eap-tls authentication with free radius 1.1.5
anoop_c at sifycorp.com
anoop_c at sifycorp.com
Thu May 10 11:36:54 CEST 2007
Dear all
With free radius 1.1.6 i am getting the following debug messages.Still authnticationi is not happenig
[root at anoop raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = \"/usr/local\"
main: localstatedir = \"/usr/local/var\"
main: logdir = \"/usr/local/var/log/radius\"
main: libdir = \"/usr/local/lib\"
main: radacctdir = \"/usr/local/var/log/radius/radacct\"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = \"/usr/local/var/log/radius/radius.log\"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = \"/usr/local/var/run/radiusd/radiusd.pid\"
main: user = \"(null)\"
main: group = \"(null)\"
main: usercollide = no
main: lower_user = \"no\"
main: lower_pass = \"no\"
main: nospace_user = \"no\"
main: nospace_pass = \"no\"
main: checkrad = \"/usr/local/sbin/checkrad\"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = \"(null)\"
exec: input_pairs = \"request\"
exec: output_pairs = \"(null)\"
exec: packet_type = \"(null)\"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = \"(null)\"
unix: shadow = \"(null)\"
unix: group = \"(null)\"
unix: radwtmp = \"/usr/local/var/log/radius/radwtmp\"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = \"tls\"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = \"(null)\"
tls: pem_file_type = yes
tls: private_key_file = \"/etc/1x/07xwifi.pem\"
tls: certificate_file = \"/etc/1x/07xwifi.pem\"
tls: CA_file = \"/etc/1x/root.pem\"
tls: private_key_password = \"password\"
tls: dh_file = \"/etc/1x/DH\"
tls: random_file = \"/etc/1x/random\"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = \"(null)\"
tls: cipher_list = \"(null)\"
tls: check_cert_issuer = \"(null)\"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = \"/etc/raddb/huntgroups\"
preprocess: hints = \"/etc/raddb/hints\"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = \"suffix\"
realm: delimiter = \"@\"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = \"/etc/raddb/users\"
files: acctusersfile = \"/etc/raddb/acct_users\"
files: preproxy_usersfile = \"/etc/raddb/preproxy_users\"
files: compat = \"no\"
Module: Instantiated files (files)
Module: Loaded PAP
pap: encryption_scheme = \"crypt\"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = \"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Addre ss, NAS-Port\"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = \"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/de tail-%Y%m%d\"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = \"/usr/local/var/log/radius/radutmp\"
radutmp: username = \"%{User-Name}\"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=0, length=197
Message-Authenticator = 0x58682b62b2334fb6e661df414bc30e61
Service-Type = Framed-User
User-Name = \"anoop07\"
Framed-MTU = 1488
Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
Calling-Station-Id = \"00-0E-35-F3-A1-67\"
NAS-Identifier = \"D-Link Access Point\"
NAS-Port-Type = Wireless-802.11
Connect-Info = \"CONNECT 54Mbps 802.11g\"
EAP-Message = 0x0200000c01616e6f6f703037
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = \"STA port # 1\"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module \"preprocess\" returns ok for request 0
rlm_realm: No \'@\' in User-Name = \"anoop07\", looking up realm NULL
rlm_realm: No such realm \"NULL\"
modcall[authorize]: module \"suffix\" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 12
rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
modcall[authorize]: module \"eap\" returns updated for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
modcall[authorize]: module \"files\" returns ok for request 0
rlm_pap: WARNING! No \"known good\" password found for the user. Authentication m ay fail because of this.
modcall[authorize]: module \"pap\" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type \"EAP\"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module \"eap\" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.50 port 1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf149907fc590a6e39f01cbbd9619107b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=1, length=299
Message-Authenticator = 0x4fd5a9fe11d848f8f7a1324997be4a8e
Service-Type = Framed-User
User-Name = \"anoop07\"
Framed-MTU = 1488
State = 0xf149907fc590a6e39f01cbbd9619107b
Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
Calling-Station-Id = \"00-0E-35-F3-A1-67\"
NAS-Identifier = \"D-Link Access Point\"
NAS-Port-Type = Wireless-802.11
Connect-Info = \"CONNECT 54Mbps 802.11g\"
EAP-Message = 0x020100600d800000005616030100510100004d03014642cb0590f008 20866efd284d568c69cde48b6530bced71bd7a674a2a46e36e103102d6b9e079cbcf0242e2192803 fe40001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = \"STA port # 1\"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module \"preprocess\" returns ok for request 1
rlm_realm: No \'@\' in User-Name = \"anoop07\", looking up realm NULL
rlm_realm: No such realm \"NULL\"
modcall[authorize]: module \"suffix\" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 96
rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
modcall[authorize]: module \"eap\" returns updated for request 1
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
modcall[authorize]: module \"files\" returns ok for request 1
rlm_pap: WARNING! No \"known good\" password found for the user. Authentication m ay fail because of this.
modcall[authorize]: module \"pap\" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type \"EAP\"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 04bf], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004c], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module \"eap\" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 192.168.0.50 port 1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0102040a0dc000000564160301004a0200004603014642cb066051eb 4f14285a58bcd1249829d97ad27f846524d57f7a25b0a3981720143a0cfecdd12ac8ec78c09d87f3 05ba498dcfe95c07b2b76e9b8510cfc644fd00040016030104bf0b0004bb0004b800022c30820228 30820191a003020102020101300d06092a864886f70d0101040500303b310b300906035504061302 494e310b300906035504081302544e310d300b060355040a1304536966793110300e060355040313 0730377877696669301e170d3037303131323135333533305a170d3038303131323135333533305a 3060310b300906035504061302494e310b3009060355040813
EAP-Message = 0x02544e310d300b060355040a1304536966793110300e060355040313 07303778776966693123302106092a864886f70d0109011614616e6f6f705f634073696679636f72 702e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d2bbbe35bc8a 47709632284aff484695385e69c3522f63da46834f9586a420bda380889693fa77fedd9ed4290e6f 9ff4436721775294fc65a38fea098f18975b34b5063de27220e18a07d433cbb6e19aeb3f84b012f7 c20071dd280457a932634bbe50f438cc2ee6f4d65fa395a10bdecc4bf9087979ec45af000940e186 ed290203010001a317301530130603551d25040c300a06082b
EAP-Message = 0x06010505070301300d06092a864886f70d0101040500038181000afe a7f2a8a9cffe60baa8f779353c523457f8237faeff81ba5f2c22664c70b6b2fb58c8967ca4a4c847 b80e1d5a6cc4558ffa1d161614f374d8b5efd565aa66045b192b3ac3da82c81c4a99fc10cfe473f9 ac258ef99b16cbd335004677694a05addae48c6a9dcdb26b86ddb56c635266c33c7de75865435326 92e5220d30b100028630820282308201eba003020102020100300d06092a864886f70d0101040500 303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a130453 6966793110300e0603550403130730377877696669301e170d
EAP-Message = 0x3037303131323135333435305a170d3038303131323135333435305a 303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a130453 6966793110300e060355040313073037787769666930819f300d06092a864886f70d010101050003 818d0030818902818100ba8b07a479bb6ce9adf2d8bc6ac9cf214506dfc039cb10c3b4d27d1bbc08 2caff0bb77424819728977f04b32e231a3c4755a65823b366f1a604f15ce6c499883ab7d2757a5a2 c07a11e75b7a00d6c55a8fb7443b202a25a3cdaad39579b2d8f4c09c974056f0c8666fff754d5748 36fcaf105200fcd5df5158e2b387310c4ed90203010001a381
EAP-Message = 0x95308192301d0603551d0e041604149eda6f69065423
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2fdcf333629491d0e1c1ee647458de64
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=2, length=209
Message-Authenticator = 0x4ad9312009d92ce8a0efb591a5179928
Service-Type = Framed-User
User-Name = \"anoop07\"
Framed-MTU = 1488
State = 0x2fdcf333629491d0e1c1ee647458de64
Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
Calling-Station-Id = \"00-0E-35-F3-A1-67\"
NAS-Identifier = \"D-Link Access Point\"
NAS-Port-Type = Wireless-802.11
Connect-Info = \"CONNECT 54Mbps 802.11g\"
EAP-Message = 0x020200060d00
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = \"STA port # 1\"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module \"preprocess\" returns ok for request 2
rlm_realm: No \'@\' in User-Name = \"anoop07\", looking up realm NULL
rlm_realm: No such realm \"NULL\"
modcall[authorize]: module \"suffix\" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
modcall[authorize]: module \"eap\" returns updated for request 2
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
modcall[authorize]: module \"files\" returns ok for request 2
rlm_pap: WARNING! No \"known good\" password found for the user. Authentication m ay fail because of this.
modcall[authorize]: module \"pap\" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type \"EAP\"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module \"eap\" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 2 to 192.168.0.50 port 1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0103016e0d80000005647ec1c9e4d07a608e0e6dcd730f3063060355 1d23045c305a80149eda6f690654237ec1c9e4d07a608e0e6dcd730fa13fa43d303b310b30090603 5504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e06 03550403130730377877696669820100300c0603551d13040530030101ff300d06092a864886f70d 0101040500038181006b514f008b6a77757fc73ddbe9d54e4ea925a1ab9ce80ad7895d6d19661d8b 8558d0e359876aac023aa52d4273e00407b9b588b30dbc35c5911bc89d2d99677e0ec8dea17fece3 5d0b4dfab8775ba73eaeb0a0998bcdf1437cff0a1031f6a5b1
EAP-Message = 0x7e8bcdc01e2e964cb256f49d947eea2cfd42989aef397fa438be294f a3dc7a3d160301004c0d000044020102003f003d303b310b300906035504061302494e310b300906 035504081302544e310d300b060355040a1304536966793110300e06035504031307303778776966 690e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8312be86097e0bba014e67facd670e26
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=3, length=209
Message-Authenticator = 0xd1d028ef0c35ada1104dae076b233114
Service-Type = Framed-User
User-Name = \"anoop07\"
Framed-MTU = 1488
State = 0x8312be86097e0bba014e67facd670e26
Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
Calling-Station-Id = \"00-0E-35-F3-A1-67\"
NAS-Identifier = \"D-Link Access Point\"
NAS-Port-Type = Wireless-802.11
Connect-Info = \"CONNECT 54Mbps 802.11g\"
EAP-Message = 0x020300060d00
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = \"STA port # 1\"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module \"preprocess\" returns ok for request 3
rlm_realm: No \'@\' in User-Name = \"anoop07\", looking up realm NULL
rlm_realm: No such realm \"NULL\"
modcall[authorize]: module \"suffix\" returns noop for request 3
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
modcall[authorize]: module \"eap\" returns updated for request 3
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
modcall[authorize]: module \"files\" returns ok for request 3
rlm_pap: WARNING! No \"known good\" password found for the user. Authentication m ay fail because of this.
modcall[authorize]: module \"pap\" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type \"EAP\"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module \"eap\" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 192.168.0.50 port 1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0104000a0d8000000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc08d54ac02795c8e31c2f7865a609bd5
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 4642cb06
Cleaning up request 1 ID 1 with timestamp 4642cb06
Cleaning up request 2 ID 2 with timestamp 4642cb06
Cleaning up request 3 ID 3 with timestamp 4642cb06
Nothing to do. Sleeping until we see a request.
[root at anoop raddb]#
Wat is the meaning of
--- TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13----
this in eap_process returned 13 in the debug log
as well as
---rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation----
Regards
Anoop
Quoting freeradius-users-request at lists.freeradius.org:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body \'help\' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than \"Re: Contents of Freeradius-Users digest...\"
>
>
> Today\'s Topics:
>
> 1. RE: FR with MySQL - Stored Procedures (Gunther)
> 2. Re: freeradius & redback sms (Alan DeKok)
> 3. Re: Date expansion fails for inner encryption tunnel log
> files. (Alan DeKok)
> 4. Re: 1.1.6 with rlm_sqlippool: ip=[] len=0 (Alan DeKok)
> 5. Re: ttls problem (tevfik)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 10 May 2007 03:15:09 -0400
> From: \"Gunther\" <freeradius at caribsms.com>
> Subject: RE: FR with MySQL - Stored Procedures
> To: \"\'FreeRadius users mailing list\'\"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <001a01c792d2$f23b79c0$0419a8c0 at ultra3>
> Content-Type: text/plain; charset=\"US-ASCII\"
>
> Did some further research on the MySQL - FR Stored Procedure (SP)
> problem.
>
> When calling the SP, MySQL always returns two results. One is the
> actual
> result and
> the other is the number of affected rows, which is different to a
> normal
> e.g. SELECT query.
>
> SP:
> mysql> call CheckIt(\'myString\');
> +--------+
> | result |
> +--------+
> | 10 | (result is correct)
> +--------+
> 1 row in set (0.00 sec)
>
> Query OK, 0 rows affected (0.00 sec) <-- Result plus the number of
> affected
> rows!
>
> Normal Query:
> mysql> select 25 AS result;
> +--------+
> | result |
> +--------+
> | 25 |
> +--------+
> 1 row in set (0.00 sec) <--- Normal query with one result
>
> -------- MYSQL 5.0 Ref manual ----
> If you write C programs that use the CALL SQL statement to execute
> stored
> procedures that produce result sets, you must set the
> CLIENT_MULTI_RESULTS
> flag, either explicitly, or implicitly by setting
> CLIENT_MULTI_STATEMENTS
> when you call mysql_real_connect(). This is because each such stored
> procedure produces multiple results: the result sets returned by
> statements
> executed within the procedure, as well as a result to indicate the call
> status. To process the result of a CALL statement, use a loop that
> calls
> mysql_next_result() to determine whether there are more results.
>
> The following procedure outlines a suggested strategy for handling
> multiple
> statements:
> 1. Pass CLIENT_MULTI_STATEMENTS to mysql_real_connect(), to fully
> enable
> multiple-statement execution and multiple-result processing.
> 2. After calling mysql_query() or mysql_real_query() and verifying that
> it
> succeeds, enter a loop within which you process statement results.
> 3. For each iteration of the loop, handle the current statement
> result,
> retrieving either a result set or an affected-rows count. If an error
> occurs, exit the loop.
> 4. At the end of the loop, call mysql_next_result() to check whether
> another result exists and initiate retrieval for it if so. If no more
> results are available, exit the loop.
> ----------------------------------
>
> Just for a test, I added a very quick and dirty \'mysql_next_result\' into
> the
> sql_free_result function of
> \"sql_mysql.c\" in row 292 of FR 1.1.6, the same location Thomas used the
>
> .....
> if (sqlsocket->row == NULL) {
> return sql_check_error(mysql_errno(mysql_sock->sock));
> }
> mysql_next_result(mysql_sock->sock); /* eat the number of
> affected
> rows result */
> return 0;
> }
> .....
>
> As a result I do not get the 2014 error anymore and everything seems to
> be
> working fine.
> Since I do not really know the implications of just adding this
> command,
> maybe one of the experts
> could help out here.
>
> In an ealier posting 3 days ago I said that the problem is not really
> stored
> procedure related ...
> but it is! Once the SP is called at least once other queries will have
> errors too.
>
> Gunther
>
> FR 1.1.6 - MySQL 5.0.41 - CentOS 4.4
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 10 May 2007 09:27:45 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: freeradius & redback sms
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4642C971.3060509 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Samson Martinez wrote:
> > We are currently using a Redback SMS 500 to terminate PPPoE sessions
> for
> > client desktops. Up until now an older Steelbelted Radius server has
> > been used to authenticate RADIUS requests forwarded by the Redback
> and
> > it\'s worked ok. We want to transfer the RADIUS support to a
> freeradius
> > installation but I am having a bit of a fit trying to get it to work.
>
> See \"radsniff\" from the current release. Watch the packets going TO
> your old RADIUS server, and the responses comign BACK from it.
> Configure FreeRADIUS to respond to requests with the same attributes.
>
> The NAS has no idea which server you\'re running. All it sees is the
> attributes in the packet.
>
> The solution is to first find out what needs to be sent back, and
> then
> make FreeRADIUS send the correct response. There is no magic, and
> there
> is no need to fight with any configuration.
>
> The redback log looks like you\'re not sending back the correct
> attributes. If you don\'t know what attributes to send back, you WILL
> NOT be able to solve the problem.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 10 May 2007 09:39:36 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Date expansion fails for inner encryption tunnel log
> files.
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4642CC38.9050204 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arran Cudbard-Bell wrote:
> > Firstly is is possible to specify return codes for users files
> depending
> > on matched sections ? Or will the files module always return ok ?
>
> You can\'t specify return codes from the \"users\" file.
>
> > Secondly, whats considered decent throughput in terms of (serial)
> > requests per second...
> > With none of the SQL or LDAP checking i\'m getting around 300ish
> requests
> > per second ;
>
> That\'s a little low, to be honest. My tests on a dual core 1.8GHz
> intel show 25k PAP requests per second from localhost to localhost.
> That\'s rather different from what you\'re seeing.
>
> Unless you mean 300 full EAP-TLS/TTLS/PEAP authentications per
> second.
> That\'s pretty fast, considering that almost all of the CPU time is
> spent doing RSA key operations. And with 5-10 RADIUS packets per EAP
> authentication, that\'s 3k requests/s, not 300.
>
> > We have a user base of around 10,000 users with a absolute maximum of
>
> > 4,000 logged in at any one time, and two Dual Core 2.13ghz 64bit Apple
>
> > Xserves with basic load balancing.
> >
> > It\'s obvious that the SQL server is lagging behind, and the LDAP
> cluster
> > is on some ageing Xserves so probably isn\'t performing at it\'s
> peak...
> >
> > If you have any recommended figures that I could aim for, would be
> very
> > useful.
>
> For plain PAP: 10k+ requests/s would be expected. For EAP,
> substantially less than that.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 10 May 2007 09:40:13 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4642CC5D.7070602 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Guilherme Franco wrote:
> > This was happening with 1.1.4 and I thought that 1.1.6 would
> correct
> > this.
> >
> > Wasn\'t 1.1.6 supposed to work this out?
>
> Which part of the ChangeLog said that?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 10 May 2007 00:41:14 -0700 (PDT)
> From: tevfik <tevfikkiziloren at gmail.com>
> Subject: Re: ttls problem
> To: freeradius-users at lists.freeradius.org
> Message-ID: <10408620.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> >did you configure SecureW2 to allow new connections?
>
> Yes i tried both combinations, nothing is changed.
>
> In addition to this when I enter correct username but wrong password, I
> got
> similar debug log which i lised below.
>
> I wasn\'t able to see any problem with ldap configuration because it
> works
> with radtest command. (That is when i entered correct usrname but wrong
> password, I got Access-Rejected message. When both of them was true, I
> got
> Access-Accepted)
>
> Is there a problem with my ldap configuration. Is there any weird
> message in
> my debug log?
>
> I am dealing with this thing about 20 days. Could anybody tell me whats
> wrong with it?
>
> Thanks in advance:
>
> My full debug log: (username was entered true, password was entered
> false )
> -------------------------------------------------------------------------------------------------
> ldap:~ # radiusd -X -A
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = \"/usr\"
> main: localstatedir = \"/var\"
> main: logdir = \"/var/log/radius\"
> main: libdir = \"/usr/lib/freeradius\"
> main: radacctdir = \"/var/log/radius/radacct\"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = \"/var/log/radius/radius.log\"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = \"/var/run/radiusd/radiusd.pid\"
> main: user = \"radiusd\"
> main: group = \"radiusd\"
> main: usercollide = no
> main: lower_user = \"no\"
> main: lower_pass = \"no\"
> main: nospace_user = \"no\"
> main: nospace_pass = \"no\"
> main: checkrad = \"/usr/sbin/checkrad\"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/lib/freeradius
> Module: Loaded exec
> exec: wait = yes
> exec: program = \"(null)\"
> exec: input_pairs = \"request\"
> exec: output_pairs = \"(null)\"
> exec: packet_type = \"(null)\"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = \"crypt\"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = \"(null)\"
> mschap: authtype = \"MS-CHAP\"
> mschap: ntlm_auth = \"(null)\"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = \"(null)\"
> unix: shadow = \"(null)\"
> unix: group = \"(null)\"
> unix: radwtmp = \"/var/log/radius/radwtmp\"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded LDAP
> ldap: server = \"ldap.anadolu.edu.tr\"
> ldap: port = 389
> ldap: net_timeout = 1
> ldap: timeout = 4
> ldap: timelimit = 3
> ldap: identity = \"\"
> ldap: tls_mode = no
> ldap: start_tls = no
> ldap: tls_cacertfile = \"(null)\"
> ldap: tls_cacertdir = \"(null)\"
> ldap: tls_certfile = \"(null)\"
> ldap: tls_keyfile = \"(null)\"
> ldap: tls_randfile = \"(null)\"
> ldap: tls_require_cert = \"allow\"
> ldap: password = \"\"
> ldap: basedn = \"ou=people,dc=anadolu,dc=edu,dc=tr\"
> ldap: filter = \"(uid=%u)\"
> ldap: base_filter = \"(objectclass=radiusprofile)\"
> ldap: default_profile = \"(null)\"
> ldap: profile_attribute = \"(null)\"
> ldap: password_header = \"(null)\"
> ldap: password_attribute = \"(null)\"
> ldap: access_attr = \"(null)\"
> ldap: groupname_attribute = \"cn\"
> ldap: groupmembership_filter =
> \"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))\"
> ldap: groupmembership_attribute = \"(null)\"
> ldap: dictionary_mapping = \"/etc/raddb/ldap.attrmap\"
> ldap: ldap_debug = 0
> ldap: ldap_connections_number = 5
> ldap: compare_check_items = no
> ldap: access_attr_used_for_allow = yes
> ldap: do_xlat = yes
> ldap: edir_account_policy_check = yes
> ldap: set_auth_type = yes
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Creating new attribute ldap_1x-Ldap-Group
> rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x
> rlm_ldap: Over-riding set_auth_type, as we\'re not listed in the
> \"authenticate\" section.
> rlm_ldap: reading ldap<->radius mappings from file
> /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS
> Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS
> Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS
> Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS
> Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
> Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
> Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
> Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> conns: 0x800d0420
> Module: Instantiated ldap (ldap_1x)
> Module: Loaded eap
> eap: default_eap_type = \"ttls\"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = \"Password: \"
> gtc: auth_type = \"PAP\"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = \"(null)\"
> tls: pem_file_type = yes
> tls: private_key_file = \"/etc/raddb/certs/server_keycert.pem\"
> tls: certificate_file = \"/etc/raddb/certs/server_keycert.pem\"
> tls: CA_file = \"/etc/raddb/certs/cacert.pem\"
> tls: private_key_password = \"1234\"
> tls: dh_file = \"/etc/raddb/certs/dh\"
> tls: random_file = \"/etc/raddb/certs/random\"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = \"(null)\"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
> ttls: default_eap_type = \"md5\"
> ttls: copy_request_to_tunnel = yes
> ttls: use_tunneled_reply = no
> rlm_eap: Loaded and initialized type ttls
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = \"/etc/raddb/huntgroups\"
> preprocess: hints = \"/etc/raddb/hints\"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = \"suffix\"
> realm: delimiter = \"@\"
> realm: ignore_default = yes
> realm: ignore_null = yes
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = \"/etc/raddb/users\"
> files: acctusersfile = \"/etc/raddb/acct_users\"
> files: preproxy_usersfile = \"/etc/raddb/preproxy_users\"
> files: compat = \"no\"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = \"User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port\"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> \"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d\"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = \"/var/log/radius/radutmp\"
> radutmp: username = \"%{User-Name}\"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.10.7.203:1645, id=146,
> length=139
> User-Name = \"tkiziloren\"
> Framed-MTU = 1400
> Called-Station-Id = \"0017.0e85.f190\"
> Calling-Station-Id = \"0011.2fb9.d08b\"
> Service-Type = Login-User
> Message-Authenticator = 0x4bf1be37ab5fc1598c68bd249777d10d
> EAP-Message = 0x0202000f01746b697a696c6f72656e
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 322
> NAS-IP-Address = 10.10.7.203
> NAS-Identifier = \"testbaum\"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module \"preprocess\" returns ok for request 0
> modcall[authorize]: module \"chap\" returns noop for request 0
> modcall[authorize]: module \"mschap\" returns noop for request 0
> rlm_realm: No \'@\' in User-Name = \"tkiziloren\", skipping NULL due to
> config.
> modcall[authorize]: module \"suffix\" returns noop for request 0
> rlm_eap: EAP packet type response id 2 length 15
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 0
> users: Matched entry DEFAULT at line 29
> modcall[authorize]: module \"files\" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tkiziloren
> radius_xlat: \'(uid=tkiziloren)\'
> radius_xlat: \'ou=people,dc=anadolu,dc=edu,dc=tr\'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0
> rlm_ldap: bind as / to ldap.anadolu.edu.tr:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
> filter (uid=tkiziloren)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tkiziloren authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module \"ldap_1x\" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module \"eap\" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 146 to 10.10.7.203 port 1645
> EAP-Message = 0x010300061520
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0aacb6009ffcc2e6b40b7487d9b49dce
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.10.7.203:1645, id=147,
> length=202
> User-Name = \"tkiziloren\"
> Framed-MTU = 1400
> Called-Station-Id = \"0017.0e85.f190\"
> Calling-Station-Id = \"0011.2fb9.d08b\"
> Service-Type = Login-User
> Message-Authenticator = 0xec986e334fed0be253f43e2461d77e42
> EAP-Message =
> 0x0203003c158000000032160301002d01000029030146cbafcad15f26ee9c399c30942cb9a40c438dfa3f0aeb13b9b68e7fd7fa6e64000002000a0100
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 322
> State = 0x0aacb6009ffcc2e6b40b7487d9b49dce
> NAS-IP-Address = 10.10.7.203
> NAS-Identifier = \"testbaum\"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module \"preprocess\" returns ok for request 1
> modcall[authorize]: module \"chap\" returns noop for request 1
> modcall[authorize]: module \"mschap\" returns noop for request 1
> rlm_realm: No \'@\' in User-Name = \"tkiziloren\", skipping NULL due to
> config.
> modcall[authorize]: module \"suffix\" returns noop for request 1
> rlm_eap: EAP packet type response id 3 length 60
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 1
> users: Matched entry DEFAULT at line 29
> modcall[authorize]: module \"files\" returns ok for request 1
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tkiziloren
> radius_xlat: \'(uid=tkiziloren)\'
> radius_xlat: \'ou=people,dc=anadolu,dc=edu,dc=tr\'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
> filter (uid=tkiziloren)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tkiziloren authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module \"ldap_1x\" returns ok for request 1
> modcall: leaving group authorize (returns updated) for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> TLS_accept: SSLv3 write server done A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module \"eap\" returns handled for request 1
> modcall: leaving group authenticate (returns handled) for request 1
> Sending Access-Challenge of id 147 to 10.10.7.203 port 1645
> EAP-Message =
> 0x0104040a15c000000644160301004a0200004603014642d682aa7f984a7fcdbc4a6bc13b1d264b81e704929e445b4ebf174c04b7cc20d1ee663783e4d828257c89be8df743bbae47180d8e7bd7a41edc3742644c918a000a0016030105e70b0005e30005e00002c5308202c13082022aa003020102020101300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a86
> EAP-Message =
> 0x4886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333833325a170d3038303530373130333833325a3081a3310b300906035504061302545231123010060355040813095452416e61646f6c75311230100603550407130945736b697365686972311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d003081890281
> EAP-Message =
> 0x8100aa7e832714838afb5c85df7c60afaf107142a9e077659f216e0b0cee26180413d2ce23bd4551cb0e7243dbae482db8757502159b52b08f8776b1fef8110ea8798dc7bd0db591296d73e37cad9a07ad8b1c1db6360104861ae0405cab03544b1ae33633df6a5403c79bdde9ab57ed2dcfe191f5f34418b555c953351acc461ce70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181003c0a0c3e188348ce41725b4c062f8a8570a1bf407bb6ee3504b9df6a18e935fe2f8792c914c2eabadd85e6ea701ec99443a06e436152b7b9fd413cf44fbd09db68cdf3879c76ea673153
> EAP-Message =
> 0xb8adc112064df7b8369c796d37251577569523b465b686408649adbb9f9006148c9e8df035dec411681b9365b9d317f44efd89b9b42b000315308203113082027aa003020102020100300d06092a864886f70d010105050030818f310b300906035504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e7472301e170d3037303530383130333734345a170d
> EAP-Message = 0x3130303530373130333734345a30818f310b30090603
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2c09c8f35ddc35ecd609188a17165621
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.10.7.203:1645, id=148,
> length=148
> User-Name = \"tkiziloren\"
> Framed-MTU = 1400
> Called-Station-Id = \"0017.0e85.f190\"
> Calling-Station-Id = \"0011.2fb9.d08b\"
> Service-Type = Login-User
> Message-Authenticator = 0x9b4e281f16c2c5d3cf691e6e195bea68
> EAP-Message = 0x020400061500
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 322
> State = 0x2c09c8f35ddc35ecd609188a17165621
> NAS-IP-Address = 10.10.7.203
> NAS-Identifier = \"testbaum\"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> modcall[authorize]: module \"preprocess\" returns ok for request 2
> modcall[authorize]: module \"chap\" returns noop for request 2
> modcall[authorize]: module \"mschap\" returns noop for request 2
> rlm_realm: No \'@\' in User-Name = \"tkiziloren\", skipping NULL due to
> config.
> modcall[authorize]: module \"suffix\" returns noop for request 2
> rlm_eap: EAP packet type response id 4 length 6
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 2
> users: Matched entry DEFAULT at line 29
> modcall[authorize]: module \"files\" returns ok for request 2
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tkiziloren
> radius_xlat: \'(uid=tkiziloren)\'
> radius_xlat: \'ou=people,dc=anadolu,dc=edu,dc=tr\'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with
> filter (uid=tkiziloren)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tkiziloren authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module \"ldap_1x\" returns ok for request 2
> modcall: leaving group authorize (returns updated) for request 2
> rad_check_password: Found Auth-Type EAP
> auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module \"eap\" returns handled for request 2
> modcall: leaving group authenticate (returns handled) for request 2
> Sending Access-Challenge of id 148 to 10.10.7.203 port 1645
> EAP-Message =
> 0x0105024e1580000006445504061302545231123010060355040813095452416e61646f6c75311b3019060355040a1312416e61646f6c7520556e6976657273697479310d300b060355040b13044241554d311c301a060355040313136c6461702e616e61646f6c752e6564752e74723122302006092a864886f70d01090116136c64617040616e61646f6c752e6564752e747230819f300d06092a864886f70d010101050003818d0030818902818100f87fe052d754f4586d4e311ea15bb54cd7bbe1e505e648171bfa44c6a1523906cc31d776e4a8113dd3f002e7ddd43868af03076e0f4c57c6791845adc2f7732d909e58267dc127244ebe656f95
> EAP-Message =
> 0xf53a09222a4a3451369f97a04391610dc4b77848268d41b7f9bc37f04654d00abdc0ee376c8aad064e5ac5a5a1595bffeea9b30203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041450fd81eacea4e2d3d18547e154bc515d08630096301f0603551d2304183016801450fd81eacea4e2d3d18547e154bc515d08630096300d06092a864886f70d01010505000381810092f44ed2dade447e098f90432e2a2b58d93139471c0b41d3bbdebf1c2d09e321b43bbe2faad7d8c60e6642f5b6c2746fbb4be07033
> EAP-Message =
> 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xb63cf9e5375c651683e69b8c2d8543fc
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 146 with timestamp 4642d682
> Cleaning up request 1 ID 147 with timestamp 4642d682
> Cleaning up request 2 ID 148 with timestamp 4642d682
> Nothing to do. Sleeping until we see a request.
>
>
>
>
> A.L.M.Buxey wrote:
> >
> > Hi,
> >
> >> However when i try to perform same task by using securew2 on XP
> client,
> >> it
> >> always shows \"attempting to authenticate\",
> >
> > did you configure SecureW2 to allow new connections?
> >
> > alan
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/ttls-problem-tf3717596.html#a10408620
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 25, Issue 36
> ************************************************
>
More information about the Freeradius-Users
mailing list