Segmentation fault when using check_cert_cn in eap.conf

Brett C Miller miller_brett at bah.com
Fri Dec 9 21:34:35 CET 2005


Hello,

I am hoping someone else has run into my problem. I am running
freeradius 1.0.5 in an 802.1x configuration with Cisco 1200 access
points. I have configured eap_tls and everything works great (users
can authenticate and access resources) until I uncomment
"check_cert_cn=%{User-Name}" in the eap.conf file. When this line is
uncommented and the user tries to authenticate with a previously
working configuration, the server has a segmentation fault. I have
verified this result using a Linux, Windows, and Mac OS X client. At
this point I have not added any usernames to the "users" file. It
seems the server should reject the authentication request if the
user's credentials cannot be found in the users file, not throw a
segmentation fault. Is there a problem when the Username and common
name are different within the certificate? This is true with the
Globalsign certificates we are using. I have seen a post that went
unanswered on this subject. The link is below. I have
reproduced the segmentation fault in both 1.0.4 and 1.0.5. Thanks
for any assistance you can give, I am really at a loss. :(

I have also seen a question that pertains to my problem. Was there a  
solution?

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg13518.html

OS: Debian Sarge
Openssl version: 0.9.7e

Thanks

Brett

log file:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius3/proxy.conf
Config:   including file: /etc/freeradius3/clients.conf
Config:   including file: /etc/freeradius3/snmp.conf
Config:   including file: /etc/freeradius3/eap.conf
Config:   including file: /etc/freeradius3/sql.conf
main: prefix = "/usr/local/freeradius3"
main: localstatedir = "/usr/local/freeradius3/var"
main: logdir = "/var/log/freeradius3"
main: libdir = "/usr/local/freeradius3/lib"
main: radacctdir = "/var/log/freeradius3"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/freeradius3/freeradius3.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/freeradius3/var/run/radiusd/radiusd.pid"
main: bind_address = 10.120.0.27 IP address [10.120.0.27]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/freeradius3/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/freeradius3/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius3/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = yes
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius3/certs/wirelesslan.bah.com.key"
tls: certificate_file = "/etc/freeradius3/certs/wirelesslan.bah.com.pub"
tls: CA_file = "/etc/freeradius3/certs/certs.pem"
tls: private_key_password = "(null)"
tls: dh_file = "/etc/freeradius3/certs/dh"
tls: random_file = "/etc/freeradius3/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "%{User-Name}"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "tls"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius3/huntgroups"
preprocess: hints = "/etc/freeradius3/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius3/users"
files: acctusersfile = "/etc/freeradius3/acct_users"
files: preproxy_usersfile = "/etc/freeradius3/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,  
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius3/%{Client-IP-Address}/ 
detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius3/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = no
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 10.120.0.27:1812
Listening on accounting 10.120.0.27:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=234,  
length=169
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0xe5515c138accf22a37416c2027732e40
	EAP-Message = 0x02010019016d696c6c65725f6272657474406261682e636f6d
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: Looking up realm "bah.com" for User-Name =  
"miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 25
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 234 to 10.120.0.3:1645
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x165dc27d9eaf31fb476ce6f5a7cc5683
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=235,  
length=264
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x1cec338b5f5748130c7553596d4cd2f0
	EAP-Message =  
0x020200660d800000005c16030100570100005303014399e74094a93a57397fc8b744ab 
783e2b5fde9569af40d044c9728f715d8ae400002c00050004000aff830009ff82000300 
080006ff8000010016001500140013001200110018001b001a001700190100
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0x165dc27d9eaf31fb476ce6f5a7cc5683
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module "preprocess" returns ok for request 1
   modcall[authorize]: module "chap" returns noop for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
     rlm_realm: Looking up realm "bah.com" for User-Name =  
"miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 1
   rlm_eap: EAP packet type response id 2 length 102
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 1
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     (other): before/accept initialization
     TLS_accept: before/accept initialization
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0057], ClientHello
     TLS_accept: SSLv3 read client hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
     TLS_accept: SSLv3 write server hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0e72], Certificate
     TLS_accept: SSLv3 write certificate A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0120], CertificateRequest
     TLS_accept: SSLv3 write certificate request A
     TLS_accept: SSLv3 flush data
     TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 235 to 10.120.0.3:1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8a735a3b7837decd3545d5aa80336f2c
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=236,  
length=168
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x5602bdacab532e7f999c70612750d07a
	EAP-Message = 0x020300060d00
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0x8a735a3b7837decd3545d5aa80336f2c
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
   modcall[authorize]: module "preprocess" returns ok for request 2
   modcall[authorize]: module "chap" returns noop for request 2
   modcall[authorize]: module "mschap" returns noop for request 2
     rlm_realm: Looking up realm "bah.com" for User-Name =  
"miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 2
   rlm_eap: EAP packet type response id 3 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 2
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 236 to 10.120.0.3:1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xad02c72864260730b0a95da8a6cd5778
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=237,  
length=168
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0xff7fe42128e425ade791eb0e043eeb22
	EAP-Message = 0x020400060d00
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0xad02c72864260730b0a95da8a6cd5778
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
   modcall[authorize]: module "preprocess" returns ok for request 3
   modcall[authorize]: module "chap" returns noop for request 3
   modcall[authorize]: module "mschap" returns noop for request 3
     rlm_realm: Looking up realm "bah.com" for User-Name =  
"miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 3
   rlm_eap: EAP packet type response id 4 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 3
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 237 to 10.120.0.3:1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5a3c9c2dfd37d0eacb99d4770ff125fb
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=238,  
length=168
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x5412e3a867de65818277cb39aa002f29
	EAP-Message = 0x020500060d00
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0x5a3c9c2dfd37d0eacb99d4770ff125fb
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
   modcall[authorize]: module "preprocess" returns ok for request 4
   modcall[authorize]: module "chap" returns noop for request 4
   modcall[authorize]: module "mschap" returns noop for request 4
     rlm_realm: Looking up realm "bah.com" for User-Name =  
"miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 4
   rlm_eap: EAP packet type response id 5 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 4
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 238 to 10.120.0.3:1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0477eccc80a92cbf72f5506fc4ee9b1c
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=239,  
length=1568
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x53b9f83d6cc16419c6224624ac4de2b1
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0x0477eccc80a92cbf72f5506fc4ee9b1c
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
   modcall[authorize]: module "preprocess" returns ok for request 5
   modcall[authorize]: module "chap" returns noop for request 5
   modcall[authorize]: module "mschap" returns noop for request 5
     rlm_realm: Looking up realm "bah.com" for User-Name =  
"miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 5
   rlm_eap: EAP packet type response id 6 length 253
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 5
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Received EAP-TLS First Fragment of the message
   eaptls_verify returned 9
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 239 to 10.120.0.3:1645
	EAP-Message = 0x010700060d00
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd03f828df209da2e3a25fb8e1ec68974
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=240, length=1568
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x8ef630c7ab60b669d245a8921f079104
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0xd03f828df209da2e3a25fb8e1ec68974
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
   modcall[authorize]: module "preprocess" returns ok for request 6
   modcall[authorize]: module "chap" returns noop for request 6
   modcall[authorize]: module "mschap" returns noop for request 6
     rlm_realm: Looking up realm "bah.com" for User-Name = "miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 6
   rlm_eap: EAP packet type response id 7 length 253
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 6
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  More fragments to follow
   eaptls_verify returned 10
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 240 to 10.120.0.3:1645
	EAP-Message = 0x010800060d00
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcc2d10811ab9b5cb0aa0d64b62cc1143
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=241, length=1568
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x21271ead112a6ce16ac592ab0302be17
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0xcc2d10811ab9b5cb0aa0d64b62cc1143
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
   modcall[authorize]: module "preprocess" returns ok for request 7
   modcall[authorize]: module "chap" returns noop for request 7
   modcall[authorize]: module "mschap" returns noop for request 7
     rlm_realm: Looking up realm "bah.com" for User-Name = "miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 7
   rlm_eap: EAP packet type response id 8 length 253
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 7
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  More fragments to follow
   eaptls_verify returned 10
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 241 to 10.120.0.3:1645
	EAP-Message = 0x010900060d00
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8205233ea53e1eeb037578d078c3480d
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=242, length=921
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0x3f0cb9d0ffeee33f90c0c0a26e7ba5cd
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0x8205233ea53e1eeb037578d078c3480d
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
   modcall[authorize]: module "preprocess" returns ok for request 8
   modcall[authorize]: module "chap" returns noop for request 8
   modcall[authorize]: module "mschap" returns noop for request 8
     rlm_realm: Looking up realm "bah.com" for User-Name = "miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 8
   rlm_eap: EAP packet type response id 9 length 253
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 8
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 11e9], Certificate
chain-depth=3,
error=0
--> User-Name = miller_brett at bah.com
--> BUF-Name = GlobalSign Root CA
--> subject = /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
--> issuer  = /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
--> verify return:1
chain-depth=2,
error=0
--> User-Name = miller_brett at bah.com
--> BUF-Name = GlobalSign Partners CA
--> subject = /C=BE/O=GlobalSign nv-sa/OU=Partners CA/CN=GlobalSign Partners CA
--> issuer  = /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
--> verify return:1
chain-depth=1,
error=0
--> User-Name = miller_brett at bah.com
--> BUF-Name = Booz Allen Hamilton CA
--> subject = /C=US/O=BAH/OU=Components/CN=Booz Allen Hamilton CA
--> issuer  = /C=BE/O=GlobalSign nv-sa/OU=Partners CA/CN=GlobalSign Partners CA
--> verify return:1
radius_xlat:  'miller_brett at bah.com'
     rlm_eap_tls: checking certificate CN (Miller Brett) with xlat'ed value (miller_brett at bah.com)
rlm_eap_tls: Certificate CN (Miller Brett) does not match specified value (miller_brett at bah.com)!
chain-depth=0,
error=0
--> User-Name = miller_brett at bah.com
--> BUF-Name = Miller Brett
--> subject = /C=US/O=BAH/OU=SMTP/CN=Miller Brett
--> issuer  = /C=US/O=BAH/OU=Components/CN=Booz Allen Hamilton CA
--> verify return:0
   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert write:fatal:certificate unknown
     TLS_accept:error in SSLv3 read client certificate B
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 8
modcall: group authenticate returns handled for request 8
Sending Access-Challenge of id 242 to 10.120.0.3:1645
	EAP-Message = 0x010a00110d80000000071503010002022e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x54f7626909823ef4412c6f44d40fb505
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.120.0.3:1645, id=243, length=199
	User-Name = "miller_brett at bah.com"
	Framed-MTU = 1400
	Called-Station-Id = "000f.23d8.a391"
	Calling-Station-Id = "000a.95f3.1c2a"
	Service-Type = Login-User
	Message-Authenticator = 0xa93097f74b6d8e6f36bbb1a01d28de62
	EAP-Message =  
0x020a00250d800000001b1503010016f161a3efe92d8c4f70d10582602ae3454a48b64c 
d98a
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 738
	State = 0x54f7626909823ef4412c6f44d40fb505
	NAS-IP-Address = 10.120.0.3
	NAS-Identifier = "asq2-1st-Floor-110"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
   modcall[authorize]: module "preprocess" returns ok for request 9
   modcall[authorize]: module "chap" returns noop for request 9
   modcall[authorize]: module "mschap" returns noop for request 9
     rlm_realm: Looking up realm "bah.com" for User-Name = "miller_brett at bah.com"
     rlm_realm: No such realm "bah.com"
   modcall[authorize]: module "suffix" returns noop for request 9
   rlm_eap: EAP packet type response id 10 length 37
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 9
     users: Matched entry DEFAULT at line 163
   modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns updated for request 9
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 11e9], Certificate
chain-depth=3,
error=0

Segfaults here .....


EAP.conf

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#	$Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
	eap {
		#  Invoke the default supported EAP type when
		#  EAP-Identity response is received.
		#
		#  The incoming EAP messages DO NOT specify which EAP
		#  type they will be using, so it MUST be set here.
		#
		#  For now, only one default EAP type may be used at a time.
		#
		#  If the EAP-Type attribute is set by another module,
		#  then that EAP type takes precedence over the
		#  default type configured here.
		#
		default_eap_type = tls

		#  A list is maintained to correlate EAP-Response
		#  packets with EAP-Request packets.  After a
		#  configurable length of time, entries in the list
		#  expire, and are deleted.
		#
		timer_expire     = 60

		#  There are many EAP types, but the server has support
		#  for only a limited subset.  If the server receives
		#  a request for an EAP type it does not support, then
		#  it normally rejects the request.  By setting this
		#  configuration to "yes", you can tell the server to
		#  instead keep processing the request.  Another module
		#  MUST then be configured to proxy the request to
		#  another RADIUS server which supports that EAP type.
		#
		#  If another module is NOT configured to handle the
		#  request, then the request will still end up being
		#  rejected.
		ignore_unknown_eap_types = no

		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
		# a User-Name attribute in an Access-Accept, it copies one
		# more byte than it should.
		#
		# We can work around it by configurably adding an extra
		# zero byte.
		cisco_accounting_username_bug = no

		# Supported EAP-types

		#
		#  We do NOT recommend using EAP-MD5 authentication
		#  for wireless connections.  It is insecure, and does
		#  not provide for dynamic WEP keys.
		#
		md5 {
		}

		# Cisco LEAP
		#
		#  We do not recommend using LEAP in new deployments.  See:
		#  http://www.securiteam.com/tools/5TP012ACKE.html
		#
		#  Cisco LEAP uses the MS-CHAP algorithm (but not
		#  the MS-CHAP attributes) to perform it's authentication.
		#
		#  As a result, LEAP *requires* access to the plain-text
		#  User-Password, or the NT-Password attributes.
		#  'System' authentication is impossible with LEAP.
		#
		leap {
		}

		#  Generic Token Card.
		#
		#  Currently, this is only permitted inside of EAP-TTLS,
		#  or EAP-PEAP.  The module "challenges" the user with
		#  text, and the response from the user is taken to be
		#  the User-Password.
		#
		#  Proxying the tunneled EAP-GTC session is a bad idea,
		#  the users password will go over the wire in plain-text,
		#  for anyone to see.
		#
		gtc {
			#  The default challenge, which many clients
			#  ignore..
			#challenge = "Password: "

			#  The plain-text response which comes back
			#  is put into a User-Password attribute,
			#  and passed to another module for
			#  authentication.  This allows the EAP-GTC
			#  response to be checked against plain-text,
			#  or crypt'd passwords.
			#
			#  If you say "Local" instead of "PAP", then
			#  the module will look for a User-Password
			#  configured for the request, and do the
			#  authentication itself.
			#
			auth_type = PAP
		}

		## EAP-TLS
		#
		#  To generate ctest certificates, run the script
		#
		#	../scripts/certs.sh
		#
		#  The documents on http://www.freeradius.org/doc
		#  are old, but may be helpful.
		#
		#  See also:
		#
		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
		#
		tls {
			#private_key_password = whatever
			private_key_file = ${raddbdir}/certs/wirelesslan.bah.com.key
			#private_key_file = ${raddbdir}/certs/cert-srv.pem
			#  If Private key & Certificate are located in
			#  the same file, then private_key_file &
			#  certificate_file must contain the same file
			#  name.
			certificate_file = ${raddbdir}/certs/wirelesslan.bah.com.pub
			#certificate_file = ${raddbdir}/certs/cert-srv.pem
	
			#  Trusted Root CA list
			CA_file = ${raddbdir}/certs/certs.cer
			#CA_file = ${raddbdir}/certs/cacert.pem
			dh_file = ${raddbdir}/certs/dh
			random_file = ${raddbdir}/certs/random

			#
			#  This can never exceed the size of a RADIUS
			#  packet (4096 bytes), and is preferably half
			#  that, to accomodate other attributes in
			#  RADIUS packet.  On most APs the MAX packet
			#  length is configured between 1500 - 1600
			#  In these cases, fragment size should be
			#  1024 or less.
			#
			fragment_size = 1024

			#  include_length is a flag which is
			#  by default set to yes If set to
			#  yes, Total Length of the message is
			#  included in EVERY packet we send.
			#  If set to no, Total Length of the
			#  message is included ONLY in the
			#  First packet of a fragment series.
			#
			#include_length = yes

			#  Check the Certificate Revocation List
			#
			#  1) Copy CA certificates and CRLs to same directory.
			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
			#    'c_rehash' is OpenSSL's command.
			#  3) Add 'CA_path=<CA certs&CRLs directory>'
			#      to radiusd.conf's tls section.
			#  4) uncomment the line below.
			#  5) Restart radiusd
			check_crl = no
			CA_path=/etc/freeradius3/certs

			#
			#  If check_cert_cn is set, the value will
			#  be xlat'ed and checked against the CN
			#  in the client certificate.  If the values
			#  do not match, the certificate verification
			#  will fail rejecting the user.
			#
			check_cert_cn = %{User-Name}
		}

		#  The TTLS module implements the EAP-TTLS protocol,
		#  which can be described as EAP inside of Diameter,
		#  inside of TLS, inside of EAP, inside of RADIUS...
		#
		#  Surprisingly, it works quite well.
		#
		#  The TTLS module needs the TLS module to be installed
		#  and configured, in order to use the TLS tunnel
		#  inside of the EAP packet.  You will still need to
		#  configure the TLS module, even if you do not want
		#  to deploy EAP-TLS in your network.  Users will not
		#  be able to request EAP-TLS, as it requires them to
		#  have a client certificate.  EAP-TTLS does not
		#  require a client certificate.
		#
		#ttls {
			#  The tunneled EAP session needs a default
			#  EAP type which is separate from the one for
			#  the non-tunneled EAP module.  Inside of the
			#  TTLS tunnel, we recommend using EAP-MD5.
			#  If the request does not contain an EAP
			#  conversation, then this configuration entry
			#  is ignored.
		#	default_eap_type = md5

			#  The tunneled authentication request does
			#  not usually contain useful attributes
			#  like 'Calling-Station-Id', etc.  These
			#  attributes are outside of the tunnel,
			#  and normally unavailable to the tunneled
			#  authentication request.
			#
			#  By setting this configuration entry to
			#  'yes', any attribute which NOT in the
			#  tunneled authentication request, but
			#  which IS available outside of the tunnel,
			#  is copied to the tunneled request.
			#
			# allowed values: {no, yes}
		#	copy_request_to_tunnel = no

			#  The reply attributes sent to the NAS are
			#  usually based on the name of the user
			#  'outside' of the tunnel (usually
			#  'anonymous').  If you want to send the
			#  reply attributes based on the user name
			#  inside of the tunnel, then set this
			#  configuration entry to 'yes', and the reply
			#  to the NAS will be taken from the reply to
			#  the tunneled request.
			#
			# allowed values: {no, yes}
		#	use_tunneled_reply = no			
			
		#}

		#
		#  The tunneled EAP session needs a default EAP type
		#  which is separate from the one for the non-tunneled
		#  EAP module.  Inside of the TLS/PEAP tunnel, we
		#  recommend using EAP-MS-CHAPv2.
		#
		#  The PEAP module needs the TLS module to be installed
		#  and configured, in order to use the TLS tunnel
		#  inside of the EAP packet.  You will still need to
		#  configure the TLS module, even if you do not want
		#  to deploy EAP-TLS in your network.  Users will not
		#  be able to request EAP-TLS, as it requires them to
		#  have a client certificate.  EAP-PEAP does not
		#  require a client certificate.
		#
		peap {
			#  The tunneled EAP session needs a default
			#  EAP type which is separate from the one for
			#  the non-tunneled EAP module.  Inside of the
			#  PEAP tunnel, we recommend using MS-CHAPv2,
			#  as that is the default type supported by
			#  Windows clients.
			#default_eap_type = mschapv2
			default_eap_type = tls
		}

		#
		#  This takes no configuration.
		#
		#  Note that it is the EAP MS-CHAPv2 sub-module, not
		#  the main 'mschap' module.
		#
		#  Note also that in order for this sub-module to work,
		#  the main 'mschap' module MUST ALSO be configured.
		#
		#  This module is the *Microsoft* implementation of MS-CHAPv2
		#  in EAP.  There is another (incompatible) implementation
		#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
		#  currently support.
		#
		mschapv2 {
		}
	}
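
The following is an added example, not part of the original post and not FreeRADIUS code: a small Python triage script that reads rlm_eap_tls debug output like the log above, collects each certificate verification block, records any check_cert_cn mismatch, and flags a block that has no "verify return" line, which is where the posted log stops. The sample text is a constructed excerpt modelled on that log with mail-wrapped lines re-joined; the function names are hypothetical.

```python
import re

# Constructed excerpt modelled on the debug output in the post, with
# mail-wrapped lines re-joined. The last block ends where the posted log ends.
SAMPLE_LOG = """\
rlm_eap_tls: <<< TLS 1.0 Handshake [length 11e9], Certificate
chain-depth=1,
error=0
--> User-Name = miller_brett at bah.com
--> BUF-Name = Booz Allen Hamilton CA
--> subject = /C=US/O=BAH/OU=Components/CN=Booz Allen Hamilton CA
--> issuer  = /C=BE/O=GlobalSign nv-sa/OU=Partners CA/CN=GlobalSign Partners CA
--> verify return:1
radius_xlat:  'miller_brett at bah.com'
rlm_eap_tls: checking certificate CN (Miller Brett) with xlat'ed value (miller_brett at bah.com)
rlm_eap_tls: Certificate CN (Miller Brett) does not match specified value (miller_brett at bah.com)!
chain-depth=0,
error=0
--> User-Name = miller_brett at bah.com
--> BUF-Name = Miller Brett
--> subject = /C=US/O=BAH/OU=SMTP/CN=Miller Brett
--> issuer  = /C=US/O=BAH/OU=Components/CN=Booz Allen Hamilton CA
--> verify return:0
Finished request 8
rlm_eap_tls: <<< TLS 1.0 Handshake [length 11e9], Certificate
chain-depth=3,
error=0
"""

DEPTH_RE = re.compile(r"^chain-depth=(\d+),")
ERROR_RE = re.compile(r"^error=(\d+)")
FIELD_RE = re.compile(r"^-->\s*(subject|issuer)\s*=\s*(.*)$")
VERIFY_RE = re.compile(r"^-->\s*verify return:(\d+)")
MISMATCH_RE = re.compile(
    r"Certificate CN \((.*?)\) does not match specified value \((.*?)\)!")


def parse_verify_log(text):
    """Return (certs, mismatches) parsed from rlm_eap_tls debug output.

    certs is a list of dicts, one per 'chain-depth=' block, in log order.
    A block whose 'verify' is None never reached its 'verify return' line.
    mismatches is a list of (certificate CN, expected value) tuples.
    """
    certs, mismatches, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEPTH_RE.match(line)
        if m:
            current = {"depth": int(m.group(1)), "error": None,
                       "subject": None, "issuer": None, "verify": None}
            certs.append(current)
            continue
        m = MISMATCH_RE.search(line)
        if m:
            mismatches.append((m.group(1), m.group(2)))
            continue
        if current is None:
            continue  # line is outside any verification block
        m = ERROR_RE.match(line)
        if m:
            current["error"] = int(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
            continue
        m = VERIFY_RE.match(line)
        if m:
            current["verify"] = int(m.group(1))
            current = None  # block is complete


    return certs, mismatches


def rejected(certs):
    """Blocks where verification finished and the certificate was refused."""
    return [c for c in certs if c["verify"] == 0]


def unfinished(certs):
    """Blocks that started but never logged a 'verify return' line."""
    return [c for c in certs if c["verify"] is None]


def triage(text):
    """Produce one human-readable finding per mismatch, rejection or gap."""
    certs, mismatches = parse_verify_log(text)
    findings = [f"check_cert_cn mismatch: CN={cn!r} expected={exp!r}"
                for cn, exp in mismatches]
    findings += [f"depth {c['depth']} rejected: {c['subject']}"
                 for c in rejected(certs)]
    findings += [f"depth {c['depth']}: no 'verify return' line, "
                 "output stops mid-verification" for c in unfinished(certs)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
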

