) eap : Peer sent code Response (2) ID 10 length 144 (10) eap : Continuing tunnel setup (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap : Expiring EAP session with state 0x01cb1c3201c1063c (10) eap : Finished EAP session with state 0xae0cdbe8a706c28c (10) eap : Previous EAP request found for state 0xae0cdbe8a706c28c, released from the list (10) eap : Peer sent method PEAP (25) (10) eap : EAP PEAP (25) (10) eap : Calling eap_peap to process EAP data (10) eap_peap : processing EAP-TLS (10) eap_peap : eaptls_verify returned 7 (10) eap_peap : Done initial handshake (10) eap_peap : eaptls_process returned 7 (10) eap_peap : FR_TLS_OK (10) eap_peap : Session established. Decoding tunneled attributes (10) eap_peap : Peap state phase2 (10) eap_peap : EAP type MSCHAPv2 (26) (10) eap_peap : Got tunneled request EAP-Message = 0x020a00441a020a003f31411b2a6c0dc0f9c40bb19b13aa8a5cb300000000000000003f711ae300e431d18cda62db72c308531fa1d8d2e18db063007269636b6a616d6573 server default { (10) eap_peap : Setting User-Name to rickjames Sending tunneled request EAP-Message = 0x020a00441a020a003f31411b2a6c0dc0f9c40bb19b13aa8a5cb300000000000000003f711ae300e431d18cda62db72c308531fa1d8d2e18db063007269636b6a616d6573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'rickjames' State = 0x01cb1c3201c1063c2648c1312ac5cc01 Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 server inner-tunnel { (10) server inner-tunnel { (10) Request: EAP-Message = 0x020a00441a020a003f31411b2a6c0dc0f9c40bb19b13aa8a5cb300000000000000003f711ae300e431d18cda62db72c308531fa1d8d2e18db063007269636b6a616d6573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'rickjames' State = 0x01cb1c3201c1063c2648c1312ac5cc01 Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (10) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (10) authorize { (10) [chap] = noop (10) [mschap] = noop (10) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (10) suffix : No such realm "NULL" (10) [suffix] = noop (10) update control { (10) Proxy-To-Realm := 'LOCAL' (10) } # update control = noop (10) eap : Peer sent code Response (2) ID 10 length 68 (10) eap : No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [files] = noop (10) sql : EXPAND %{User-Name} (10) sql : --> rickjames (10) sql : SQL-User-Name set to 'rickjames' rlm_sql (sql): Reserved connection (4) (10) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (10) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rickjames' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rickjames' ORDER BY id' (10) sql : User found in radcheck table (10) sql : EXPAND %{Packet-Src-IP-Address} (10) sql : --> NAS-OUTSIDE (10) sql : Check items matched (10) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (10) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rickjames' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rickjames' ORDER BY id' (10) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (10) sql : --> SELECT groupname FROM radusergroup WHERE username = 'rickjames' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'rickjames' ORDER BY priority' (10) sql : User found in the group table rlm_sql (sql): Released connection (4) (10) [sql] = ok (10) [expiration] = noop (10) [logintime] = noop (10) WARNING: pap : Auth-Type already set. Not setting to PAP (10) [pap] = noop (10) } # authorize = updated (10) Found Auth-Type = EAP (10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (10) authenticate { (10) eap : Expiring EAP session with state 0x01cb1c3201c1063c (10) eap : Finished EAP session with state 0x01cb1c3201c1063c (10) eap : Previous EAP request found for state 0x01cb1c3201c1063c, released from the list (10) eap : Peer sent method MSCHAPv2 (26) (10) eap : EAP MSCHAPv2 (26) (10) eap : Calling eap_mschapv2 to process EAP data (10) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (10) eap_mschapv2 : Auth-Type MS-CHAP { (10) mschap : Found Cleartext-Password, hashing to create LM-Password (10) mschap : Found Cleartext-Password, hashing to create NT-Password (10) mschap : Creating challenge hash with username: rickjames (10) mschap : Client is using MS-CHAPv2 (10) mschap : Adding MS-CHAPv2 MPPE keys (10) [mschap] = ok (10) } # Auth-Type MS-CHAP = ok MSCHAP Success (10) eap : New EAP session, adding 'State' attribute to reply 0x01cb1c3200c0063c (10) [eap] = handled (10) } # authenticate = handled (10) Reply: EAP-Message = 0x010b00331a030a002e533d42453341453638384230463333323338363937464634393743344330383337303646413330414135 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01cb1c3200c0063c2648c1312ac5cc01 (10) } # server inner-tunnel } # server inner-tunnel (10) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d42453341453638384230463333323338363937464634393743344330383337303646413330414135 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01cb1c3200c0063c2648c1312ac5cc01 (10) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d42453341453638384230463333323338363937464634393743344330383337303646413330414135 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01cb1c3200c0063c2648c1312ac5cc01 (10) eap_peap : Got tunneled Access-Challenge (10) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8a407c28c (10) [eap] = handled (10) } # authenticate = handled (10) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=124, length=0 (10) EAP-Message = 0x010b005b19001703010050680be7c5963a403a5a2362116e026992c0454c1bf3402b27e9d58fed56e939dba078f074595694089222ae5ac0d2d213133a9fd8dbb7556a8c7d57f625d4d8d4b9ecace2ee1acd2ce7544a2734d44859 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0xae0cdbe8a407c28c958875bba3b09eb6 Sending Access-Challenge Id 124 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010b005b19001703010050680be7c5963a403a5a2362116e026992c0454c1bf3402b27e9d58fed56e939dba078f074595694089222ae5ac0d2d213133a9fd8dbb7556a8c7d57f625d4d8d4b9ecace2ee1acd2ce7544a2734d44859 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8a407c28c958875bba3b09eb6 (10) Finished request Waking up in 0.2 seconds. Received Access-Request Id 125 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 296 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020b0050190017030100200488bd92060d7fab702ef70978708003783a1346f3c3f92274bfc85c394a265517030100208f06ac6ff02529377b283063be08be7318cdedb3fea50fb8a5e3d1120b73ab31 State = 0xae0cdbe8a407c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x5e3da040ad71f3d18292e84e675c8f87 (11) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=125, length=296 (11) User-Name = 'rickjames' (11) Calling-Station-Id = '10-A5-D0-E9-10-D0' (11) NAS-IP-Address = NAS-INSIDE (11) NAS-Port = 98 (11) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (11) Service-Type = Framed-User (11) Framed-MTU = 1400 (11) NAS-Port-Type = Wireless-802.11 (11) NAS-Identifier = '6C-AA-B3-CF-40-AD' (11) Connect-Info = 'CONNECT 802.11a/n' (11) EAP-Message = 0x020b0050190017030100200488bd92060d7fab702ef70978708003783a1346f3c3f92274bfc85c394a265517030100208f06ac6ff02529377b283063be08be7318cdedb3fea50fb8a5e3d1120b73ab31 (11) State = 0xae0cdbe8a407c28c958875bba3b09eb6 (11) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (11) Message-Authenticator = 0x5e3da040ad71f3d18292e84e675c8f87 (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) filter_username filter_username { (11) if (User-Name =~ /@.*@/ ) (11) if (User-Name =~ /@.*@/ ) -> FALSE (11) if (User-Name =~ /\\.\\./ ) (11) if (User-Name =~ /\\.\\./ ) -> FALSE (11) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (11) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (11) if (User-Name =~ /\\.$/) (11) if (User-Name =~ /\\.$/) -> FALSE (11) if (User-Name =~ /@\\./) (11) if (User-Name =~ /@\\./) -> FALSE (11) } # filter_username filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (11) suffix : No such realm "NULL" (11) [suffix] = noop (11) [files] = noop (11) eap : Peer sent code Response (2) ID 11 length 80 (11) eap : Continuing tunnel setup (11) [eap] = ok (11) } # authorize = ok (11) Found Auth-Type = EAP (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap : Expiring EAP session with state 0x01cb1c3200c0063c (11) eap : Finished EAP session with state 0xae0cdbe8a407c28c (11) eap : Previous EAP request found for state 0xae0cdbe8a407c28c, released from the list (11) eap : Peer sent method PEAP (25) (11) eap : EAP PEAP (25) (11) eap : Calling eap_peap to process EAP data (11) eap_peap : processing EAP-TLS (11) eap_peap : eaptls_verify returned 7 (11) eap_peap : Done initial handshake (11) eap_peap : eaptls_process returned 7 (11) eap_peap : FR_TLS_OK (11) eap_peap : Session established. Decoding tunneled attributes (11) eap_peap : Peap state phase2 (11) eap_peap : EAP type MSCHAPv2 (26) (11) eap_peap : Got tunneled request EAP-Message = 0x020b00061a03 server default { (11) eap_peap : Setting User-Name to rickjames Sending tunneled request EAP-Message = 0x020b00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'rickjames' State = 0x01cb1c3200c0063c2648c1312ac5cc01 Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 server inner-tunnel { (11) server inner-tunnel { (11) Request: EAP-Message = 0x020b00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'rickjames' State = 0x01cb1c3200c0063c2648c1312ac5cc01 Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (11) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (11) authorize { (11) [chap] = noop (11) [mschap] = noop (11) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (11) suffix : No such realm "NULL" (11) [suffix] = noop (11) update control { (11) Proxy-To-Realm := 'LOCAL' (11) } # update control = noop (11) eap : Peer sent code Response (2) ID 11 length 6 (11) eap : No EAP Start, assuming it's an on-going EAP conversation (11) [eap] = updated (11) [files] = noop (11) sql : EXPAND %{User-Name} (11) sql : --> rickjames (11) sql : SQL-User-Name set to 'rickjames' rlm_sql (sql): Reserved connection (4) (11) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (11) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rickjames' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'rickjames' ORDER BY id' (11) sql : User found in radcheck table (11) sql : EXPAND %{Packet-Src-IP-Address} (11) sql : --> NAS-OUTSIDE (11) sql : Check items matched (11) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (11) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rickjames' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'rickjames' ORDER BY id' (11) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (11) sql : --> SELECT groupname FROM radusergroup WHERE username = 'rickjames' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'rickjames' ORDER BY priority' (11) sql : User found in the group table rlm_sql (sql): Released connection (4) (11) [sql] = ok (11) [expiration] = noop (11) [logintime] = noop (11) WARNING: pap : Auth-Type already set. Not setting to PAP (11) [pap] = noop (11) } # authorize = updated (11) Found Auth-Type = EAP (11) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (11) authenticate { (11) eap : Expiring EAP session with state 0x01cb1c3200c0063c (11) eap : Finished EAP session with state 0x01cb1c3200c0063c (11) eap : Previous EAP request found for state 0x01cb1c3200c0063c, released from the list (11) eap : Peer sent method MSCHAPv2 (26) (11) eap : EAP MSCHAPv2 (26) (11) eap : Calling eap_mschapv2 to process EAP data (11) eap : Freeing handler (11) [eap] = ok (11) } # authenticate = ok (11) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (11) post-auth { (11) sql : EXPAND .query (11) sql : --> .query (11) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (11) sql : EXPAND %{User-Name} (11) sql : --> rickjames (11) sql : SQL-User-Name set to 'rickjames' (11) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (11) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rickjames', '', 'Access-Accept', '2014-08-08 15:39:12') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rickjames', '', 'Access-Accept', '2014-08-08 15:39:12')' rlm_sql (sql): Released connection (4) (11) [sql] = ok (11) } # post-auth = ok (11) Reply: MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2 MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'rickjames' (11) } # server inner-tunnel } # server inner-tunnel (11) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2 MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'rickjames' (11) eap_peap : Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2 MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'rickjames' (11) eap_peap : Tunneled authentication was successful (11) eap_peap : SUCCESS (11) eap_peap : Saving tunneled attributes for later (11) eap : New EAP session, adding 'State' attribute to reply 0xae0cdbe8a500c28c (11) [eap] = handled (11) } # authenticate = handled (11) Sending Access-Challenge packet to host NAS-OUTSIDE port 30713, id=125, length=0 (11) EAP-Message = 0x010c002b1900170301002056922e2b8a6eb48b269ae59add908b45c42b46f397e3714d6ecc268d0be4712c (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0xae0cdbe8a500c28c958875bba3b09eb6 Sending Access-Challenge Id 125 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 EAP-Message = 0x010c002b1900170301002056922e2b8a6eb48b269ae59add908b45c42b46f397e3714d6ecc268d0be4712c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xae0cdbe8a500c28c958875bba3b09eb6 (11) Finished request Waking up in 0.2 seconds. Received Access-Request Id 126 from NAS-OUTSIDE:30713 to RADIUS-SERVER:1812 length 296 User-Name = 'rickjames' Calling-Station-Id = '10-A5-D0-E9-10-D0' NAS-IP-Address = NAS-INSIDE NAS-Port = 98 Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 NAS-Identifier = '6C-AA-B3-CF-40-AD' Connect-Info = 'CONNECT 802.11a/n' EAP-Message = 0x020c0050190017030100203c1ed40a848c69a42d79c362202418abe665c4bc6633d0bb6b990c9d3bb99a881703010020663c8bdeb71859e38e5f6a45249c04efdfab4eba71c8e70f5f17ff7003f9a15a State = 0xae0cdbe8a500c28c958875bba3b09eb6 Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 Message-Authenticator = 0x6d28ef3b08f29987cefab55995b259a4 (12) Received Access-Request packet from host NAS-OUTSIDE port 30713, id=126, length=296 (12) User-Name = 'rickjames' (12) Calling-Station-Id = '10-A5-D0-E9-10-D0' (12) NAS-IP-Address = NAS-INSIDE (12) NAS-Port = 98 (12) Called-Station-Id = '6C-AA-B3-CF-40-AD:test-eap-radius1' (12) Service-Type = Framed-User (12) Framed-MTU = 1400 (12) NAS-Port-Type = Wireless-802.11 (12) NAS-Identifier = '6C-AA-B3-CF-40-AD' (12) Connect-Info = 'CONNECT 802.11a/n' (12) EAP-Message = 0x020c0050190017030100203c1ed40a848c69a42d79c362202418abe665c4bc6633d0bb6b990c9d3bb99a881703010020663c8bdeb71859e38e5f6a45249c04efdfab4eba71c8e70f5f17ff7003f9a15a (12) State = 0xae0cdbe8a500c28c958875bba3b09eb6 (12) Attr-26 = 0x000061dd0312746573742d6561702d72616469757331 (12) Message-Authenticator = 0x6d28ef3b08f29987cefab55995b259a4 (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) filter_username filter_username { (12) if (User-Name =~ /@.*@/ ) (12) if (User-Name =~ /@.*@/ ) -> FALSE (12) if (User-Name =~ /\\.\\./ ) (12) if (User-Name =~ /\\.\\./ ) -> FALSE (12) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (12) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (12) if (User-Name =~ /\\.$/) (12) if (User-Name =~ /\\.$/) -> FALSE (12) if (User-Name =~ /@\\./) (12) if (User-Name =~ /@\\./) -> FALSE (12) } # filter_username filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix : No '@' in User-Name = "rickjames", looking up realm NULL (12) suffix : No such realm "NULL" (12) [suffix] = noop (12) [files] = noop (12) eap : Peer sent code Response (2) ID 12 length 80 (12) eap : Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = EAP (12) # Executing group from file /etc/raddb/sites-enabled/default (12) authenticate { (12) eap : Expiring EAP session with state 0xae0cdbe8a500c28c (12) eap : Finished EAP session with state 0xae0cdbe8a500c28c (12) eap : Previous EAP request found for state 0xae0cdbe8a500c28c, released from the list (12) eap : Peer sent method PEAP (25) (12) eap : EAP PEAP (25) (12) eap : Calling eap_peap to process EAP data (12) eap_peap : processing EAP-TLS (12) eap_peap : eaptls_verify returned 7 (12) eap_peap : Done initial handshake (12) eap_peap : eaptls_process returned 7 (12) eap_peap : FR_TLS_OK (12) eap_peap : Session established. Decoding tunneled attributes (12) eap_peap : Peap state send tlv success (12) eap_peap : Received EAP-TLV response (12) eap_peap : Success (12) eap_peap : Using saved attributes from the original Access-Accept User-Name = 'rickjames' (12) eap_peap : Saving session 88e265710b2fcc6e8da92f9b8207f45fe93c2488f11cbe5f958e159a5489d218 vps 0x17daa20 in the cache (12) eap : Freeing handler (12) [eap] = ok (12) } # authenticate = ok (12) # Executing section post-auth from file /etc/raddb/sites-enabled/default (12) post-auth { (12) sql : EXPAND .query (12) sql : --> .query (12) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (12) sql : EXPAND %{User-Name} (12) sql : --> rickjames (12) sql : SQL-User-Name set to 'rickjames' (12) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (12) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rickjames', '', 'Access-Accept', '2014-08-08 15:39:12') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'rickjames', '', 'Access-Accept', '2014-08-08 15:39:12')' rlm_sql (sql): Released connection (4) (12) [sql] = ok (12) [exec] = noop (12) remove_reply_message_if_eap remove_reply_message_if_eap { (12) if (reply:EAP-Message && reply:Reply-Message) (12) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (12) else else { (12) [noop] = noop (12) } # else else = noop (12) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (12) } # post-auth = ok (12) Sending Access-Accept packet to host NAS-OUTSIDE port 30713, id=126, length=0 (12) User-Name = 'rickjames' (12) MS-MPPE-Recv-Key = 0x95a29eb8e7e7473a50ca0d2619dd07ef50e81de3f96bc8591b55916e38de5901 (12) MS-MPPE-Send-Key = 0x669171259bcd630681b4e1b9e4fb7d78ee8c764690be69c3bca200ff83407a20 (12) EAP-MSK = 0x95a29eb8e7e7473a50ca0d2619dd07ef50e81de3f96bc8591b55916e38de5901669171259bcd630681b4e1b9e4fb7d78ee8c764690be69c3bca200ff83407a20 (12) EAP-EMSK = 0x66d63feee81881b28fdc9237a17ecbbb155aa665c4d86f2bcb897466560cc914d0cb78bfc3ecf5a3e1f2578d56a20eb6fbfb19688b4fdc91aa60b9579f767d3c (12) EAP-Session-Id = 0x1953e5275783695b045513e2df6c382cb01f2383a48d64ba7aedc5023200cf1884b94c573538257ba6b0fc2fc7e17d7f66e4dad3c42e819142c94bb65ac98d2aa5 (12) EAP-Message = 0x030c0004 (12) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Accept Id 126 from RADIUS-SERVER:1812 to NAS-OUTSIDE:30713 User-Name = 'rickjames' MS-MPPE-Recv-Key = 0x95a29eb8e7e7473a50ca0d2619dd07ef50e81de3f96bc8591b55916e38de5901 MS-MPPE-Send-Key = 0x669171259bcd630681b4e1b9e4fb7d78ee8c764690be69c3bca200ff83407a20 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 (12) Finished request Waking up in 0.2 seconds. Waking up in 4.5 seconds. (0) Cleaning up request packet ID 114 with timestamp +18 (1) Cleaning up request packet ID 115 with timestamp +18 (2) Cleaning up request packet ID 116 with timestamp +18 (3) Cleaning up request packet ID 117 with timestamp +18 (4) Cleaning up request packet ID 118 with timestamp +18 (5) Cleaning up request packet ID 119 with timestamp +18 (6) Cleaning up request packet ID 120 with timestamp +18 (7) Cleaning up request packet ID 121 with timestamp +19 (8) Cleaning up request packet ID 122 with timestamp +19 (9) Cleaning up request packet ID 123 with timestamp +19 (10) Cleaning up request packet ID 124 with timestamp +19 (11) Cleaning up request packet ID 125 with timestamp +19 (12) Cleaning up request packet ID 126 with timestamp +19 Ready to process requests On Fri, Aug 8, 2014 at 3:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
Terry Kantorowski wrote:
I'm trying to get Freeradius to authenticate wireless users. AVPs don't pass when clients use PEAP even with tunneled reply on. If I force the client to TTLS it works fine, passes AVPs everyones happy. Problem is, windows android and ios all default to PEAP. Has anyone else run into this? Any help is greatly appreciated.
Please post the debug output as suggested in the FAQ, "man" page, web pages, and daily on this list.
I have included ttls and peap settings of my eap file:
None of that is important.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Terry Kantorowski terry.kantorowski@gmail.com 814-397-4724
attribute values for his group? where are you storing the details....and how are you feeding them into the system? you say it works for EAP-TTLS? if so,have you looked at the output of THAT and compared/contrasted? alan
Terry Kantorowski wrote:
Per your request. I have included the debug output from freeradius. You will see that my test user "rickjames" authenticates just fine. The problem I am having is that the attribute value pairs for his group are not passed and so he never actually "connects" to the wireless network. The AVPs are missing when I try to connect with a device using PEAP, but present when I force connect with TTLS. I did not see this until I ran tcpdump.
Which is why all of the documentation tells you to run the server in debugging mode, and to read the output.
Thanks for taking the time to look at this.
It should be pretty clear from the output. There's a lot of it, but reading it is simple.
(11) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2 MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'rickjames'
So... no authorization attributes are in the tunnel. Fix that. Alan DeKok.
Hello, I'm helping Terry out with this issue. Apologies if this doesn't thread correctly as I wasn't subscribed to the list during the original email thread and Terry is not available. On Tue, 2014-08-12 at 10:56 -0400, Alan DeKok wrote:
Terry Kantorowski wrote:
Per your request. I have included the debug output from freeradius. You will see that my test user "rickjames" authenticates just fine. The problem I am having is that the attribute value pairs for his group are not passed and so he never actually "connects" to the wireless network. The AVPs are missing when I try to connect with a device using PEAP, but present when I force connect with TTLS. I did not see this until I ran tcpdump.
Which is why all of the documentation tells you to run the server in debugging mode, and to read the output.
I've gone through the logs but cannot find the issue that is causing the attributes not to pass. The Ruckus-Role attribute is found throughout the whole log up until line ~1432 of ttls6.log and ~1761 of peap6.log. Also of note is line 1508-1509 of ttls6.log: (9) eap_ttls : Using saved attributes from the original Access-Accept Ruckus-Role = 'TestSite-Premium' And 1849-1850 of peap6.log: (12) eap_peap : Using saved attributes from the original Access-Accept User-Name = 'rickjames' Both logs are available here: http://dale.us/temp/peap6.log http://dale.us/temp/ttls6.log
It should be pretty clear from the output. There's a lot of it, but reading it is simple.
(11) eap_peap : Got tunneled reply code 2 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2 MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3 EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'rickjames'
So... no authorization attributes are in the tunnel.
Fix that.
Agreed. I am seeing this on the new debug files as well. Does PEAP require a different inner-tunnel than TTLS does? At the moment they are both using the same default inner-tunnel. Thanks, Dale
Dale Blount wrote:
I've gone through the logs but cannot find the issue that is causing the attributes not to pass. The Ruckus-Role attribute is found throughout the whole log up until line ~1432 of ttls6.log and ~1761 of peap6.log.
Also of note is line 1508-1509 of ttls6.log: (9) eap_ttls : Using saved attributes from the original Access-Accept Ruckus-Role = 'TestSite-Premium'
i.e. there are NO other attributes sent by the inner-tunnel in the Access-Accept. So of *course* nothing more gets sent back to the NAS.
And 1849-1850 of peap6.log: (12) eap_peap : Using saved attributes from the original Access-Accept User-Name = 'rickjames'
The same applies here.
Does PEAP require a different inner-tunnel than TTLS does? At the moment they are both using the same default inner-tunnel.
They're using the same inner tunnel. There's no magic here. Everything is in the debug log. If the replies are different, it's because the server does *different* things in the inner-tunnel. And if you read it, it does. Stop trying to debug the entire EAP thing. It's a waste of your time. Debug the inner-tunnel, as I said. See the comments at the top of the inner-tunnel file (in recent versions) Alan DeKok.
On Tue, 2014-08-12 at 18:36 +0200, Alan DeKok wrote:
Does PEAP require a different inner-tunnel than TTLS does? At the moment they are both using the same default inner-tunnel.
They're using the same inner tunnel.
There's no magic here. Everything is in the debug log. If the replies are different, it's because the server does *different* things in the inner-tunnel. And if you read it, it does.
Stop trying to debug the entire EAP thing. It's a waste of your time. Debug the inner-tunnel, as I said. See the comments at the top of the inner-tunnel file (in recent versions)
I've already debugged the inner-tunnel using the radtest commands in the top of the inner-tunnel file. They both work and pass the Ruckus-Role just fine: $ radtest rickjames XXXX 127.0.0.1:18120 0 ZZZZ SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp Sending Access-Request Id 141 from 0.0.0.0:33424 to 127.0.0.1:18120 User-Name = 'rickjames' User-Password = 'test1234' NAS-IP-Address = 192.168.211.189 NAS-Port = 0 Message-Authenticator = 0x00 Framed-Protocol = PPP Received Access-Accept Id 141 from 127.0.0.1:18120 to 127.0.0.1:33424 length 42 Ruckus-Role = 'TestSite-Premium' $ radtest -t mschap rickjames XXXX 127.0.0.1:18120 0 ZZZZ SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp Sending Access-Request Id 2 from 0.0.0.0:58096 to 127.0.0.1:18120 User-Name = 'rickjames' NAS-IP-Address = 192.168.211.189 NAS-Port = 0 Message-Authenticator = 0x00 Framed-Protocol = PPP MS-CHAP-Challenge = 0x1a0e8931efa7d3bf MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000cbf65ea5964d246e0d583e86aadcb125ab474f95c97d27d Received Access-Accept Id 2 from 127.0.0.1:18120 to 127.0.0.1:58096 length 106 Ruckus-Role = 'TestSite-Premium' MS-CHAP-MPPE-Keys = 0x624aac413795cdc1ae33a32dca8c9821844f740d5b3f4d6c MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed I did find something odd, though. I upgraded to 3.0.4rc1 based on a few bug reports I had found earlier to see if it would provide additional debug. Now EAP-PEAP connects the first time radiusd is started, and fails subsequent times. If I switch the client (NetworkManager/wpa_supplicant) from PEAP to TTLS it connects, and if I switch it back to PEAP it'll connect again as long as I keep switching the type. I then disabled cache in mods-enabled/eap and it'll work repeatedly using PEAP on every client device I can find. Logs: http://dale.us/temp/fr-304rc1-1.log and broken out into the separate attempts: http://dale.us/temp/fr-304rc1-1-works.log http://dale.us/temp/fr-304rc1-1-broken.log Any hints? Dale
If you are relying on certain attributes to be present you need to ensure that they are put into the cache alan
Dale Blount wrote:
I've already debugged the inner-tunnel using the radtest commands in the top of the inner-tunnel file. They both work and pass the Ruckus-Role just fine:
OK.
$ radtest rickjames XXXX 127.0.0.1:18120 0 ZZZZ SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp
Hmm... that isn't good. I suggest using the latest code from git, the v3.0.x branch.
I did find something odd, though. I upgraded to 3.0.4rc1 based on a few bug reports I had found earlier to see if it would provide additional debug. Now EAP-PEAP connects the first time radiusd is started, and fails subsequent times. If I switch the client (NetworkManager/wpa_supplicant) from PEAP to TTLS it connects, and if I switch it back to PEAP it'll connect again as long as I keep switching the type. I then disabled cache in mods-enabled/eap and it'll work repeatedly using PEAP on every client device I can find.
So the cache module is buggy, or you misconfigured it. Please try the latest code from v3.0.x. It has a number of fixes over the 3.0.4rc1 code. Alan DeKok.
On 13 Aug 2014, at 13:20, Alan DeKok <aland@deployingradius.com> wrote:
Dale Blount wrote:
I've already debugged the inner-tunnel using the radtest commands in the top of the inner-tunnel file. They both work and pass the Ruckus-Role just fine:
OK.
$ radtest rickjames XXXX 127.0.0.1:18120 0 ZZZZ SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp
Hmm... that isn't good. I suggest using the latest code from git, the v3.0.x branch.
I did find something odd, though. I upgraded to 3.0.4rc1 based on a few bug reports I had found earlier to see if it would provide additional debug. Now EAP-PEAP connects the first time radiusd is started, and fails subsequent times. If I switch the client (NetworkManager/wpa_supplicant) from PEAP to TTLS it connects, and if I switch it back to PEAP it'll connect again as long as I keep switching the type. I then disabled cache in mods-enabled/eap and it'll work repeatedly using PEAP on every client device I can find.
So the cache module is buggy, or you misconfigured it.
I think he's referring to the session cache and not rlm_cache. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
$ radtest rickjames XXXX 127.0.0.1:18120 0 ZZZZ SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp
Hmm... that isn't good. I suggest using the latest code from git, the v3.0.x branch.
Good news and bad news. That SOFT ASSERT FAILED is gone, but the all of the group matching never happens so the reply attribute is never sent (radtest, TTLS, and PEAP requests). More logs: http://dale.us/temp/radtest-304rc1.log http://dale.us/temp/radtest-git.log http://dale.us/temp/radtest.diff Thanks, Dale
On 13 Aug 2014, at 15:00, Dale Blount <freeradius-users@dale.us> wrote:
$ radtest rickjames XXXX 127.0.0.1:18120 0 ZZZZ SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp
Hmm... that isn't good. I suggest using the latest code from git, the v3.0.x branch.
Good news and bad news. That SOFT ASSERT FAILED is gone, but the all of the group matching never happens so the reply attribute is never sent (radtest, TTLS, and PEAP requests).
More logs:
http://dale.us/temp/radtest-304rc1.log http://dale.us/temp/radtest-git.log http://dale.us/temp/radtest.diff
git pull Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Wed, 2014-08-13 at 17:23 -0400, Arran Cudbard-Bell wrote:
On 13 Aug 2014, at 15:00, Dale Blount <freeradius-users@dale.us> wrote:
Good news and bad news. That SOFT ASSERT FAILED is gone, but the all of the group matching never happens so the reply attribute is never sent (radtest, TTLS, and PEAP requests).
More logs:
http://dale.us/temp/radtest-304rc1.log http://dale.us/temp/radtest-git.log http://dale.us/temp/radtest.diff
git pull
Thanks, that commit fixed this issue and I'm now able to run from git. I'm still having problems with repeated connections from the same username with caching enabled on the eap module. Is there any additional debug/configuration I can provide to help debug this part? Thanks, Dale
participants (5)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Dale Blount -
Terry Kantorowski