FreeRadius in proxy mode does not transfer IP address to client
Elia Dreytser
ilia.esq at gmail.com
Fri Jun 18 11:55:11 CEST 2010
Hi all,

I need to authorize wireless users with EAP-PEAP on a Cisco Air 350, but, unfortunately, the RADIUS server of the billing system cannot do EAP-PEAP. The FreeRADIUS server in proxy mode terminates the TLS tunnel, and the request to the billing system's RADIUS server goes out as MSCHAPv2. All right, authorization is correct, but there is one problem: FreeRADIUS does not pass the attribute Framed-IP-Address to the Windows wireless client.

Please show me where my mistake is!
192.168.2.252 - IP address of the server
port 1645 - FreeRADIUS auth packets
ports 1812, 1813 - billing RADIUS
10.1.1.30 - Cisco Air 350 wireless AP
========================= FreeRadius Configs ==============================
______________ proxy.conf __________________________
proxy server {
default_fallback = no
}
home_server BGBILLING {
type = auth+acct
ipaddr = 192.168.2.252
port = 1812
secret = bgbilling
zombie_period=30
response_window=20
status_check = none
ping_check = none
}
realm BGBILLING {
nostrip
authhost = 192.168.2.252:1812
accthost = 192.168.2.252:1813
secret = bgbilling
type = radius
}
_______________________ eap.conf ____________________________
eap {
default_eap_type = mschapv2
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
mschapv2 {
}
}
_____________________ proxy-inner-tunnel _________________________
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "BGBILLING"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
============= output listing /usr/local/sbin/radiusd -X ===============
.....
Listening on authentication address * port 1645
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=72, length=160
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x494e97d46fe81b971dc73dd31ff16394
EAP-Message = 0x0202000b016b6e79726b6f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 72 to 10.1.1.30 port 1645
EAP-Message = 0x010300201a0103001b109438e3fc9d17289fae6cb63fc00e7aa66b6e79726b6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cb96d3292c40f2d5bd304aa6d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=73, length=173
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x5da76e7269b5dfd3bc0e5c1e22572792
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cb96d3292c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 73 to 10.1.1.30 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cb86a3192c40f2d5bd304aa6d
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=74, length=282
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0xb109fb190497ea0d7fc6b2c278edde68
EAP-Message = 0x0204007319800000006916030100640100006003014c0db953af95c919c15ef30ba4aac16c460fb4eab05a9f6dd857d064cd90464a000018002f00350005000ac013c014c009c00a00320038001300040100001f0000000b00090000066b6e79726b6f000a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cb86a3192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 115
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 105
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0064], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 74 to 10.1.1.30 port 1645
EAP-Message = ...
EAP-Message = ...
EAP-Message = ...
EAP-Message = ...
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cbb6b3192c40f2d5bd304aa6d
Finished request 2.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=75, length=173
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0xf52ad6f161d75123fe2abd219470982e
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cbb6b3192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 75 to 10.1.1.30 port 1645
EAP-Message = ...
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009b7df1a9d164a4f3318491a72fa28eea6be0c1392b9b588f84feea33f7fa75cf049eebc9405629ce22a20761bfb6b0cf8fc3e697477054ebd67b858244c5d866a7857fc1653f98b1d77f8c415464b2935d10b11cdfe8845478255176b5799ef2e5fdf1984c294b1c0bc31d62f1d6ee
EAP-Message = ...
EAP-Message = ...
EAP-Message = 0x5c9187d4a4579346
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cba683192c40f2d5bd304aa6d
Finished request 3.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=76, length=173
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x26fdb62570e22ae7e620484a395896af
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cba683192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:01 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 76 to 10.1.1.30 port 1645
EAP-Message = 0x010700b5190044f055e573d738d504987b55f6f03e1948e7d2d7dbacb011aaf5aebdf9065f187c0b5e96b54bc0b364423644b9d3c23312fce681f932ce3118bcb897f86b8baf7a29503854fb791fb2719f21318b6ec050d76ffe34e6a187f7930586ceb74de1640d8e390bc753e5b39e4a3d2ebbc10c09fb22aba90160a193b8a52c1a8917ba83a3fd6f21824c02f19bee53a7ad1fb5768e24db328f22f1ff2d71d26e57a6d06f50ce04ac0616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cbd693192c40f2d5bd304aa6d
Finished request 4.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=77, length=505
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x1ad2ffe0e14528adc87c4041553f7a82
EAP-Message = 0x0207015019800000014616030101061000010201007cc01f9338d7c2cea8976ad3beb12743f5fb7ff61ba23633ec80147334d13d83ddb24878e2e18a3c622ed34d35793dfc411c2959d2570c2d55a06d3b0ec982f1422d6460794c8036fab4635d162a6ed6d6b271a36f0180caa8ef319ec5220769fefa599e4ac1cded6832959067126cdaac4a04a4093924cfa504cf7f880cab76f51262a643eff2c64d93ceea0e7904758dd77bc11f183f00cab15f249f0f493fa425f5967bb610338201b317e5bd81231dae0e378205a2f9b4ca00114e61cd0889b4d52967f0ef3d2064c132d1c84cd1645129726856cb17c1dcad50ede110b476fba41cb17ff9ba
EAP-Message = 0xa7a034091776d1a06bb859db6d710abed6407ab76869fa07140301000101160301003060b0129d6f502b4a4baf38296ef7870dd58319111bba5aafe2b339a2244d5099ec2fabe68c6b150e8798833e08be47a7
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cbd693192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:02 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.1.1.30 port 1645
EAP-Message = 0x010800411900140301000101160301003059bf40066161ba7b9bc89876ddca50e8dac6ffdebb75de45834d3df7b033b094bfab27efb9bcf049c6cc5d3102e62340
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cbc663192c40f2d5bd304aa6d
Finished request 5.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=78, length=173
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x6f002e36d5971bf5cd3dd1aa9ea9d130
EAP-Message = 0x020800061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cbc663192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:02 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 78 to 10.1.1.30 port 1645
EAP-Message = 0x0109002b19001703010020240976f4b60da3fa472d90bc15dff92ea15d0c0dd63f4b6e793e08b31f1479e2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cbf673192c40f2d5bd304aa6d
Finished request 6.
Going to the next request
Waking up in 3.6 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=79, length=210
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x1b2a6ee5e33e06c80dffba188c743fc6
EAP-Message = 0x0209002b190017030100201246827da5deb469c615b1f6612fc7e0efd1a6cf80bd60db6e0ba481b3ec86eb
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cbf673192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:02 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - user1
[peap] Got tunneled request
EAP-Message = 0x0209000b016b6e79726b6f
server {
PEAP: Got tunneled identity of user1
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to user1
Sending tunneled request
EAP-Message = 0x0209000b016b6e79726b6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm BGBILLING until the tunneled EAP session has been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00201a010a001b106c8016823c336d61519e51fc4ee6c0036b6e79726b6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc76f110ac7650b9c62c6ece3f4691f2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 79 to 10.1.1.30 port 1645
EAP-Message = 0x010a004b19001703010040c74e658780df12a4060414a2d457aeaee36041d6d5b2b538fbe076b655db122a0c5ce268f4fecb5c90e76e1ba4f33d54f5a3898f5a53b5f366d61973b18c0aba
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cbe643192c40f2d5bd304aa6d
Finished request 7.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=80, length=274
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0xc899033d21dca9e2fa7980f5a74228c1
EAP-Message = 0x020a006b19001703010060b1e61384342076d9a4394fa854e80636ec4f86c7cffd5120ea58f87445d83e78080812186d5ad9919030e664b9d0e66a4196d66ef0100d062c10e33a80e4f078eb2256c4a2a93b93755c7f296995bcb9f487258f62dc704c8e637244f2c29c2f
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cbe643192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:03 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a00411a020a003c31b0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937006b6e79726b6f
server {
PEAP: Setting User-Name to user1
Sending tunneled request
EAP-Message = 0x020a00411a020a003c31b0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937006b6e79726b6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user1"
State = 0xc76f110ac7650b9c62c6ece3f4691f2d
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to BGBILLING
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
Sending Access-Request of id 0 to 192.168.2.252 port 1812
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
MS-CHAP-Challenge = 0x6c8016823c336d61519e51fc4ee6c003
MS-CHAP2-Response = 0x0a6eb0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937
Proxy-State = 0x3830
Proxying request 8 to home server 192.168.2.252 port 1812
Sending Access-Request of id 0 to 192.168.2.252 port 1812
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
MS-CHAP-Challenge = 0x6c8016823c336d61519e51fc4ee6c003
MS-CHAP2-Response = 0x0a6eb0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937
Proxy-State = 0x3830
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.2.252 port 1812, id=0, length=207
Acct-Interim-Interval = 60
Proxy-State = 0x3830
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.1.2.199
MS-MPPE-Send-Key = 0x198c7e625f58d59e8a2bdbc3430e5754
MS-MPPE-Recv-Key = 0x8fffb24fe737a4f5e91764e1112e87a9
MS-CHAP2-Success = 0x3f533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
MS-MPPE-Encryption-Types = 0x00000004
MS-MPPE-Encryption-Policy = 0x00000001
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x801157240 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
} # server proxy-inner-tunnel
[eap] Final reply from tunneled session code 11
Acct-Interim-Interval = 60
Proxy-State = 0x3830
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.1.2.199
EAP-Message = 0x010b00331a030a002e533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc76f110ac6640b9c62c6ece3f4691f2d
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
Acct-Interim-Interval = 60
Proxy-State = 0x3830
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.1.2.199
EAP-Message = 0x010b00331a030a002e533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc76f110ac6640b9c62c6ece3f4691f2d
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 80 to 10.1.1.30 port 1645
EAP-Message = 0x010b005b19001703010050dfe77e0a225e61d5455d1443bd5fd250ac27b94fcddb0a4a2c7fbd56c402cdb1bb1d7810323a0124f3b2856070d3d7682b110d546914df753e8db8d0b823b1412ab963a217719e3c3889b6f8f8bf0a13
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cb1653192c40f2d5bd304aa6d
Finished request 8.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=81, length=210
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0xc0d3ce2339948cee0e870e4921cfc1d1
EAP-Message = 0x020b002b19001703010020a7612e29eb6c9a041989740818859639dc2e36389dac01b9ec1646e17fe16276
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cb1653192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:04 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020b00061a03
server {
PEAP: Setting User-Name to user1
Sending tunneled request
EAP-Message = 0x020b00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user1"
State = 0xc76f110ac6640b9c62c6ece3f4691f2d
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
server proxy-inner-tunnel {
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "user1"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 81 to 10.1.1.30 port 1645
EAP-Message = 0x010c002b19001703010020f46739737b83372fd9351e206398bcff3b954696d2d82a5ee0d7b131ed5aee48
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e281cb0623192c40f2d5bd304aa6d
Finished request 9.
Going to the next request
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.30 port 1645, id=82, length=210
User-Name = "user1"
Framed-MTU = 1400
Called-Station-Id = "0040.9645.a099"
Calling-Station-Id = "001a.73f3.d763"
Cisco-AVPair = "ssid=hotel"
Service-Type = Login-User
Message-Authenticator = 0x5a6bdcacc004c7551aea1c950b1c57df
EAP-Message = 0x020c002b1900170301002086e59e080b073e48dc4329f4b5ecd8c0f17b3de2518dc716f682f87afd0f3c8d
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
State = 0xb96e281cb0623192c40f2d5bd304aa6d
NAS-IP-Address = 10.1.1.30
NAS-Identifier = "wifi-tur"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.30/auth-detail-20100608
[auth_log] expand: %t -> Tue Jun 8 11:31:04 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [user1/<via Auth-Type = EAP>] (from client wifi-tur port 265 cli 001a.73f3.d763)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 82 to 10.1.1.30 port 1645
User-Name = "user1"
MS-MPPE-Recv-Key = 0x35342a56a23ada1ad2d9a47b9cdbf83772c622a3e9a106eb579826ab30c57309
MS-MPPE-Send-Key = 0x2562ae6db4deae0501fa49f229d6c49f8a1afdd34e7ec37a8e0e867c4efbfa89
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
=====================================================================================
_______________________ Cisco AP350 config for RADIUS AAA __________________________
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.2.252 auth-port 1645 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 192.168.2.252 auth-port 1645 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius rad_acct1
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid hotel
authentication open eap eap_methods
authentication network-eap eap_methods
accounting acct_methods
guest-mode
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.252 auth-port 1645 acct-port 1813 key 7 110B1E071E1E07050A2D
radius-server vsa send accounting
radius-server vsa send authentication
Best regards
Ilia Dreytser
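Editor's note, added to this archived post and not part of the original mail or of FreeRADIUS: the trace above is easier to follow once the EAP-Message values are decoded the way rlm_eap decodes them before it logs lines such as "EAP-NAK asked for EAP-Type/peap", "TLS Length 326" and "processing type mschapv2". The example below does that for the EAP header, the NAK, the PEAP (type 25) flag/length framing and the EAP-MSCHAPv2 (type 26) op-codes. The hex strings in SAMPLES are copied from the trace; the function names and dict keys are this example's own. The decoder deliberately leaves the trailing peer-name bytes of the MSCHAPv2 packets undecoded: the hex in a -X trace is not anonymised when the User-Name lines are, which is worth remembering before posting one.

```python
"""Decode the EAP-Message payloads of a FreeRADIUS radiusd -X trace.

Added example by the editor; not code from the original post or from
FreeRADIUS. The hex strings in SAMPLES are copied from the trace above,
the function names and dict keys are this example's own.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "MSCHAPv2"}
MSCHAPV2_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# One entry may be a list: RADIUS caps an attribute at 253 bytes, so a long
# EAP packet arrives as several EAP-Message attributes that must be joined.
SAMPLES = {
    "nak": "0x020300060319",
    "peap_start": "0x010400061920",
    "peap_ack": "0x020500061900",
    "peap_cke": [
        "0x0207015019800000014616030101061000010201007cc01f9338d7c2cea8976ad3beb12743f5fb7ff61ba23633ec80147334d13d83ddb24878e2e18a3c622ed34d35793dfc411c2959d2570c2d55a06d3b0ec982f1422d6460794c8036fab4635d162a6ed6d6b271a36f0180caa8ef319ec5220769fefa599e4ac1cded6832959067126cdaac4a04a4093924cfa504cf7f880cab76f51262a643eff2c64d93ceea0e7904758dd77bc11f183f00cab15f249f0f493fa425f5967bb610338201b317e5bd81231dae0e378205a2f9b4ca00114e61cd0889b4d52967f0ef3d2064c132d1c84cd1645129726856cb17c1dcad50ede110b476fba41cb17ff9ba",
        "0xa7a034091776d1a06bb859db6d710abed6407ab76869fa07140301000101160301003060b0129d6f502b4a4baf38296ef7870dd58319111bba5aafe2b339a2244d5099ec2fabe68c6b150e8798833e08be47a7",
    ],
    "ms_challenge": "0x010a00201a010a001b106c8016823c336d61519e51fc4ee6c0036b6e79726b6f",
    "ms_response": "0x020a00411a020a003c31b0ee06e46d905e4ed7d763609a5a2535000000000000000019b2ed0e1ce1f5198d7f46cd0ef0c16551cfcdf7e5ac8937006b6e79726b6f",
    "ms_success": "0x020b00061a03",
    "eap_success": "0x030c0004",
}


def _unhex(s):
    return bytes.fromhex(s[2:] if s.startswith("0x") else s)


def decode_eap(msg):
    """Decode one EAP packet given as a hex string or as the list of
    EAP-Message attribute values taken from one RADIUS packet."""
    fragments = [msg] if isinstance(msg, str) else list(msg)
    data = b"".join(_unhex(f) for f in fragments)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           # False when the RADIUS packet carried only a leading fragment
           "complete": len(data) >= length}
    if code in (3, 4) or len(data) < 5:   # Success/Failure carry no type byte
        return pkt
    etype, body = data[4], data[5:length]
    pkt["type"] = EAP_TYPES.get(etype, etype)
    if etype == 3:                          # NAK: the types the peer will accept
        pkt["desired"] = [EAP_TYPES.get(b, b) for b in body]
    elif etype == 25:
        pkt.update(_decode_peap(body))
    elif etype == 26:
        pkt.update(_decode_mschapv2(body))
    # type 1 (Identity) is left undecoded on purpose; its payload is the user name
    return pkt


def _decode_peap(body):
    """PEAP/EAP-TLS framing: flags byte (L, M, S and version bits), a 4-byte
    total TLS length when L is set, then the TLS record bytes."""
    if not body:
        raise ValueError("PEAP packet without flags byte")
    flags = body[0]
    out = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
           "S": bool(flags & 0x20), "version": flags & 0x07}
    pos = 1
    if out["L"]:
        out["tls_length"] = int.from_bytes(body[1:5], "big")
        pos = 5
    out["tls_bytes"] = len(body) - pos      # TLS bytes carried in this EAP packet
    # flags-only packet with L, M and S clear: the ACK for the previous fragment
    out["ack"] = (flags & 0xE0) == 0 and out["tls_bytes"] == 0
    return out


def _decode_mschapv2(body):
    """EAP-MSCHAPv2: op-code, ms-id, 2-byte ms-length, op-specific data."""
    op = body[0]
    out = {"op": MSCHAPV2_OPS.get(op, op)}
    if len(body) == 1:                      # Success/Failure-Response: op-code only
        return out
    out["ms_id"] = body[1]
    ms_len = int.from_bytes(body[2:4], "big")
    if op in (1, 2):
        vsize = body[4]
        value = body[5:5 + vsize]
        out["name_len"] = ms_len - 5 - vsize   # trailing peer name, not decoded
        if op == 1:                         # Challenge: 16-byte server challenge
            out["challenge"] = value.hex()
        else:                               # Response: peer-challenge(16) reserved(8) NT-response(24) flags(1)
            out["peer_challenge"] = value[:16].hex()
            out["nt_response"] = value[24:48].hex()
    return out


def decode_samples():
    return {name: decode_eap(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in decode_samples().items():
        print(f"{name:12s} {pkt}")
```

Running it against the trace's own values: the NAK decodes to a request for type 25, which is the "[eap] EAP-NAK asked for EAP-Type/peap" line; the two EAP-Message attributes of the id=77 request join into one 336-byte PEAP packet whose L flag announces a TLS length of 326, which is the "TLS Length 326" line; and the 16-byte challenge inside the inner EAP-MSCHAPv2 Request (id 10) is byte for byte the MS-CHAP-Challenge that the proxy then sends to 192.168.2.252 port 1812, with the NT-response from the peer's EAP-MSCHAPv2 Response reappearing as the tail of MS-CHAP2-Response. That is the conversion the "Not-EAP proxy set" and "Tunneled authentication will be proxied to BGBILLING" lines refer to: the billing server never sees EAP at all, only plain MS-CHAP attributes.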
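A second added example, again the editor's own code rather than the poster's or the project's: a small parser for the packet dumps in a radiusd -X trace that compares the Access-Accept the billing server returned (inside request 8 above) with the Access-Accept finally sent to the AP (request 10), so the dropped attributes are listed instead of eyeballed. TRACE is an abridged copy of the lines above; one wrapped attribute is kept in it because mail archives break long values onto a second line, and the parser has to cope with that. The split into "consumed" (attributes the proxy is expected to use up itself) and "lost" is this example's own classification.

```python
"""Compare the Access-Accept a proxied home server returned with the
Access-Accept the outer server finally sent to the NAS, from a radiusd -X
trace. Added example by the editor, not code from the original post or
from FreeRADIUS. TRACE is an abridged copy of the trace above (one wrapped
attribute kept on purpose); the consumed/lost split is this example's own.
"""
import re

TRACE = """\
rad_recv: Access-Accept packet from host 192.168.2.252 port 1812, id=0, length=207
Acct-Interim-Interval = 60
Proxy-State = 0x3830
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.1.2.199
MS-MPPE-Send-Key = 0x198c7e625f58d59e8a2bdbc3430e5754
MS-MPPE-Recv-Key = 0x8fffb24fe737a4f5e91764e1112e87a9
MS-CHAP2-Success =
0x3f533d42373644303537323430393544334131333434353245353237443933373439364645303536303245
MS-MPPE-Encryption-Types = 0x00000004
MS-MPPE-Encryption-Policy = 0x00000001
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
Login OK: [user1/<via Auth-Type = EAP>] (from client wifi-tur port 265 cli 001a.73f3.d763)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 82 to 10.1.1.30 port 1645
User-Name = "user1"
MS-MPPE-Recv-Key = 0x35342a56a23ada1ad2d9a47b9cdbf83772c622a3e9a106eb579826ab30c57309
MS-MPPE-Send-Key = 0x2562ae6db4deae0501fa49f229d6c49f8a1afdd34e7ec37a8e0e867c4efbfa89
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
"""

# Packet headers as radiusd -X prints them for received and sent packets.
PKT_RE = re.compile(
    r"^(?:rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)"
    r"|Sending (\S+) of id (\d+) to (\S+) port (\d+))"
)
# "Name = value"; a bare "Name =" means the value wrapped onto the next line.
AVP_RE = re.compile(r"^\s*([A-Za-z][\w-]*) =(?: (.*))?$")

# Attributes the proxy is expected to use up itself rather than forward:
# Proxy-State is its own echo, MS-CHAP2-Success is consumed by the
# EAP-MSCHAPv2 module, the MPPE policy attributes belong to the inner method.
CONSUMED = {"Proxy-State", "MS-CHAP2-Success",
            "MS-MPPE-Encryption-Types", "MS-MPPE-Encryption-Policy"}


def parse_packets(trace):
    """Return [{dir, code, peer, id, avps: [(name, value), ...]}] for every
    packet dump in the trace; the first non-attribute line ends a dump."""
    packets, cur, pending = [], None, None
    for line in trace.splitlines():
        m = PKT_RE.match(line)
        if m:
            if m.group(1):
                cur = {"dir": "recv", "code": m.group(1), "id": int(m.group(4)),
                       "peer": f"{m.group(2)}:{m.group(3)}", "avps": []}
            else:
                cur = {"dir": "send", "code": m.group(5), "id": int(m.group(6)),
                       "peer": f"{m.group(7)}:{m.group(8)}", "avps": []}
            packets.append(cur)
            pending = None
            continue
        if cur is None:
            continue
        if pending is not None:                 # second half of a wrapped value
            cur["avps"].append((pending, line.strip()))
            pending = None
            continue
        a = AVP_RE.match(line)
        if a is None:
            cur = None
        elif a.group(2) is None:
            pending = a.group(1)
        else:
            cur["avps"].append((a.group(1), a.group(2)))
    return packets


def compare_accepts(trace):
    """Attributes of the first received Access-Accept (the home server's)
    that are missing from, or changed in, the last Access-Accept sent."""
    pkts = parse_packets(trace)
    home = next(p for p in pkts if p["dir"] == "recv" and p["code"] == "Access-Accept")
    final = next(p for p in reversed(pkts) if p["dir"] == "send" and p["code"] == "Access-Accept")
    h, f = dict(home["avps"]), dict(final["avps"])   # last value wins for repeats
    missing = set(h) - set(f)
    return {
        "home_peer": home["peer"], "final_peer": final["peer"],
        "consumed": sorted(missing & CONSUMED),
        "lost": sorted(missing - CONSUMED),
        "rewritten": sorted(n for n in set(h) & set(f) if h[n] != f[n]),
    }


if __name__ == "__main__":
    for key, val in compare_accepts(TRACE).items():
        print(f"{key:10s} {val}")
```

On this trace the "lost" list is Acct-Interim-Interval, Framed-IP-Address, Framed-Protocol and Service-Type, and the two MPPE keys show up as rewritten, which is correct for PEAP: the keys the AP receives are derived from the outer TLS session, not copied from the inner reply. The more useful observation is where the billing server's reply lands: it is proxied inside request 8, which ends in an Access-Challenge, while the Access-Accept to the AP is request 10, so the only thing that can carry Framed-IP-Address across is the PEAP session state behind the "Saving tunneled attributes for later" lines. That line appears twice in the trace, once for the tunneled reply that still carries the address and once more for the final inner Access-Accept, which carries only User-Name; the attributes restored under "Using saved attributes from the original Access-Accept" are the ones from that last save.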