how to set eap/ttls tunnel with auth-type pap work
Andy An
andyan at eciad.ca
Wed Jul 23 03:13:34 CEST 2008
Hi Alan/Ivan:
I configured my freeradius server 2.0.5 for our realm xxxx.ca with
Ivan's guides, and it works well with a local test or NTRadPing (from WinXP),
which did not use any eap stuff.
But when I tested with a Netgear AP, which needs to use an eap/ttls tunnel
with pap inside the tunnel, it failed with the message "rlm_pap: No
clear-text password in the request. Not performing PAP. ++[pap] returns
noop auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user." (no matter whether my username is
with/without realm). Before I created realm xxxx.ca in the proxy.conf file,
both types of tests (i.e. with/without eap/ttls tunnel) worked fine.
Enclosed here is the debugging output:
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=52,
length=153
User-Name = "andyan"
NAS-IP-Address = 10.10.10.29
NAS-Port = 2
Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
Calling-Station-Id = "00-17-F2-52-8A-C7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0200000b01616e6479616e
Message-Authenticator = 0x9b0622cd28c0ca07a2894252266d9582
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:18 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for andyan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan)
expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.eciad.ca:389, authentication 0
rlm_ldap: bind as cn=radius,ou=Applications,dc=eciad,dc=ca/#password to
ldap1.eciad.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter
(uid=andyan)
rlm_ldap: Added User-Password = {crypt}24234234fsdgfs2342 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user andyan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 52 to 10.10.10.29 port 1265
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c8576424c846361777cb0ac160f1e24
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=53,
length=272
User-Name = "andyan"
NAS-IP-Address = 10.10.10.29
NAS-Port = 2
Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
Calling-Station-Id = "00-17-F2-52-8A-C7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0201007015800000006616030100610100005d030148867b68f229dc3370728c32f16cc8eba5dace189d85f03d39f18438ab70dbde000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
State = 0x4c8576424c846361777cb0ac160f1e24
Message-Authenticator = 0x5d147b305a321b03b57beb1712544955
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:18 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 1 length 112
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 102
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 53 to 10.10.10.29 port 1265
EAP-Message =
0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303631383232303934315a170d3039303631383232303934315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5d8f1bfb0aec2555c5e034ee4677c814ac120afc2c6737fae65f755df4a
EAP-Message = 0x2889877f5db3c70defc739be
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c8576424d876361777cb0ac160f1e24
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=54,
length=166
User-Name = "andyan"
NAS-IP-Address = 10.10.10.29
NAS-Port = 2
Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
Calling-Station-Id = "00-17-F2-52-8A-C7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061500
State = 0x4c8576424d876361777cb0ac160f1e24
Message-Authenticator = 0x0b5f2f4dbef2761860878e8a58a3fb97
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:19 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 54 to 10.10.10.29 port 1265
EAP-Message = 0xb78977c9a55b9a3571e655a3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c8576424e866361777cb0ac160f1e24
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=55,
length=166
User-Name = "andyan"
NAS-IP-Address = 10.10.10.29
NAS-Port = 2
Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
Calling-Station-Id = "00-17-F2-52-8A-C7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061500
State = 0x4c8576424e866361777cb0ac160f1e24
Message-Authenticator = 0x427b0f9046aa0368441bfe10c2d7179a
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:19 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 55 to 10.10.10.29 port 1265
EAP-Message =
0x010400d91580000008bb04ae601515d34e563c02cc3de859401a836dc8d5b9e0c675cc610078839fc238a6f3ca30ce79381a61c588416489587635fe1fa874b66bc643d652e322305ad54f40382d23f7fe74c6df9df734c099780d8604e304ca13d8bc9e2bb3ebd9221731634de6099bb36ff584bae8b16bfd00d3b19ffe67c20b40e9d66366325f55810904fc6fa593c6186bf3cedd075e3c447a65a23d444547c434ec02220b377133980437496ee79601f296ea241e10ed902bcdf83adac9980a26ac91f4b034ef1e88febcd2e3a416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c8576424f816361777cb0ac160f1e24
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=56,
length=498
User-Name = "andyan"
NAS-IP-Address = 10.10.10.29
NAS-Port = 2
Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
Calling-Station-Id = "00-17-F2-52-8A-C7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0204015015800000014616030101061000010201004ceebe5f879c41a3395d900eea4eb9966d09e70dc9df76e62f4b0affb35186dbaf85a117a323524a163eaa6f96d26ed9c7e9e75bbf86c15067035166e9e00b5e7226527516b954ba6b671993562c37555bbfe8a01223163311723e6e54d4f799c84d5c31745b311c0ac699953c5b854eb6f490116780513148e5d1e65c5974824b5fb3d951969c0e631c0511f7a5e4362927de0802017cb1bddf30bcf459b83f4faf5c1bc0e9b3d2714121d5e8952ab7746f63747bfb56134f5943d006a9c08a66de60ee8f2bf08ecea6919f8c9b1fd54dd4ad4d4ceefe6ac7bdeb8a4618549b22278c2065efcff4
EAP-Message =
0x24092ced63af3d613749e3b3b718a8050e3598c26e4fa27914030100010116030100300e32ab01355213c817cdedc7514b16d9b5f9e654efa6b9719e0270680c1ba911b01901404fc087870162cdadcd55db30
State = 0x4c8576424f816361777cb0ac160f1e24
Message-Authenticator = 0x35b507b12476ef1128fe82146ce3a7eb
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:19 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 4 length 253
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 326
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 56 to 10.10.10.29 port 1265
EAP-Message =
0x0105004515800000003b1403010001011603010030fde8c6f00ff0117be406521d638021351155e4bf6e518fe011ae9856c9a02a77a7c883770992848eb3f5ef926cb0a2cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c85764248806361777cb0ac160f1e24
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=57,
length=319
User-Name = "andyan"
NAS-IP-Address = 10.10.10.29
NAS-Port = 2
Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
Calling-Station-Id = "00-17-F2-52-8A-C7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x0205009f1580000000951703010090a9ab31a7f43c2c59f864f296d626095e508727aa6d4307653d6b9ecbe7650e8ea07fdb2154f9309e6beae535be1fff046b09d490cb1812abd04d9786a8581c5aff4c9bcded643edc67f71220341b01f4bcc1cd1eb13f3610fe7ddef6bb2b7b78f9d131f3c788f156c965e1fcd9fa219ae71b29e33f8cb796582208aa4155e240d2f19d32eb483e97707ca9d74e47924c
State = 0x4c85764248806361777cb0ac160f1e24
Message-Authenticator = 0x0ae56b01a9b527a7ea9ec6b016b0f1c3
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:19 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 5 length 159
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 149
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled
attributes.
+- entering group authorize
expand:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
expand: %t -> Tue Jul 22 17:29:19 2008
++[auth_log] returns ok
rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "andyan"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for andyan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan)
expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter
(uid=andyan)
rlm_ldap: Added User-Password = {crypt}26dafouiho8902 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user andyan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: No clear-text password in the request. Not performing PAP.
++[pap] returns noop
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> andyan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 57 to 10.10.10.29 port 1265
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
Going to the next request
Thanks in advance for any guide/clue.
--
Andy An Junior Programmer
Information Technology Services
Emily Carr University of Art and Design
Tel: 604-630-4556 Fax: 604-844-3801
SB Room 341
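
Added example, not part of the original post: a small decoder for the EAP-Message values in the debug output above, following the RFC 3748 header and the EAP-TLS/TTLS flags octet. The hex strings are copied from the log (the id 5 response is cut to its first 15 bytes); the function and field names are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert",
               22: "Handshake", 23: "ApplicationData"}

# Values taken from the log above; the fourth is only a prefix of the full attribute.
SAMPLES = [
    "0x0200000b01616e6479616e",          # request 0, from the AP
    "0x010100061520",                    # first Access-Challenge
    "0x020200061500",                    # request 2, from the AP
    "0x0205009f1580000000951703010090",  # request 5 (truncated prefix)
    "0x04050004",                        # final Access-Reject
]

def decode_eap(hex_value):
    """Decode the EAP header and, for EAP-TLS/TTLS, the flags octet."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("an EAP packet has at least a 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code), "id": ident,
           "length": length, "truncated": len(raw) < length}
    if code not in (1, 2) or len(raw) < 5:
        return pkt                       # Success/Failure have no Type field
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, "type-%d" % eap_type)
    data = raw[5:length]
    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type in (13, 21) and data:
        flags, tls = data[0], data[1:]
        pkt["start"] = bool(flags & 0x20)            # S bit
        pkt["more_fragments"] = bool(flags & 0x40)   # M bit
        if flags & 0x80:                 # L bit: 4-byte total TLS length follows
            if len(tls) < 4:
                raise ValueError("L flag set but TLS length field is missing")
            pkt["tls_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        # No L/M/S flags and no TLS data is a fragment acknowledgement.
        pkt["ack"] = not tls and not flags & 0xE0
        if tls:
            pkt["first_record"] = TLS_RECORDS.get(tls[0], "unknown(%d)" % tls[0])
    return pkt

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:34], decode_eap(sample))
```

The id 5 response starts with a TLS ApplicationData record, so the tunneled attributes travel encrypted and only the server's own debug output shows what the inner request did or did not contain.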