WPA Enterprise, 802.1X, Freeradius, EAP & Kerberos
Scott Sears
scott at myemma.com
Fri May 8 20:09:55 CEST 2009
Hello,
I am trying to implement WPA Enterprise / 802.1X, Freeradius and
Kerberos. The client is a Linksys running DD-WRT. The Supplicant is
Mac OS Laptop. Both are most recent versions of OS.
I can exececute radtest on localhost and authenticate through
Freeradius to my KDC.
I can get my wireless AP to authenticate through WPA if the user is
located in /etc/raddb/users.
I cannot get all the pieces working together. Laptop->AP->Freeradius-
>Kerberos.
I can see this problem has been posted to the list many times, and I
have read all the archived followups to no avail. I apologize for
bringing it up again. Thanks for reading the details below and I
sincerely appreciate your time and assistance.
Here are the details:
FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu
All conf files are freshly installed default, with ONLY the following
exceptions:
== /etc/raddb/users =
(1st line)
DEFAULT Auth-Type = Kerberos
== /etc/raddb/clients.conf ==
client wireless {
ipaddr = 10.3.10.244
secret = testing123
require_message_authenticator = no
nastype = other
}
== /etc/raddb/modules/krb5 ==
krb5 {
keytab = /etc/krb5.keytab
service_principal = radius/phylloxera.int
}
== /etc/raddb/sites-enabled/default ==
(authenticate section, added just after pap)
Auth-Type Kerberos {
krb5
}
== /etc/raddb/sites-enabled/inner-tunnel ==
(authenticate section, added just after pap)
Auth-Type Kerberos {
krb5
}
Here is the debug when I execute
/usr/sbin/radiusd -X
[root at phylloxera raddb]# /usr/sbin/radiusd -X
FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on
Dec 8 2008 at 16:00:08
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/krb5.rpmsave
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/
sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client wireless {
ipaddr = 10.3.10.244
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_krb5
Module: Instantiating krb5
krb5 {
keytab = "/etc/krb5.keytab"
service_principal = "radius/phylloxera.int"
}
rlm_krb5: krb5_init ok
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m
%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=125
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000b01746573746572
Message-Authenticator = 0x21503e7549c19cf09711c9f0e287924d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message = 0x010100160410b73513541291ee275ba096e282e75d16
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9cd8d359f12250e26f4639c84
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=138
Cleaning up request 0 ID 0 with timestamp +69
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9cd8d359f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060319
Message-Authenticator = 0xca9d479dd79b6db64344460001c1dcff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9cc8e289f12250e26f4639c84
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=244
Cleaning up request 1 ID 0 with timestamp +69
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9cc8e289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0202007019800000006616030100610100005d03014a046f6ffd4622727b7fe840548093a6cd6529401366712b6a4a021431d0890e000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
Message-Authenticator = 0xc01bb915e0c7c19e635ab791c0a6f397
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 075b], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0103040019c000000798160301002a0200002603014a046f70d73689ab83ac05850c5bd976108681d95b675f64a04355c10acba8f300002f00160301075b0b0007570007540003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3039303431353231323835395a170d3130303431353231323835395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c21fdea27ea336dee51d82d37aa2cd6cb5ac428edc9589e722a11dd0b6d2406a3424524f18f4a4ac96cf1fe7efc4181966d8e3feb450d6d77663a5dc055b
EAP-Message =
0xb70617d30dec2ade308d5e6530e8a10239e8031b19e63a9e47a910d1001d2467f2698e7bda7440f9836e836ae8cfa0e0a399ba4daecbb10a39e87779c171f508403da72423897f9c29dc234729bc3e65f504a3008281ec186af0b66d3a85556c9155815a827275fdb08bbc88b853df3302f319e3797db5e4c73c35440ac088bb6f844de1f658e38f9d03065f1eb1753f1f366af383b8554dcb18515f8a6bdb218b193d22ecf42b31b5e90360f0c660874b06eceab5ce20164d113703bb519f897fe10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100ade71a6cecf1ac01e6
EAP-Message =
0xb8b60a0d957897b4d4150ad59299f204cae4806c36bb0c3df5dae241cbf61f9301544e29e51adc5836c0fe2c959c80f77ab2bd91e1a1faf7d42993133d836e4dc772edf387cb4972fcbed57654f0ec76218e39e550a45e7b772a5ef589e8f640da93a36de0d1dc9a24c05f46951ab9c0a74eacf63f4f12366007fdbc01e318dea668aabde8b3a27be808375ab6738e15f9c86478624d81b7af3d60ce6e0e2af140488e82c6ebc7876da321fdc5ff8306e02a7d0e2d4f8dcde33eaf4c0d7ea406bd6637dfc60149e46560bc24c1590514228aebfbeba23035df53620a390643848ceb4a848e6e873e194155abfb769df3b709a7f325735d0003a8308203
EAP-Message = 0xa43082028c020900b50dced6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9cf8f289f12250e26f4639c84
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=138
Cleaning up request 2 ID 0 with timestamp +69
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9cf8f289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0x4efdc7a65d9102db211286ea4c3cbe37
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x010403a81900f8537e02300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303431353231323835375a170d3039303531353231323835375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f
EAP-Message =
0x6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d962c5440c1a7bf32c6cb7cf58cd4070ab1636d5bf0ca68ebcba4b97ec334a2672535a2ee47eb748a00041f3bc24c445e0c7fe7b1dc4ebcd64135451cd43934da86062a857131028e4a3be090b3d3fb774e5902597fc5c92ca1477d167014f49cd1b8f64b6d3a8e44a10734214fc8afd90dbd5e6
EAP-Message =
0x6b9ae7842a9fd5e9ff345e2a0a2ee39b7843a83ee1c05977ff5f05a8ec2a28515e402ec7e46a689977997d3d7b6b7b993dede03acee50e9b874d0d4fdfed37c0522512e03fa0cc040fd0d21cfacad236701204b05e9b72599e1ed17676c716da4e6907bf79de552365c842e55232bd29147fe17251edff51532e3c8810627e877d3ae0867a0fb3bd3ee712bf0203010001300d06092a864886f70d010105050003820101002ad962118ec199e96e24d6f6126e922ae96d14046ca2d1b4648610c97263f5df1d79e7ff2e5371ac3ca567c3fa98020582d955cc9a8e530910a2bae4772dfb102a1b061637c113cbc44dd22e3411b0c4f88afc2e946ead82
EAP-Message =
0xf7e596c56cb721acd62de2a4a89f772f74f4afac32c719b6280a4a5b29da6104c43e970ace2d6c7dc883b2c3eb9b3415e59b271fe2109460fdf1ab1d359fdc5ac71bcda1f350b6c951a3197cebb1be60f811bfe6b93d709455ee6d3f82e571318ebb2aa63fdd0916f4d93707b569ded3f429a4d7772d54d22274902a4c2338a3a6d269704e39ae5d83444a424c9ef607dd51c7a80157542bd8700e8d6c15bacc6f9032fdd0d7e6eb16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9ce88289f12250e26f4639c84
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=470
Cleaning up request 3 ID 0 with timestamp +69
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9ce88289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204015019800000014616030101061000010201003b6a2b000b3edb3d8cfe2c7f98cccec696da6b9b38b21f0578e81534a5c3648e69c385a881e3071c633be194e036610c9485c0a435a3a3650c6f8410b5f2c651b4e8dfa827bedc6d9b7b7368af7b6ea9b8cc90df5227d46674ee65faff16e9e59aee2ad25d7452c54672464c06016cd4b34572170fd22ec0bc47a1bd330a17a46870694f269d88918e85793dcd68717483fa18bb509b492019f60e16cd467a6fae08e6ef9628e7c7dd32e15edcc6702e0f013c92d8ac953a751b35eeeda81268affd614a0491572dbff57d953a5ee96c2e100ad030a6e66d0ef5278ce1933a3652550c3db81e7169
EAP-Message =
0x5a6b42214104860bf1ff779d53c7369fc901e893cb13b70f1403010001011603010030523195a3c58ba7ffeac0e5c403f0ca3878dca29734948add69ddc734524a39037ac173eccf4d87495bcdc2bc32ee3d86
Message-Authenticator = 0xdef03fe0f2fd1527dad419f0ca4a82cb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0105004119001403010001011603010030d233d2d55b9a4773b9280a7c9a51eb7bb57d670664b97b90caa2f8b55fc49d00a4eea9079926b55a97ea4e5fd0139e40
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9c989289f12250e26f4639c84
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=138
Cleaning up request 4 ID 0 with timestamp +69
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9c989289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0x5f15431a241e9da035a94719d1e153fd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0106002b190017030100202422b6d3cc58e9c4df6ddb64156b89872d122024724063adbb8dd5d4d59c1dfd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9c88a289f12250e26f4639c84
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=175
Cleaning up request 5 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9c88a289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206002b190017030100203b73588928855c05e8404224d308d774c925f454228cd76ac9d9ff8c7a501ad9
Message-Authenticator = 0xdc1cd39179ef119fe82530251f72204d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - tester
[peap] Got tunneled request
EAP-Message = 0x0206000b01746573746572
server {
PEAP: Got tunneled identity of tester
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to tester
Sending tunneled request
EAP-Message = 0x0206000b01746573746572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tester"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010700201a0107001b10e3d69f888fd1a1c22ab23fdb0406c09d746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe925397ee9222325c5dc4fd26464f2d4
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700201a0107001b10e3d69f888fd1a1c22ab23fdb0406c09d746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe925397ee9222325c5dc4fd26464f2d4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0107004b190017030100407c2585d5e3825e8c2a2405ff40a4a1b1bac08fc2db4a7f47db9369554831651a5092924a410547a5aa77723734e88014b3efcf29f2d4727e8a8db9b2cbc0e7f9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9cb8b289f12250e26f4639c84
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=239
Cleaning up request 6 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9cb8b289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207006b190017030100603baa25744d564eb3059d38dce66a6fbc9fc3d266380331153f90a67b079e2c023477c06ad51ea3c0639af5af9e8adea052387c1cc106d093f08bc1913f28228514d90caa0c377b3159424b1759395805f8f2c1455e1d724f66240edd2b30ca23
Message-Authenticator = 0x87c4ccaca90ff6414683bf77e1b9dfb5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020700411a0207003c31f415ae70d8b3ae03bd6f856609f16b1600000000000000001486deed28060aea0af3df3e5f8887229975398b0694667a00746573746572
server {
PEAP: Setting User-Name to tester
Sending tunneled request
EAP-Message =
0x020700411a0207003c31f415ae70d8b3ae03bd6f856609f16b1600000000000000001486deed28060aea0af3df3e5f8887229975398b0694667a00746573746572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tester"
State = 0xe925397ee9222325c5dc4fd26464f2d4
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for tester with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0108002b19001703010020bc216b00504ff8add69117afc6cc7e928e4240d2bfcebe8be6530eab97bdf092
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd8c31a9ca84289f12250e26f4639c84
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=175
Cleaning up request 7 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcd8c31a9ca84289f12250e26f4639c84
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0208002b19001703010020ef084f918baf1609d5265d80d08eff32798f600b5c92db2cb8e274078fbcc824
Message-Authenticator = 0x5699520904f01c53d5352d8738666a1a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this
session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> tester
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=125
Cleaning up request 8 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000b01746573746572
Message-Authenticator = 0x3194e7f8f7a958e666638cd3182ddf80
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message = 0x010200160410f7612c264c829c4995aa9cda0e9b127c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c578de5c52e669b108f8455764
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=138
Cleaning up request 9 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c578de5c52e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060319
Message-Authenticator = 0xa9a0893329cc091115343940f725fcec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c579df4152e669b108f8455764
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=244
Cleaning up request 10 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c579df4152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0203007019800000006616030100610100005d03014a046f6f7d6aaeb890601ac86bcecc8affe25094a4150fb95cbf3f7e1d160646000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
Message-Authenticator = 0xe3c10ee0699969c4312d3bf0b58056d6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 075b], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0104040019c000000798160301002a0200002603014a046f71c8aacead425cef78684cae50dc0259c36026fbce1a09cb7e080a6f8c00002f00160301075b0b0007570007540003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3039303431353231323835395a170d3130303431353231323835395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c21fdea27ea336dee51d82d37aa2cd6cb5ac428edc9589e722a11dd0b6d2406a3424524f18f4a4ac96cf1fe7efc4181966d8e3feb450d6d77663a5dc055b
EAP-Message =
0xb70617d30dec2ade308d5e6530e8a10239e8031b19e63a9e47a910d1001d2467f2698e7bda7440f9836e836ae8cfa0e0a399ba4daecbb10a39e87779c171f508403da72423897f9c29dc234729bc3e65f504a3008281ec186af0b66d3a85556c9155815a827275fdb08bbc88b853df3302f319e3797db5e4c73c35440ac088bb6f844de1f658e38f9d03065f1eb1753f1f366af383b8554dcb18515f8a6bdb218b193d22ecf42b31b5e90360f0c660874b06eceab5ce20164d113703bb519f897fe10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100ade71a6cecf1ac01e6
EAP-Message =
0xb8b60a0d957897b4d4150ad59299f204cae4806c36bb0c3df5dae241cbf61f9301544e29e51adc5836c0fe2c959c80f77ab2bd91e1a1faf7d42993133d836e4dc772edf387cb4972fcbed57654f0ec76218e39e550a45e7b772a5ef589e8f640da93a36de0d1dc9a24c05f46951ab9c0a74eacf63f4f12366007fdbc01e318dea668aabde8b3a27be808375ab6738e15f9c86478624d81b7af3d60ce6e0e2af140488e82c6ebc7876da321fdc5ff8306e02a7d0e2d4f8dcde33eaf4c0d7ea406bd6637dfc60149e46560bc24c1590514228aebfbeba23035df53620a390643848ceb4a848e6e873e194155abfb769df3b709a7f325735d0003a8308203
EAP-Message = 0xa43082028c020900b50dced6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c57ad84152e669b108f8455764
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=138
Cleaning up request 11 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c57ad84152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0x05c66744945082f28f36c2771a60e3f2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x010503a81900f8537e02300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303431353231323835375a170d3039303531353231323835375a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f
EAP-Message =
0x6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d962c5440c1a7bf32c6cb7cf58cd4070ab1636d5bf0ca68ebcba4b97ec334a2672535a2ee47eb748a00041f3bc24c445e0c7fe7b1dc4ebcd64135451cd43934da86062a857131028e4a3be090b3d3fb774e5902597fc5c92ca1477d167014f49cd1b8f64b6d3a8e44a10734214fc8afd90dbd5e6
EAP-Message =
0x6b9ae7842a9fd5e9ff345e2a0a2ee39b7843a83ee1c05977ff5f05a8ec2a28515e402ec7e46a689977997d3d7b6b7b993dede03acee50e9b874d0d4fdfed37c0522512e03fa0cc040fd0d21cfacad236701204b05e9b72599e1ed17676c716da4e6907bf79de552365c842e55232bd29147fe17251edff51532e3c8810627e877d3ae0867a0fb3bd3ee712bf0203010001300d06092a864886f70d010105050003820101002ad962118ec199e96e24d6f6126e922ae96d14046ca2d1b4648610c97263f5df1d79e7ff2e5371ac3ca567c3fa98020582d955cc9a8e530910a2bae4772dfb102a1b061637c113cbc44dd22e3411b0c4f88afc2e946ead82
EAP-Message =
0xf7e596c56cb721acd62de2a4a89f772f74f4afac32c719b6280a4a5b29da6104c43e970ace2d6c7dc883b2c3eb9b3415e59b271fe2109460fdf1ab1d359fdc5ac71bcda1f350b6c951a3197cebb1be60f811bfe6b93d709455ee6d3f82e571318ebb2aa63fdd0916f4d93707b569ded3f429a4d7772d54d22274902a4c2338a3a6d269704e39ae5d83444a424c9ef607dd51c7a80157542bd8700e8d6c15bacc6f9032fdd0d7e6eb16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c57bd94152e669b108f8455764
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=470
Cleaning up request 12 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c57bd94152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0205015019800000014616030101061000010201004202367899c3b793e58f85eec54ec3d11ea5c6800f075d699049871581144420a8d3dc1f2754eff11d2bf4203b2398b5a7a994b8de84c2f9e3d976e28e8576978d43173d352cfcf5cce2da6374106face22df881f22b3783440ff08496e7c85a180ba55837efc2ce7bc8d2dfb5e6db95b957c6caebf2dd48eee51b2314de51cde52bb1f3578efe428ac32c5a4f1a8263315fd59799e5449c166704227f3d1765891b47808ec9775bfe6863f9a75337c5968f2b81a3dc05f09ceb1151b9875c82f3c663958f578dc2b82c6fe04a949539041875efa0de9eae9e772592e6ae7f1b3d0328b6ad6a3a92
EAP-Message =
0xdd6767afc3d0ffaceeca4952958bf89b71f6e1d7d4b649b51403010001011603010030c258f6ca81c4367137829a379f872c85f15ec4e0ac8f51ed46ac28fb62eb72fa696e0ea9d4e0e443bec9c6535d7bc46a
Message-Authenticator = 0x4f3f3f37579e8ad0b7066fa0405493b0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0106004119001403010001011603010030795e90a9ee62aefc345d48a85c3773deb9e5c7ca96666cab97a391a7270d20124acd3d2e60516e1437b69176e43a3f06
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c57cda4152e669b108f8455764
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=138
Cleaning up request 13 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c57cda4152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061900
Message-Authenticator = 0x0127c630203668e74ce78a8061760d8a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0107002b190017030100209f2268fee846793f5e2d91120ef82714cd39e92edbb90bb6a78247708dc580ec
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c57ddb4152e669b108f8455764
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=175
Cleaning up request 14 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c57ddb4152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0207002b19001703010020d1323b8745befe8dd0d52860fa045bff328dd0064886b2e1f65f720a8c6903ec
Message-Authenticator = 0xd56322919087c0d758cb8ec640899a42
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - tester
[peap] Got tunneled request
EAP-Message = 0x0207000b01746573746572
server {
PEAP: Got tunneled identity of tester
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to tester
Sending tunneled request
EAP-Message = 0x0207000b01746573746572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tester"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800201a0108001b10487952190361a4bc6c5211037f944c43746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x64d177e764d96d1b400f4dd37b7bca98
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800201a0108001b10487952190361a4bc6c5211037f944c43746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x64d177e764d96d1b400f4dd37b7bca98
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0108004b19001703010040d219d80fa26576c8ce19ab7a9e891944155f20b7e19366e64b8975cbf8731f837b9dba4205dc568e146fd55941531e0b8d2669ec7dd8a0f2bf4dfe7f8357f2b2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c57ed44152e669b108f8455764
Finished request 15.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=239
Cleaning up request 15 ID 0 with timestamp +70
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c57ed44152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0208006b19001703010060bc0f8394d7a2889505db5d86be74fcfe859175dcdcbedd71a0c628ea107f34adb0a24bbdf710f0dd7219fea3387b0faa439facdaaf73bbef0b04b0ccf3c974df2cf4239525aa3638a8223a6bce230ab8ca0628a5fcfa3f020b4edf78b2ab0a7a
Message-Authenticator = 0xd95188675b4fad312942d9c5f83398af
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800411a0208003c31944d3962585fa4571e78b1701f226610000000000000000026c2cd378ca09641cc901c546d5cb398beb1288fd42726c000746573746572
server {
PEAP: Setting User-Name to tester
Sending tunneled request
EAP-Message =
0x020800411a0208003c31944d3962585fa4571e78b1701f226610000000000000000026c2cd378ca09641cc901c546d5cb398beb1288fd42726c000746573746572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tester"
State = 0x64d177e764d96d1b400f4dd37b7bca98
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for tester with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.3.10.244 port 1027
EAP-Message =
0x0109002b1900170301002060bfbfb66c2bd64e39f20872626195a181c0c08bca0521ea5b49bfac3a094a12
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x78dc58c57fd54152e669b108f8455764
Finished request 16.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.3.10.244 port 1027, id=0,
length=175
Cleaning up request 16 ID 0 with timestamp +74
User-Name = "tester"
NAS-IP-Address = 10.3.10.244
Called-Station-Id = "001a70e1d008"
Calling-Station-Id = "0017f242d025"
NAS-Identifier = "001a70e1d008"
NAS-Port = 55
Framed-MTU = 1400
State = 0x78dc58c57fd54152e669b108f8455764
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0209002b19001703010020602339290ccce2168a04de6503cc6adcfdbb2e0c274149a39c0980b0c64e6491
Message-Authenticator = 0xaff4f98041cc4d8d802f7e234a36ec41
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this
session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> tester
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 17 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 17
Sending Access-Reject of id 0 to 10.3.10.244 port 1027
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 17 ID 0 with timestamp +74
Ready to process requests.
Scott Sears
scott at myemma.com
More information about the Freeradius-Users
mailing list