Authentication via ntlm_auth with check the user group

Сергей Усов usows at pomorsu.ru
Wed Dec 7 11:06:44 CET 2011


Thanks for your reply




radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_mschap
  Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
   mschap {
     use_mppe = yes
     require_encryption = yes
     require_strong = yes
     with_ntdomain_hack = yes
     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}"
   }



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=0, length=210
     Message-Authenticator = 0x76f5e1499b3c78689adf8fb623dc7c4e
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x0200001201504f4d4f5253555c75736f7773
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 0: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.213.210 port 1067
     EAP-Message = 0x010100061920
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c0338140d1ab54c20eb7bf1588770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=1, length=315
     Message-Authenticator = 0x52b3370475dcad2571d8a4ef20d46246
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c0338140d1ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 
0x0201006919800000005f160301005a0100005603014ede257a500dcb4913694c60469b783a7bdaa0d482ac13baa056619eb2d75c37000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 1: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 1: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0051], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0aa2], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.213.210 port 1067
     EAP-Message = 0x657274456e726f6c6c2f6f63
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c0338150e1ab54c20eb7bf1588770
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=2, length=216
     Message-Authenticator = 0xec25df49dc4e71a8ab902d62111a2943
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c0338150e1ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020200061900
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 2: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 2: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.213.210 port 1067
     EAP-Message = 
0x2f43657274456e726f6c6c2f68712d7073752d63612d30312e706f6d6f7273752e6c6f63616c5f6f63656c6f742e637274302106092b060104018237140204141e12005700650062005300650072007600650072300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010086d899336d4ae8012861dd16e2621ad32f419a774d1a528db018d9e7ada46eec0f2cd753028a867098d5b53e62954c15d76cd11c348e6fad7519a2cf8d721231f6f2dde973a392192576c483c682ff28afcef70f48a33ea446009179c03c02a3337919cc38
     EAP-Message = 0xc8afaf4178ed1028
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c0338160f1ab54c20eb7bf1588770
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=3, length=216
     Message-Authenticator = 0xfa2905a5466f4dfecef8a595cdce93fd
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c0338160f1ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020300061900
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 3: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 3: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.213.210 port 1067
     EAP-Message = 
0x1f0481f03081ed3081eaa081e7a081e48681ae6c6461703a2f2f2f434e3d6f63656c6f742c434e3d6f63656c6f742c434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d706f6d6f7273752c44433d6c6f63616c3f63657274696669636174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e748631687474703a2f2f6f63656c6f742e706f6d6f7273752e6c6f63616c2f43657274456e726f6c6c2f6f63656c6f742e63726c301006092b06010401
     EAP-Message = 
0xe0d0d0c2a95ec527dd7638711f1a4459fdc66656931df9ad2ab46a1e9a7028d316030100040e000000
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c033817081ab54c20eb7bf1588770
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=4, length=548
     Message-Authenticator = 0x1f8babc53208d84dff4b518dad41482f
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c033817081ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 
0x13ca0ba9653d9e0b17d672bd60f7bccd749c662735103c071403010001011603010030f711f2e238918f27b44cd51d5175ae050c3f2f461b346ec944834b53b14a464fc5fba56d6354a5bf3b91bbb1eddff456
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 4: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 4: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
   SSL: adding session 
07f4d62a74fd69c2f9c148b84c4d48990f576d732ef00472799c3937e4940d62 to cache
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.213.210 port 1067
     EAP-Message = 
0x0105004119001403010001011603010030298180873d3f4e5440ba30c711070f1ffeb5992384662bcfeadbb8d3e89b5070a186fc070f3316599a9cf94b9e4ab05d
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c033810091ab54c20eb7bf1588770
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=5, length=216
     Message-Authenticator = 0x2cac919d164387ddc825c989d5c197e1
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c033810091ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020500061900
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 5: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 5: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.213.210 port 1067
     EAP-Message = 
0x0106002b1900170301002053a780d9c0f3ca9b195e38b9697b45e0eae817c1ec0f172ffec177e8714208da
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c0338110a1ab54c20eb7bf1588770
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=6, length=269
     Message-Authenticator = 0x07372ed61087d095166610e927fb148a
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c0338110a1ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 
0x0206003b19001703010030c34f2c5b9c08e2e0d50ead10130291b17dfbe159fa0a1d1bd634f5188f13d1859bc17dd94ef124e1e33588a5825dd88f
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 6: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 6: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - POMORSU\rahs
[peap] Got inner identity 'POMORSU\rahs'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
     EAP-Message = 0x0206001201504f4d4f5253555c75736f7773
server  {
   PEAP: Setting User-Name to POMORSU\rahs
Sending tunneled request
     EAP-Message = 0x0206001201504f4d4f5253555c75736f7773
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = "POMORSU\\rahs"
server  {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
     (Attribute Called-Station-Id was not found)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> FALSE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> FALSE
+++- entering else else {...}
++++[noop] returns noop
+++- else else returns noop
++- policy extract_ssid returns noop
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server
[peap] Got tunneled reply code 11
     EAP-Message = 
0x010700271a0107002210d6925886b862a504eb6b55d312656f74504f4d4f5253555c75736f7773
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x7e9ab6a97e9dacde2a97339e291c9d54
[peap] Got tunneled reply RADIUS code 11
     EAP-Message = 
0x010700271a0107002210d6925886b862a504eb6b55d312656f74504f4d4f5253555c75736f7773
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x7e9ab6a97e9dacde2a97339e291c9d54
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.213.210 port 1067
     EAP-Message = 
0x0107004b190017030100401918b2856d2a053eb747138f06f073e03afa717026737760282561356040e458f02c871626106dbd20a3b3dea0c08d5b193226e4ac5fbc9df1c860d32576b134
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x140c0338120b1ab54c20eb7bf1588770
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=7, length=317
     Message-Authenticator = 0x42d12e68ead55a70709a762bdf1c067a
     Service-Type = Framed-User
     User-Name = "POMORSU\\rahs"
     Framed-MTU = 1488
     State = 0x140c0338120b1ab54c20eb7bf1588770
     Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
     Calling-Station-Id = "00-1F-3C-3D-DF-8C"
     NAS-Identifier = "D-Link Access Point"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 
0x0207006b19001703010060c41186f2cf41d55750b4e6f2d6aec2644d88dc5e8cb5a933bcd3ffe919977510236b26c30a2546eb6b2564da426d1fcf8a7ec2433c480a7f3ee861b4ca86ab71c63246b5b541043ac881dc6e351fe40c1a81337b2b0b647a8bfab0bd8b1e17a5
     NAS-IP-Address = 192.168.213.210
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}
     expand: %{7} -> localnet1
++++[request] returns ok
++++? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) -> TRUE
++++? if (Called-Station-SSID == localnet1) -> TRUE
++++- entering if (Called-Station-SSID == localnet1) {...}
+++++[request] returns ok
++++- if (Called-Station-SSID == localnet1) returns ok
++++ ... skipping else for request 7: Preceding "if" was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok
+++ ... skipping else for request 7: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
     EAP-Message = 
0x020700481a0207004331a1167cc77188ebb67c99c3cbea43b32a000000000000000051a42d5e5822c1170d326960eae781a91b746bf0486a7ffc00504f4d4f5253555c75736f7773
server  {
   PEAP: Setting User-Name to POMORSU\rahs
Sending tunneled request
     EAP-Message = 
0x020700481a0207004331a1167cc77188ebb67c99c3cbea43b32a000000000000000051a42d5e5822c1170d326960eae781a91b746bf0486a7ffc00504f4d4f5253555c75736f7773
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = "POMORSU\\rahs"
     State = 0x7e9ab6a97e9dacde2a97339e291c9d54
server  {
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
     (Attribute Called-Station-Id was not found)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> FALSE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
-> FALSE
+++- entering else else {...}
++++[noop] returns noop
+++- else else returns noop
++- policy extract_ssid returns noop
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 72
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/default
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: rahs
[mschap] Told to do MS-CHAPv2 for rahs with NT-Password
[mschap]     expand: --domain=%{mschap:NT-Domain} -> --domain=POMORSU
[mschap]     expand: --username=%{mschap:User-Name} -> --username=rahs
[mschap]  mschap2: d6
[mschap] Creating challenge hash with username: rahs
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c834304f4e49dc11
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=51a42d5e5822c1170d326960eae781a91b746bf0486a7ffc
[mschap]     expand: --require-membership-of=POMORSU+%{AD-Group} -> --require-membership-of=POMORSU+
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

07.12.2011 13:32, Fajar A. Nugraha wrote:
> On Wed, Dec 7, 2011 at 4:11 PM, Сергей Усов<usows at pomorsu.ru>  wrote:
>    
>> Hi
>>
>> I try to configure authentication via ntlm_auth to check the user group. All
>> authentication attempts are rejected
>>      
> What does the debug log say when the authentications are rejected?
>
>    
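
The end of the debug output above shows `--require-membership-of=POMORSU+%{AD-Group}` expanding to `--require-membership-of=POMORSU+`, with nothing after the `+`, just before `ntlm_auth` returns a logon failure. As an added example (not part of the original post and not FreeRADIUS code), this Python script scans FreeRADIUS debug output for `%{...}` references that expanded to an empty string, including lines a mail client wrapped after `->`; the sample lines are copied from the log above, the function names are illustrative, and the matching is a heuristic.

```python
import re

# Sample input: lines copied from the debug log in the post above,
# including the mail-client wrapping after "->".
SAMPLE_LOG = """\
[mschap]     expand: --domain=%{mschap:NT-Domain} -> --domain=POMORSU
[mschap]     expand: --username=%{mschap:User-Name} -> --username=rahs
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=c834304f4e49dc11
[mschap]     expand: --require-membership-of=POMORSU+%{AD-Group} -> 
--require-membership-of=POMORSU+
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
"""

EXPAND = re.compile(r"expand:\s+(?P<tpl>.*?)\s+->\s*(?P<res>.*)$")


def split_template(template):
    """Split a template into ("lit", text) and ("ref", "%{...}") parts."""
    parts, i, start = [], 0, 0
    while i < len(template):
        if not template.startswith("%{", i):
            i += 1
            continue
        if i > start:
            parts.append(("lit", template[start:i]))
        depth, j = 1, i + 2          # match braces so %{%{a}:-b} is one ref
        while j < len(template) and depth:
            if template.startswith("%{", j):
                depth += 1
                j += 2
                continue
            if template[j] == "}":
                depth -= 1
            j += 1
        parts.append(("ref", template[i:j]))
        i = start = j
    if start < len(template):
        parts.append(("lit", template[start:]))
    return parts


def parse_expansions(log_text):
    """Yield (template, result) pairs, rejoining results wrapped onto the next line."""
    lines = log_text.splitlines()
    for n, line in enumerate(lines):
        m = EXPAND.search(line)
        if not m:
            continue
        tpl, res = m["tpl"], m["res"].strip()
        parts = split_template(tpl)
        prefix = parts[0][1] if parts and parts[0][0] == "lit" else ""
        nxt = lines[n + 1].strip() if n + 1 < len(lines) else ""
        # Only treat the next line as a continuation if it starts with the
        # template's literal prefix; otherwise it is a new log line.
        if res == "" and prefix and nxt.startswith(prefix):
            res = nxt
        yield tpl, res


def empty_references(template, result):
    """Return the %{...} references in template that expanded to ''."""
    pattern, groups, prev = "", [], None
    for kind, text in split_template(template):
        if kind == "lit":
            pattern += re.escape(text)
        elif prev == "ref":
            groups[-1].append(text)   # adjacent refs share one capture group
        else:
            pattern += "(.*?)"
            groups.append([text])
        prev = kind
    m = re.fullmatch(pattern, result, re.DOTALL)
    if m is None:
        return []                     # result does not line up; do not guess
    return [ref for refs, val in zip(groups, m.groups()) if val == "" for ref in refs]


def analyze(log_text):
    """Report empty expansions and whether any external program exited non-zero."""
    findings = [
        {"reference": ref, "template": tpl, "expanded": res}
        for tpl, res in parse_expansions(log_text)
        for ref in empty_references(tpl, res)
    ]
    codes = [int(c) for c in re.findall(r"Exec-Program: returned: (\d+)", log_text)]
    return {"empty": findings, "exec_failed": any(c != 0 for c in codes)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["empty"]:
        print(f"{f['reference']} expanded to nothing in: {f['expanded']}")
    print("external program failed:", report["exec_failed"])
```
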

