PEAP/MSCHAPv2, Post-Auth-Type REJECT {} of inner-tunnel is never entered for access reject
Fads Afds
down101load at yahoo.com.hk
Thu Jul 8 13:15:36 CEST 2010
Hi Fellows,
I have configured FreeRadius 2.1.8 running on SLES 11 for PEAP/MSCHAPv2. MySQL is used for user database. I have tested using "eapol_test" and win/XP SP3 supplicant.
Accounting data can be received & stored to radacct table.
Inner-server can successfully accept user with accumulated session time quota not exceeded and reject user with accumulated session time quota exceeded.
My problem:
I expect to store accept or reject log with rejecting message to radpostauth table.
For access-accept case, sql inside post-auth {} of inner-tunnl is invoked and logging message is written to radpostauth table as expected.
For access-reject cases (username not existed in db, wrong username, accumulated session time quota exceeded, etc), Post-Auth-Type REJECT {} of inner-tunnel is never entered. What is wrong? Any help? Thanks in advance.
Cheers,
Joe
Below include:
1. Content of post-auth section of file /etc/raddb/sites-available/inner-server:
2. content of authorize section of file /etc/raddb/sites-available/inner-server:
3. radiusd -X debug message for access-accept case
4. radiusd -X debug message for access-reject case
-------1. Content of post-auth section of file /etc/raddb/sites-available/inner-server:---------
post-auth {
#1st successful login and account NOT expired: update "ticket_expiration" and "1st_login_date" in table "radreply" by external script
if ( ("%{reply:1st_login_date}" == "29991231") && ("%{reply:acct_expiration}" >= "%D") ) {
#invoke external script by module "exec"
1st_login_update
noop
}
sql
Post-Auth-Type REJECT {
sql
reply_log
attr_filter.access_reject
}
}
----1. ends-------------------------------------------------------------
----2. Content of authorize {} section of file /etc/raddb/sites-available/inner-server:------
authorize {
mschap
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
auth_log
sql
#Username NOT existed in db
if (!(control:Cleartext-Password)) {
update control {
My-Err-Message := "Username %{request:User-Name} not existed in db"
Post-Auth-Type := "REJECT" //same result with or without this statement
}
reject
}
#account expired
elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) {
update control {
My-Err-Message := "Your BU-Guest account has been expired since %{reply:acct_expiration}"
Post-Auth-Type := "REJECT" //same result with or without this statement
}
reject
}
#account NOT expired. Already login before and ticket expired: Rejected and return message "Your BU-Guest ticket has expired"
elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_expiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expiration}" < "%D") ) {
update control {
My-Err-Message := "Your BU-Guest ticket has been expired since %{reply:ticket_expiration}"
Post-Auth-Type := "REJECT" //same result with or without this statement
}
reject
}
#for session-time quota, modify My-Err-Message if exceeded
noreset_time_counter {
reject = 1
}
if (reject) {
update control {
My-Err-Message := "Your session-time quota has been used up."
}
reject = return
}
#for session-traffic quota, modify My-Err-Message if exceeded
noreset_traffic_counter {
reject = 1
}
if (reject) {
update control {
My-Err-Message := "Your session-traffic quota has been used up."
}
reject = return
}
}
-------2. ends---------------------------------------------------------
--------------3. radiusd -X debug message for access-accept case -------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=0, length=118
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000a0174696d6533
Message-Authenticator = 0x86d8b188ea06f1e2db10c3c3f095378f
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 58342
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c3420710d2d583cbd5e9f57d1d5e1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=1, length=235
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201006d198000000063160301005e0100005a03014c35a79c66aa56
b5c22cbfc40e708d0c8c7f35b5d8f5b657853a6a25057c2de3000032003900380035008800870084
00160013000a00330032002f00450044004100050004001500120009001400110008000600030201
00
State = 0x710c3420710d2d583cbd5e9f57d1d5e1
Message-Authenticator = 0xef0d3c6f293a95565fa98cb8eb7bc11e
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 109
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 99
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005e], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084d], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 58342
EAP-Message = 0x0102040019c000000abc160301004a0200004603014c35a79c7bfdb3
61e9348ae2501e91aca3880058ed5258cf4b1ad43c4c1ee7522042bd3af4db1b4644e3a178f359c0
982943e723d7f05cd6cd24524614ee6c0313003901160301084d0b0008490008460003a8308203a4
3082028ca003020102020101300d06092a864886f70d010104050030818c310b3009060355040613
02434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a13
04484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e
6564752e686b312a302806035504031321484b425520477565
EAP-Message = 0x73742043412063657274202836346269742073657276657229302017
0d3130303632343033353835305a180f32303530303631343033353835305a308182310b30090603
5504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06
035504031325484b4255204775657374207365727665722063657274696669636174652028363462
6974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564
752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649e
e337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433
EAP-Message = 0x22c38dd78776d5ad0cb747a32f6b512dce6d26cccffefd49cf151767
0305c6cb6eee0b70c86cb259383ca439bf011e8d8689cd17c41e99498256f13e6f14282b8eeef46f
95e742d40254b69d7270d1d349e8cd41cff1dc98ea38fb494ea6007aed1575391d69e9f1c230fea9
125f09a28d544282e9520e4c5987f54ff43f94567991d6172f98bfd3a200aeb07e60345e40caff2f
1f34c52e77707e3321a774bc7601827ccbd723e044ee635de38dc174e37aea2640f5dbacb3454bd8
9bd2e03b81031365232fe8f014c069983950f75aa8fdcce7a9ee52d57dc7fec1512a57fabb3b993b
0203010001a317301530130603551d25040c300a06082b0601
EAP-Message = 0x0505070301300d06092a864886f70d01010405000382010100192613
ffaf84004131ad7ce0d3da7b42d8a594371b96058ea7dc28554921dfd279076ad03cbf83ab81d7d3
ac909202e97a3c22fdad6eee38f2961ef4e9cc9398c5e4bd8a0f41c9174d4fa44a1e77e95c887c06
5197300ea90c8ffc1d32c898c4e137b6a74834c769d7be8008fea4b3ca9c5a33505b588fd93fa440
584d00f8c0c11d62bd886037289e5f27cec1039a4c311a04a7cf75b9ed578b840c66993dea65d31a
df591ffc290d98d6565e70a1d3d45ae3f0c877c5104d1def8c23a79f38c92731165bfb2a84759f2c
6c07e15ff75e4fe6f99e67dac4fc5ca7bf6cbdf849c44b77f6
EAP-Message = 0x614977256b1dcde1b92a76f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c3420700e2d583cbd5e9f57d1d5e1
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=2, length=132
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x710c3420700e2d583cbd5e9f57d1d5e1
Message-Authenticator = 0x891c4b49a9002f7d191a0b0a552ce142
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 58342
EAP-Message = 0x010303fc1940d8d084a884e20a2a165c46af33618c22000498308204
943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c31
0b300906035504061302434e310b300906035504081302484b310c300a0603550407130365647531
0d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f744066726775
6573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120
636572742028363462697420736572766572293020170d3130303632343033353833335a180f3230
3530303631343033353833335a30818c310b30090603550406
EAP-Message = 0x1302434e310b300906035504081302484b310c300a06035504071303
656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440
667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374
204341206365727420283634626974207365727665722930820122300d06092a864886f70d010101
05000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038
258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec
5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852
EAP-Message = 0x621586b8db41ce111ebf2befc143a5cc9d562d020594fe407135ec1c
068dd0303eca75e5c5dd9cab898af3e870072ea3eca78602644eea0bac0c5619925b56aba1b1c1fc
4c48fded87cdcf44d1b99a2c1f534e8b88e4a35f9d1ffa8a50cdb402743516a0cbce2a4796459501
875ec225357d4a362202e15ee12a0154f018e5b84a5e5884c268d3154ed41f7b78ea2f6df852e07b
dd50a55c26467bcaf75c41d393bc78b27fb5170203010001a381f43081f1301d0603551d0e041604
14c134ca58d9d8f09b9207417630a08266b192ef523081c10603551d230481b93081b68014c134ca
58d9d8f09b9207417630a08266b192ef52a18192a4818f3081
EAP-Message = 0x8c310b300906035504061302434e310b300906035504081302484b31
0c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d
0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321
484b42552047756573742043412063657274202836346269742073657276657229820900a00b0c8b
6ee723bb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000d81
bb75569e9ce10ee1cc274ce224d6d175d681f14079bdb2953b179dc9e15eedecd08f8d61f1759f3b
b4c97458573e0b9b6b6be66954fc48d713a54ad949e99d806a
EAP-Message = 0x400957b5cd394c74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c3420730f2d583cbd5e9f57d1d5e1
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=3, length=132
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x710c3420730f2d583cbd5e9f57d1d5e1
Message-Authenticator = 0x79334670af1988e1500764f8893519a6
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 58342
EAP-Message = 0x010402d6190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584
510b5f850ecbe4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5
a2a6ddef1becbbaa64117a58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f6
4edc638e6a8b5511cd2c9eff129e700e0d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1
e07e30de728a7e8a4dc07dda92896b8975d7907b85b66fedf2623b70b61a7757012cb421a8c76616
0301020d0c00020900808fcc5daaf65ec4b9ed53a13aa5563c3a857d7b01a0935ce18302cbbd8117
bdcee617438d810d33e6737c2b63ad1b1e728d85e9aa9c155d
EAP-Message = 0x84c5499240de4a0574ca81181dd71a196f1dccceee978f8380d16b7e
6019d903f2d5ed2428b8649b958dbd4a5c52b8f99989c064eb651266552a0b7eab32727454b2eee7
89c78aee3b000102008060d8a5934ce34b81cafd1c3fc8d46c5a388ed272c775dc16850bcf8d809b
5993441c997f71796739ce92d291e79f35676eb5c9bd803930ffbb7c1f1970328686307c6b6a6b33
22f3b0d6dcba4517a1af53ab3cf8a94ccc14999749239a1f1c141a3caab94646d10555148c750103
7469ed434c26f16fe521d5b9c63390591e9e010073b6d948f1730fabd195f88b32ab2073c1177e3f
8313ff0fb86c4516230d64748f4ad6e05d3a74c60a5e3771c5
EAP-Message = 0xb48e7440d370543c830387f08a3c5f8deef8c1def77e7e7114997e5d
fcfa90d5d07d583b5e1913372411b2713f6c433f7feaf0cbb11357370479999f6ed5f02a67817c27
97f3e751f6e2636654cca929d4ea24237452d4ecc44466c0e5b8ef89e38d633335debe853d61d61a
f6e12e19984be1e4d05264eef13ffb0f4e295f30d6ccb0990906f3086641ebae82786bc7765ecc90
f7aafd63506946bc0d548f62c6fd3d3ccce0926860b91a4f44f8368a1cd6cef37b4299cb396a415a
4efb937eafe3460f003aa489ea61a63d3d645ed26883a716030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c342072082d583cbd5e9f57d1d5e1
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=4, length=334
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400d01980000000c616030100861000008200801d83588e38d9da
df4ffe23f7ed3b2b90f36c0943746527fc0bb73b2c79a83dc173d0ec11b22f40f9fa76c19a6ea462
a2d9269ab0ea7f5550b600a937d2ad6732c27835d982a04e89c69ec524012ce45abadffdec3023be
60a2d2b26a3a0402508b51917d53c3c62dcae67677282e66794baa766791251219f7e9de3b739abe
7d1403010001011603010030ed2012e3aa97c24fa0a52ec354e56dfdc5b34487cc0e70fbb71eb3f8
5860f8eac1199394ced9ca49eb9563a06a35e79d
State = 0x710c342072082d583cbd5e9f57d1d5e1
Message-Authenticator = 0x751c2b6c92f2074d37c88e84f2454e0d
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
SSL: adding session 42bd3af4db1b4644e3a178f359c0982943e723d7f05cd6cd24524614ee
6c0313 to cache
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 58342
EAP-Message = 0x0105004119001403010001011603010030723f44d9944d700c443127
d161158b7db2f0787daccd60449dc6784b09a0a8d384d46ac7acac5b8084f40b7a9bc03f77
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c342075092d583cbd5e9f57d1d5e1
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=5, length=132
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0x710c342075092d583cbd5e9f57d1d5e1
Message-Authenticator = 0xe84f03f178a81841fb46d3c61aa66e99
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 58342
EAP-Message = 0x0106002b19001703010020745a8862fff74372e41763caf7ac58d0a9
10a05c983876e0f379e1d7752e07ef
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c3420740a2d583cbd5e9f57d1d5e1
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=6, length=222
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02060060190017030100204f0b0f1efbcee34d4265a97b4fc13660be
ff23b2408795c7ffc1a1c02227390e17030100300d3f41614731127eab3ca84d6cbfd7487854adc3
a6be922e4bd29675dad485590057a354a2723f2afd8b58c4e211661b
State = 0x710c3420740a2d583cbd5e9f57d1d5e1
Message-Authenticator = 0xbdc712363b5e27d3228a5a4d717c3bd6
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - time3
[peap] Got tunnled request
EAP-Message = 0x0206000a0174696d6533
server (null) {
PEAP: Got tunneled identity of time3
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to time3
Sending tunneled request
EAP-Message = 0x0206000a0174696d6533
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
ds to /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] expand: %t -> Thu Jul 8 18:25:32 2010
++[auth_log] returns ok
[sql] expand: %{User-Name} -> time3
[sql] sql_set_user escaped user --> 'time3'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: (SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SEL
ECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck
WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER
BY id -> (SELECT id, username, attribute, value, op FROM radcheck WHERE usern
ame = 'time3' and attribute != 'Cleartext-Password') UNION (SELECT id, username,
attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username =
'time3' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query: (SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'time3' and attribute != 'Cleartext-Password') UNION (SELECT
id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHE
RE username = 'time3' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radrepl
y WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radreply WHERE usern
ame = 'time3' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'time3' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE user
name = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'time3' ORDER BY prior
ity
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHE
RE username = 'time3' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
expand: %{reply:acct_expiration} -> 29991231
expand: %D -> 20100708
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) ->
FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
expand: %{reply:ticket_expiration} -> 20100830
expand: %D -> 20100708
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{
User-Name}''
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNam
e='time3'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNa
me='time3'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter] expand: %{User-Name} -> time3
[noreset_time_counter] sql_set_user escaped user --> 'time3'
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='time3' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time
3'
[noreset_time_counter] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/
sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='
time3'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[noreset_time_counter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct W
HERE UserName='time3'} -> 314
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user time3, check_item=4000000000, counter=314
rlm_sqlcounter: Sent Reply-Item for user time3, Type=Session-Timeout, value=3999
999686
++[noreset_time_counter] returns ok
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noreset_traffic_counter] returns noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Session-Timeout = 3999999686
EAP-Message = 0x0107001f1a0107001a10fff84cf3de7f4c94dd82062ae0a7cc3a7469
6d6533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a6fce370a68d41840671b0d943be774
[peap] Got tunneled reply RADIUS code 11
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Session-Timeout = 3999999686
EAP-Message = 0x0107001f1a0107001a10fff84cf3de7f4c94dd82062ae0a7cc3a7469
6d6533
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a6fce370a68d41840671b0d943be774
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 58342
EAP-Message = 0x0107004b19001703010040dcc0c868deed88fa3789019a7fea4c9f76
adf44ae61e81ee6667849626e5908b85dbe5a43227c582a624c356435ccad8d0249db5cbb190a77c
e4d8652b4bc46b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c3420770b2d583cbd5e9f57d1d5e1
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=7, length=270
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0207009019001703010020d4d6a820410d0522989fa80aa89cec5b6e
14721ddccc2012d5e5c5c7214caeee17030100609922e3d2b5a68f441931df2eb4f29652a9111634
f2a22b98d51f5873e7034b798ac6660188bb1398c03e7cb9299417260b45ba08275c3ef3c7492f77
37672412dea92f4c9b13049b4a56421e5bcf158f9883c805399c096733f112a8b0e9873a
State = 0x710c3420770b2d583cbd5e9f57d1d5e1
Message-Authenticator = 0x822422970a0a08993b17aa87398031b9
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020700401a0207003b31ca83d4b3a63676473f79a8407ad5a3510000
00000000000072fec53acc650555265ec2e8be09158058c8f9d2f675a4a50074696d6533
server (null) {
PEAP: Setting User-Name to time3
Sending tunneled request
EAP-Message = 0x020700401a0207003b31ca83d4b3a63676473f79a8407ad5a3510000
00000000000072fec53acc650555265ec2e8be09158058c8f9d2f675a4a50074696d6533
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "time3"
State = 0x0a6fce370a68d41840671b0d943be774
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
ds to /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] expand: %t -> Thu Jul 8 18:25:32 2010
++[auth_log] returns ok
[sql] expand: %{User-Name} -> time3
[sql] sql_set_user escaped user --> 'time3'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: (SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SEL
ECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck
WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER
BY id -> (SELECT id, username, attribute, value, op FROM radcheck WHERE usern
ame = 'time3' and attribute != 'Cleartext-Password') UNION (SELECT id, username,
attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username =
'time3' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query: (SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'time3' and attribute != 'Cleartext-Password') UNION (SELECT
id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHE
RE username = 'time3' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radrepl
y WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radreply WHERE usern
ame = 'time3' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'time3' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE user
name = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'time3' ORDER BY prior
ity
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHE
RE username = 'time3' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
expand: %{reply:acct_expiration} -> 29991231
expand: %D -> 20100708
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) ->
FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
expand: %{reply:ticket_expiration} -> 20100830
expand: %D -> 20100708
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{
User-Name}''
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNam
e='time3'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNa
me='time3'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter] expand: %{User-Name} -> time3
[noreset_time_counter] sql_set_user escaped user --> 'time3'
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='time3' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time
3'
[noreset_time_counter] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/
sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='
time3'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 1
[noreset_time_counter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct W
HERE UserName='time3'} -> 314
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user time3, check_item=4000000000, counter=314
rlm_sqlcounter: Sent Reply-Item for user time3, Type=Session-Timeout, value=3999
999686
++[noreset_time_counter] returns ok
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noreset_traffic_counter] returns noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for time3 with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Session-Timeout = 3999999686
EAP-Message = 0x010800331a0307002e533d4545334331373933383638393534324139
3230333839453445413539304631343245394331413644
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a6fce370b67d41840671b0d943be774
[peap] Got tunneled reply RADIUS code 11
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Session-Timeout = 3999999686
EAP-Message = 0x010800331a0307002e533d4545334331373933383638393534324139
3230333839453445413539304631343245394331413644
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a6fce370b67d41840671b0d943be774
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 58342
EAP-Message = 0x0108005b19001703010050e73c970ca872a0406dea9360b2831f3b4d
9960df3c69a3fbee615eeb461f2fd621df7bb4814edcbd8952534c49ff889f58899e53a1a6099006
bfe22eb8b1fdfeacfc1a435958aa40fb51e66f3f33ab3a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c342076042d583cbd5e9f57d1d5e1
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=8, length=206
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02080050190017030100208c1a2ad8f6faa9398231e3290f605b26d3
3f89f219417d2c4d81e7a5ce15783a17030100208f66bbcfa14f3568277f9989d3d544cfcb74e6a8
2e519f4d1212795b984a53e3
State = 0x710c342076042d583cbd5e9f57d1d5e1
Message-Authenticator = 0x796dd15b9a449f6a220364198f52ca5d
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020800061a03
server (null) {
PEAP: Setting User-Name to time3
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "time3"
State = 0x0a6fce370b67d41840671b0d943be774
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
ds to /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] expand: %t -> Thu Jul 8 18:25:32 2010
++[auth_log] returns ok
[sql] expand: %{User-Name} -> time3
[sql] sql_set_user escaped user --> 'time3'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: (SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SEL
ECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck
WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER
BY id -> (SELECT id, username, attribute, value, op FROM radcheck WHERE usern
ame = 'time3' and attribute != 'Cleartext-Password') UNION (SELECT id, username,
attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username =
'time3' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query: (SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'time3' and attribute != 'Cleartext-Password') UNION (SELECT
id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHE
RE username = 'time3' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radrepl
y WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radreply WHERE usern
ame = 'time3' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'time3' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE user
name = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'time3' ORDER BY prior
ity
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHE
RE username = 'time3' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
expand: %{reply:acct_expiration} -> 29991231
expand: %D -> 20100708
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) ->
FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
expand: %{reply:ticket_expiration} -> 20100830
expand: %D -> 20100708
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{
User-Name}''
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNam
e='time3'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNa
me='time3'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter] expand: %{User-Name} -> time3
[noreset_time_counter] sql_set_user escaped user --> 'time3'
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='time3' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time
3'
[noreset_time_counter] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/
sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='
time3'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 4
[noreset_time_counter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct W
HERE UserName='time3'} -> 314
rlm_sqlcounter: Check item is greater than query result
rlm_sqlcounter: Authorized user time3, check_item=4000000000, counter=314
rlm_sqlcounter: Sent Reply-Item for user time3, Type=Session-Timeout, value=3999
999686
++[noreset_time_counter] returns ok
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noreset_traffic_counter] returns noop
++? if (reject)
? Evaluating (reject) -> FALSE
++? if (reject) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [time3] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tu
nnel)
+- entering group post-auth {...}
++? if (("%{reply:1st_login_date}" == "29991231") && ("%{reply:acct_expiration}"
>= "%D") )
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" == "29991231") -> FALSE
?? Skipping ("%{reply:acct_expiration}" >= "%D")
++? if (("%{reply:1st_login_date}" == "29991231") && ("%{reply:acct_expiration}"
>= "%D") ) -> FALSE
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detai
l-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/reply-detail-20100708
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d exp
ands to /var/log/radius/radacct/127.0.0.1/reply-detail-20100708
[reply_log] expand: %t -> Thu Jul 8 18:25:32 2010
++[reply_log] returns ok
[sql] expand: %{User-Name} -> time3
[sql] sql_set_user escaped user --> 'time3'
[sql] expand: INSERT INTO radpostauth (ID, username,
password, nas_ip, auth_result, reply_message, authdate)
VALUES (NULL, '%{User-Name}',
aes_encrypt('NA', 'abc123456def'), '%{NAS-IP-ADD
RESS}', '%{reply:Packet-Type}',
'%{control:My-Err-Message}',
'%S') -> INSERT INTO radpostauth (ID, username, passw
ord, nas_ip, auth_result, reply_message, authdate) VAL
UES (NULL, 'time3', aes_enc
rypt('NA', 'abc123456def'), '127.0.0.1',
'Access-Accept', '',
'2010-07-08 18:25:32')
[sql] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(ID, username, password, nas_ip, auth_result, reply_message, authdate)
VALUES (NULL, 'time3',
aes_encrypt('NA', 'abc123456def'),
'127.0.0.1', 'Access-Accept',
'', '2010-
07-08 18:25:32')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: INSERT INTO radpostauth (ID, us
ername, password, nas_ip, auth_result, reply_message, authdate)
VALUES (NULL, 'time3',
aes_encrypt('NA', 'abc123456def'), '127.0.0.1',
'Access-Accept', '',
'2010-07-08 18:25:32')
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Session-Timeout = 3999999686
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "time3"
[peap] Got tunneled reply RADIUS code 2
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Session-Timeout = 3999999686
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "time3"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 58342
EAP-Message = 0x0109003b190017030100303e08b1a2d1b28a52af62ee2de46fc70bb5
1f2c8876b709dc033eb67dac4e7d107d42328990db41d176b866c9b5dc3462
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x710c342079052d583cbd5e9f57d1d5e1
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 58342, id=9, length=222
User-Name = "time3"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0209006019001703010020f5e34f99dabb9426b2cc077cd20d75cb1f
6d178a72b0136017f56929a9ebe876170301003069dd3e6ac821e2782dc47cab7eed4e0de694f6d0
49d02248c6e282c7d2f80b70690eac89370dbb302e008b76429ad113
State = 0x710c342079052d583cbd5e9f57d1d5e1
Message-Authenticator = 0x2e48e39d1253678a90df25d2cbeb7ce3
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
Login OK: [time3] (from client localhost port 0 cli 02-00-00-00-00-01)
Sending Access-Accept of id 9 to 127.0.0.1 port 58342
Session-Timeout = 3999999686
User-Name = "time3"
MS-MPPE-Recv-Key = 0xcfc895845e6aca093ab94dcd81afd5096eac3b2ca11ec8bd708
711bd6f520f97
MS-MPPE-Send-Key = 0xe82169d80dd32224262bded10d64df4472ece71e5d99b29a578
3ca4f590d0a64
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +9
Cleaning up request 1 ID 1 with timestamp +9
Cleaning up request 2 ID 2 with timestamp +9
Cleaning up request 3 ID 3 with timestamp +9
Cleaning up request 4 ID 4 with timestamp +9
Cleaning up request 5 ID 5 with timestamp +9
Cleaning up request 6 ID 6 with timestamp +9
Cleaning up request 7 ID 7 with timestamp +9
Cleaning up request 8 ID 8 with timestamp +9
Cleaning up request 9 ID 9 with timestamp +9
Ready to process requests.
---3. ends------------------------------------------------------------
---------4. radiusd -X debug message for access-reject case-----------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=0, length=118
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000a0174696d6531
Message-Authenticator = 0x24f4eb8ed73570357fa509e716f4ec3a
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[pap] WARNING! No "known good" password found for the user. Authentication may
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 49468
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e0379cb0870007f99580c2a718
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=1, length=235
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0201006d198000000063160301005e0100005a03014c35a8163bcc47
f3eeba48e97b7cabeda316ba25231834b83b7576019349dd53000032003900380035008800870084
00160013000a00330032002f00450044004100050004001500120009001400110008000600030201
00
State = 0x379da9e0379cb0870007f99580c2a718
Message-Authenticator = 0x7051a1856d18e6337c951776482ca698
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 109
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 99
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005e], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084d], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 49468
EAP-Message = 0x0102040019c000000abc160301004a0200004603014c35a81667db13
e25f9bd85df914215360be8e2418dd50ed30f6b066d6aadfc42066e05cf10dd059ad56a7d8a36cb5
0353917b6f4635d6a24b23d44c25faea1c00003901160301084d0b0008490008460003a8308203a4
3082028ca003020102020101300d06092a864886f70d010104050030818c310b3009060355040613
02434e310b300906035504081302484b310c300a06035504071303656475310d300b060355040a13
04484b42553127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e
6564752e686b312a302806035504031321484b425520477565
EAP-Message = 0x73742043412063657274202836346269742073657276657229302017
0d3130303632343033353835305a180f32303530303631343033353835305a308182310b30090603
5504061302434e310b300906035504081302484b310d300b060355040a1304484b4255312e302c06
035504031325484b4255204775657374207365727665722063657274696669636174652028363462
6974293127302506092a864886f70d0109011618726f6f7440667267756573742e686b62752e6564
752e686b30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7649e
e337738ce465aec9a12a375bd4d76fc3c2f50ac701065d1433
EAP-Message = 0x22c38dd78776d5ad0cb747a32f6b512dce6d26cccffefd49cf151767
0305c6cb6eee0b70c86cb259383ca439bf011e8d8689cd17c41e99498256f13e6f14282b8eeef46f
95e742d40254b69d7270d1d349e8cd41cff1dc98ea38fb494ea6007aed1575391d69e9f1c230fea9
125f09a28d544282e9520e4c5987f54ff43f94567991d6172f98bfd3a200aeb07e60345e40caff2f
1f34c52e77707e3321a774bc7601827ccbd723e044ee635de38dc174e37aea2640f5dbacb3454bd8
9bd2e03b81031365232fe8f014c069983950f75aa8fdcce7a9ee52d57dc7fec1512a57fabb3b993b
0203010001a317301530130603551d25040c300a06082b0601
EAP-Message = 0x0505070301300d06092a864886f70d01010405000382010100192613
ffaf84004131ad7ce0d3da7b42d8a594371b96058ea7dc28554921dfd279076ad03cbf83ab81d7d3
ac909202e97a3c22fdad6eee38f2961ef4e9cc9398c5e4bd8a0f41c9174d4fa44a1e77e95c887c06
5197300ea90c8ffc1d32c898c4e137b6a74834c769d7be8008fea4b3ca9c5a33505b588fd93fa440
584d00f8c0c11d62bd886037289e5f27cec1039a4c311a04a7cf75b9ed578b840c66993dea65d31a
df591ffc290d98d6565e70a1d3d45ae3f0c877c5104d1def8c23a79f38c92731165bfb2a84759f2c
6c07e15ff75e4fe6f99e67dac4fc5ca7bf6cbdf849c44b77f6
EAP-Message = 0x614977256b1dcde1b92a76f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e0369fb0870007f99580c2a718
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=2, length=132
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x379da9e0369fb0870007f99580c2a718
Message-Authenticator = 0x1ab17d06723c9f5f8f9bf484468c6dc5
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 49468
EAP-Message = 0x010303fc1940d8d084a884e20a2a165c46af33618c22000498308204
943082037ca003020102020900a00b0c8b6ee723bb300d06092a864886f70d010105050030818c31
0b300906035504061302434e310b300906035504081302484b310c300a0603550407130365647531
0d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f744066726775
6573742e686b62752e6564752e686b312a302806035504031321484b425520477565737420434120
636572742028363462697420736572766572293020170d3130303632343033353833335a180f3230
3530303631343033353833335a30818c310b30090603550406
EAP-Message = 0x1302434e310b300906035504081302484b310c300a06035504071303
656475310d300b060355040a1304484b42553127302506092a864886f70d0109011618726f6f7440
667267756573742e686b62752e6564752e686b312a302806035504031321484b4255204775657374
204341206365727420283634626974207365727665722930820122300d06092a864886f70d010101
05000382010f003082010a0282010100c001917da3c962085a616702fa98c2bd794c7edfa3a1f038
258e018a126e736e3a61ae5120b956ab0566a9258b889d66e616e2d702b1a0f5ec79b1b484a9a9ec
5ff3ba49d31895a6073ac132c9aa28f3e9906d0a6e3c24e852
EAP-Message = 0x621586b8db41ce111ebf2befc143a5cc9d562d020594fe407135ec1c
068dd0303eca75e5c5dd9cab898af3e870072ea3eca78602644eea0bac0c5619925b56aba1b1c1fc
4c48fded87cdcf44d1b99a2c1f534e8b88e4a35f9d1ffa8a50cdb402743516a0cbce2a4796459501
875ec225357d4a362202e15ee12a0154f018e5b84a5e5884c268d3154ed41f7b78ea2f6df852e07b
dd50a55c26467bcaf75c41d393bc78b27fb5170203010001a381f43081f1301d0603551d0e041604
14c134ca58d9d8f09b9207417630a08266b192ef523081c10603551d230481b93081b68014c134ca
58d9d8f09b9207417630a08266b192ef52a18192a4818f3081
EAP-Message = 0x8c310b300906035504061302434e310b300906035504081302484b31
0c300a06035504071303656475310d300b060355040a1304484b42553127302506092a864886f70d
0109011618726f6f7440667267756573742e686b62752e6564752e686b312a302806035504031321
484b42552047756573742043412063657274202836346269742073657276657229820900a00b0c8b
6ee723bb300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000d81
bb75569e9ce10ee1cc274ce224d6d175d681f14079bdb2953b179dc9e15eedecd08f8d61f1759f3b
b4c97458573e0b9b6b6be66954fc48d713a54ad949e99d806a
EAP-Message = 0x400957b5cd394c74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e0359eb0870007f99580c2a718
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=3, length=132
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x379da9e0359eb0870007f99580c2a718
Message-Authenticator = 0x48ddac2a23034188ff380052d31d8a44
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 49468
EAP-Message = 0x010402d6190012c062cd3163799ab42c262a3b39ee4aadeba8ca0584
510b5f850ecbe4afc188b998b5b79ebc112998a4791842e212835761d44b5202634a16bdc8886be5
a2a6ddef1becbbaa64117a58fd73726f412c140197da3a29fc44aa1b67361c18f9f72312826067f6
4edc638e6a8b5511cd2c9eff129e700e0d88cb6de9ef5c6c909025dc37b4abdc9fdc643561bb06b1
e07e30de728a7e8a4dc07dda92896b8975d7907b85b66fedf2623b70b61a7757012cb421a8c76616
0301020d0c00020900808fcc5daaf65ec4b9ed53a13aa5563c3a857d7b01a0935ce18302cbbd8117
bdcee617438d810d33e6737c2b63ad1b1e728d85e9aa9c155d
EAP-Message = 0x84c5499240de4a0574ca81181dd71a196f1dccceee978f8380d16b7e
6019d903f2d5ed2428b8649b958dbd4a5c52b8f99989c064eb651266552a0b7eab32727454b2eee7
89c78aee3b00010200802d40d68a213037fdef2a05b0d02557ad19514062a6c2b6b77514fd1c15a1
3933b75408fca1c9a173e2cb20808dc07fffb36fc03e041b17e407ccc97a6c2d7f1f91b3a9e0d248
f2dc467c3aec0912ca55badcf050965c6138dff792352fa2292f92a152149a5f5cf7961a5c1e9656
b7be37b32b22d9f677473e118e41b63b0a8c010017a57998cc2de71d0802f9766a65e11f23cd01db
a7580d288f40939c2c03e243e1dfbf8b14f9ac287474fe444e
EAP-Message = 0xe026a49e96cdf3c242e82468aaf6e46fc45f16517d36d91a2a014805
0a1d39fb3b83505165efb521155a4cafb52c3ed39d5bb7950f9fd3d4cb6d38e7a790b5ad63064fae
c1792f3e5ce8e811f991a2ca0e687146ed2d3d4fce292922c8fb820058f9385703a984f6f34ce14b
9c2919f7efc83e9b3173bdb14403ea336c4ce9a36173ebf7c59142b0fdf2a57dc568453512ddf1a9
aae97bd70550d99c001c62b5265a49aa276f0fc854f8d69c145125020662caac7bcff0f71955c5e5
c0448184b0b0cfbd48409afec8bb1029595b585034991416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e03499b0870007f99580c2a718
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=4, length=334
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400d01980000000c61603010086100000820080467a2d89b7410f
afe4361812717c3cec8717c16174a7e281b953d403a7773e8d6479fb7a0db7ecbd39f8b221bc892c
e53c59806567d87532666bf0bb115fd666e64f00c2736933ed590bf8ee24f253bdeecca351ec9a29
c467089d4b1b96afb0e8365fecb17dc727289a21786810c9a85af0bd459190512000905dc6780ca6
ef1403010001011603010030744197a78d5f100a2b1e0dde24bef68f84fe93ac677aeb3d028edcfc
1cbc4e6996be46522959cf1556c5c8386a508b77
State = 0x379da9e03499b0870007f99580c2a718
Message-Authenticator = 0xf65a0c170c026c7e4e0e661823bd744e
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
SSL: adding session 66e05cf10dd059ad56a7d8a36cb50353917b6f4635d6a24b23d44c25fa
ea1c00 to cache
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 49468
EAP-Message = 0x01050041190014030100010116030100304e5c1baf2a1b8d5d2a18b7
c4d1c1a3f22154ee783c7db5fd17ea3e0a7fd2ab6d247705d7edda9f423498bed6aeafbdf9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e03398b0870007f99580c2a718
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=5, length=132
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0x379da9e03398b0870007f99580c2a718
Message-Authenticator = 0x12fb97053e91f203df1581c6975b8c01
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 49468
EAP-Message = 0x0106002b190017030100201171e1d1767e10f9d06c480a092e9b8ba3
c07b0e05262131dd5705132f367257
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e0329bb0870007f99580c2a718
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=6, length=222
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0206006019001703010020a9d556b45919401ae1e4790740371c1be9
d6ed285273ed06042e3ec0bd020c471703010030a782020930967cc5584d7791eeeb903ef19a6ad8
5588c048606fba479e03a8ad8ee74ef22f1f16a685d6e3f142564c55
State = 0x379da9e0329bb0870007f99580c2a718
Message-Authenticator = 0xd9002ff440753be497004076fb58a195
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - time1
[peap] Got tunnled request
EAP-Message = 0x0206000a0174696d6531
server (null) {
PEAP: Got tunneled identity of time1
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to time1
Sending tunneled request
EAP-Message = 0x0206000a0174696d6531
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail
-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expan
ds to /var/log/radius/radacct/127.0.0.1/auth-detail-20100708
[auth_log] expand: %t -> Thu Jul 8 18:27:34 2010
++[auth_log] returns ok
[sql] expand: %{User-Name} -> time1
[sql] sql_set_user escaped user --> 'time1'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: (SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' and attribute != 'Cleartext-Password') UNION (SEL
ECT id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck
WHERE username = '%{SQL-User-Name}' and attribute = 'Cleartext-Password') ORDER
BY id -> (SELECT id, username, attribute, value, op FROM radcheck WHERE usern
ame = 'time1' and attribute != 'Cleartext-Password') UNION (SELECT id, username,
attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHERE username =
'time1' and attribute = 'Cleartext-Password') ORDER BY id
rlm_sql_mysql: query: (SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'time1' and attribute != 'Cleartext-Password') UNION (SELECT
id, username, attribute, aes_decrypt(value,'abc123456def'), op FROM radcheck WHE
RE username = 'time1' and attribute = 'Cleartext-Password') ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radrepl
y WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id, username, attribute, value, op FROM radreply WHERE usern
ame = 'time1' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'time1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE user
name = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'time1' ORDER BY prior
ity
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHE
RE username = 'time1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++? if (!(control:Cleartext-Password))
?? Evaluating (control:Cleartext-Password) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(control:Cleartext-Password)) -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
expand: %{reply:acct_expiration} -> 29991231
expand: %D -> 20100708
?? Evaluating ("%{reply:acct_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && ("%{reply:acct_expiration}" < "%D") ) ->
FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") )
?? Evaluating (reply:acct_expiration) -> TRUE
?? Evaluating (reply:1st_login_date) -> TRUE
?? Evaluating (reply:ticket_expiration) -> TRUE
expand: %{reply:1st_login_date} -> 20100601
?? Evaluating ("%{reply:1st_login_date}" != "29991231") -> TRUE
expand: %{reply:ticket_expiration} -> 20100830
expand: %D -> 20100708
?? Evaluating ("%{reply:ticket_expiration}" < "%D") -> FALSE
++? elsif ((reply:acct_expiration) && (reply:1st_login_date) && (reply:ticket_e
xpiration) && ("%{reply:1st_login_date}" != "29991231") && ("%{reply:ticket_expi
ration}" < "%D") ) -> FALSE
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand: 'SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{
User-Name}''
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='%{User-Name}' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNam
e='time1'
sqlcounter_expand: '%{sql:SELECT SUM(AcctSessionTime) FROM radacct WHERE UserNa
me='time1'}'
[noreset_time_counter] sql_xlat
[noreset_time_counter] expand: %{User-Name} -> time1
[noreset_time_counter] sql_set_user escaped user --> 'time1'
[noreset_time_counter] expand: SELECT SUM(AcctSessionTime) FROM radacct WHERE U
serName='time1' -> SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='time
1'
[noreset_time_counter] expand: /var/log/radius/sqltrace.sql -> /var/log/radius/
sqltrace.sql
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query: SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='
time1'
[noreset_time_counter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[noreset_time_counter] expand: %{sql:SELECT SUM(AcctSessionTime) FROM radacct W
HERE UserName='time1'} -> 205
rlm_sqlcounter: (Check item - counter) is less than zero
rlm_sqlcounter: Rejected user time1, check_item=20, counter=205
++[noreset_time_counter] returns reject
++? if (reject)
? Evaluating (reject) -> TRUE
++? if (reject) -> TRUE
++- entering if (reject) {...}
+++[control] returns reject
++- if (reject) returns reject
Invalid user (rlm_sqlcounter: Maximum never usage time reached): [time1/<via Aut
h-Type = EAP>] (from client localhost port 0 cli 02-00-00-00-00-01 via TLS tunne
l)
} # server inner-tunnel
[peap] Got tunneled reply code 3
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Reply-Message = "Your maximum never usage time has been reached"
[peap] Got tunneled reply RADIUS code 3
1st_login_date := "20100601"
acct_expiration := "29991231"
ticket_days := "90"
ticket_expiration := "20100830"
Reply-Message = "Your maximum never usage time has been reached"
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 49468
EAP-Message = 0x0107003b19001703010030d0af2dcdbaada51c12d0570f41e8542218
7c12e87263aa128b7647209c78495a9ebc2ae2ade479af15debdfbed77aa3f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x379da9e0319ab0870007f99580c2a718
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49468, id=7, length=222
User-Name = "time1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02070060190017030100202178f5d5c8f7282c6e2609da3fec65309e
f28ebeadf1dce71e775f3bdab51a1817030100300f13973ec6c006332d406b716cefe650fe7a9462
eed07219b551403dbec4b6d042a2025fe07f3b07314212ce9f57a4b9
State = 0x379da9e0319ab0870007f99580c2a718
Message-Authenticator = 0x9976397d6fffc38a9e78034df8c3a0d5
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "time1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
SSL: Removing session 66e05cf10dd059ad56a7d8a36cb50353917b6f4635d6a24b23d44c25
faea1c00 from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [time1/<via Auth-Type = EAP>] (from client localhost port 0 cli
02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++- group REJECT returns noop
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 7 to 127.0.0.1 port 49468
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +2
Cleaning up request 1 ID 1 with timestamp +2
Cleaning up request 2 ID 2 with timestamp +2
Cleaning up request 3 ID 3 with timestamp +2
Cleaning up request 4 ID 4 with timestamp +2
Cleaning up request 5 ID 5 with timestamp +2
Cleaning up request 6 ID 6 with timestamp +2
Waking up in 0.9 seconds.
Cleaning up request 7 ID 7 with timestamp +2
Ready to process requests.
----4. ends ------------------------------------------------------------
More information about the Freeradius-Users
mailing list