Wired 802.1X + FreeRADIUS + LDAP issue

Ryan Garland sheffy at gmail.com
Tue Dec 13 03:30:05 CET 2011


On Sat, Dec 10, 2011 at 1:54 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
> Ryan Garland wrote:
> > We have also tried creating the certs with the bootstrap program and
> > modifying eap.conf accordingly, to no avail.
> >
> > For reference, eapol_test also fails in the same manner when running
> > locally on the FreeRADIUS box.
>
>  Uh... then all bets are off.  If eapol_test doesn't work, then you
> broke the FR configuration.  FR && eapol_test work together.  I do this
> pretty much every day.
>
>  Post the output from eapol_test.  It should produce *many* messages
> describing exactly what is going wrong, and why.

Thanks for the response, Alan.

It turns out part of my issue was certificate related.  This has been
resolved, but eapol_test continues to fail for a different reason.
However, I am having trouble determining a fix.

Attached is the eapol_test configuration, debug output, FreeRADIUS
configuration & debug output.

It appears that the relevant portion of the FreeRADIUS debug output is:

Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
	EAP-Message = 0x04010004
	Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user ryan
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

I am having an even more difficult time deciphering the eapol_test
debug output - I just see the EAP failure from the radius server.

I have also tried commenting out 'virtual_server = "inner-tunnel"' in
the ttls section of eap.conf to force it to use default (as the
documentation inside the "default" virtual server would seem to imply
I should do) and I get the same result.  I may be mis-reading it,
however.

Do you see something glaringly wrong?  I appreciate any insight you can provide.

-RG
-------------- next part --------------
root at ldap3:/etc/freeradius# cat eapol_test.conf.ttls_md5
network={
eap=TTLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="ryan"
password="garyrocks"
ca_cert="/usr/share/doc/freeradius/examples/certs/ca.pem"
phase2="auth=MD5"
}

----- eapol_test debug -----


root at ldap3:/etc/freeradius# eapol_test -c eapol_test.conf.ttls_md5 -a127.0.0.1 -p1812 -stesting123 -r1
Reading configuration file 'eapol_test.conf.ttls_md5'
Line: 1 - start of a new network block
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x8
identity - hexdump_ascii(len=4):
     72 79 61 6e                                       ryan            
password - hexdump_ascii(len=8):
     33 78 6d 73 39 77 6a 32                           garyrocks        
ca_cert - hexdump_ascii(len=47):
     2f 75 73 72 2f 73 68 61 72 65 2f 64 6f 63 2f 66   /usr/share/doc/f
     72 65 65 72 61 64 69 75 73 2f 65 78 61 6d 70 6c   reeradius/exampl
     65 73 2f 63 65 72 74 73 2f 63 61 2e 70 65 6d      es/certs/ca.pem 
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 4d 44 35                           auth=MD5        
Priority group 0
   id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:13796
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=4):
     72 79 61 6e                                       ryan            
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=9)
TX EAP -> RADIUS - hexdump(len=9): 02 00 00 09 01 72 79 61 6e
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=4): 72 79 61 6e
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=116
   Attribute 1 (User-Name) length=6
      Value: 'ryan'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=11
      Value: 02 00 00 09 01 72 79 61 6e
   Attribute 80 (Message-Authenticator) length=18
      Value: 78 7a a7 6a 6e 06 01 9e a5 9a d0 99 da c0 53 72
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 64 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=64
   Attribute 79 (EAP-Message) length=8
      Value: 01 01 00 06 15 20
   Attribute 80 (Message-Authenticator) length=18
      Value: a4 8c 75 9e de dc 09 1c 1a 24 4f 82 69 94 6d a0
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 55 0e 18 f5 a9 06 ff a2 a2 a1 77 a4
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=6) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)
EAP-TTLS: Phase2 type: EAP
TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TTLS: Start (server ver=0, own ver=0)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
EAP-TTLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 95 bytes pending from ssl_out
SSL: 95 bytes left to be sent out (of total 95 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=101)
TX EAP -> RADIUS - hexdump(len=101): 02 01 00 65 15 00 16 03 01 00 5a 01 00 00 56 03 01 4e e6 ae 33 b0 08 bb 8a 13 2e 8b bd c6 aa c4 e8 1e a9 ca 1b eb 27 59 af 11 68 da f0 94 a1 6f ef 00 00 28 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 04 00 23 00 00
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=226
   Attribute 1 (User-Name) length=6
      Value: 'ryan'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=103
      Value: 02 01 00 65 15 00 16 03 01 00 5a 01 00 00 56 03 01 4e e6 ae 33 b0 08 bb 8a 13 2e 8b bd c6 aa c4 e8 1e a9 ca 1b eb 27 59 af 11 68 da f0 94 a1 6f ef 00 00 28 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 04 00 23 00 00
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 55 0e 18 f5 a9 06 ff a2 a2 a1 77 a4
   Attribute 80 (Message-Authenticator) length=18
      Value: 9f e0 9b 95 e0 5f ba e7 72 3c 5e ff 4d 2f d6 23
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 1090 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=1090
   Attribute 79 (EAP-Message) length=255
      Value: 01 02 04 00 15 c0 00 00 05 f6 16 03 01 00 31 02 00 00 2d 03 01 4e e6 ae 33 b2 f4 7e 03 e1 df 84 a6 22 95 4a 14 c7 ee a4 90 9a a2 c0 5c 8c 73 d9 91 38 6e ac 1d 00 00 39 01 00 05 ff 01 00 01 00 16 03 01 03 a0 0b 00 03 9c 00 03 99 00 03 96 30 82 03 92 30 82 02 7a a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 8d 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 0b 30 09 06 03 55 04 08 13 02 43 41 31 16 30 14 06 03 55 04 07 13 0d 53 61 6e 20 46 72 61 6e 63 69 73 63 6f 31 12 30 10 06 03 55 04 0a 13 09 6a 75 73 74 69 6e 2e 74 76 31 1e 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 69 6e 66 72 61 40 6a 75 73 74 69 6e 2e 74 76 31 25 30 23 06 03 55 04 03 13 1c 52 61 64 69 75 73 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74
   Attribute 79 (EAP-Message) length=255
      Value: 79 30 1e 17 0d 31 31 31 32 31 33 30 30 35 32 30 37 5a 17 0d 31 32 31 32 31 32 30 30 35 32 30 37 5a 30 72 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 0b 30 09 06 03 55 04 08 13 02 43 41 31 12 30 10 06 03 55 04 0a 13 09 6a 75 73 74 69 6e 2e 74 76 31 22 30 20 06 03 55 04 03 13 19 52 61 64 69 75 73 20 53 65 72 76 65 72 20 43 65 72 74 69 66 69 63 61 74 65 31 1e 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 69 6e 66 72 61 40 6a 75 73 74 69 6e 2e 74 76 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 e7 a1 59 7a 48 af 97 be 6d 5d bf a9 7d 88 d0 cb 49 1c f8 e8 75 c6 32 61 18 17 bb 9b 7f 72 03 4d 41 d2 5a 07 5b 8c 35 12 bb 27 39 44 8e 72 ce e9 7b 77 0c 05 83 f9 50 36 a0 91 15 52 b6 63 05 ec 53 ed f0 51 f0 4f 48
   Attribute 79 (EAP-Message) length=255
      Value: 7f 11 50 d2 f0 c1 db 67 cf c2 cb 3a 27 81 2e 4a 86 9a 16 33 9f d4 42 d0 67 32 5f f2 43 07 23 73 af 18 5b 83 e1 cb d5 3f b6 bf 6e 07 f1 db 84 6e f6 c5 db d0 32 b8 58 f4 f0 09 a4 36 b0 28 6b d1 d4 ed 33 14 90 94 f8 d9 07 56 42 15 2d a5 cd d2 69 a2 0d 75 3d 5c a0 f1 09 dd 74 37 78 2e 8a 91 5f 64 6f 82 2e 7c 3d c1 07 24 e5 94 be 84 e3 1a fa 42 88 9c 95 df f2 8c 9c d6 8f 63 c7 5d 0e fd cf c0 f7 4c 44 c8 c3 86 36 bf 61 52 cd 60 16 31 52 e3 05 b5 c3 02 cf d7 13 f4 92 73 94 21 0f 84 2b 26 ff 98 80 4c 8e 57 91 3d 28 80 cb 4d a6 b4 6b c8 fb b6 8a 1b a5 67 17 02 03 01 00 01 a3 17 30 15 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 01 01 00 68 e1 c1 ca bb e3 73 f9 a7 89 0d 3a 1d 05 a8 76 9a 99
   Attribute 79 (EAP-Message) length=255
      Value: 66 c2 ab 96 26 a3 39 1c c4 a5 9d b1 c8 02 b9 7d 60 f8 4b 7b 10 04 7b d2 ec 31 aa 79 a6 59 28 be 23 a2 3d 36 4d 19 e8 5e 84 8c ce 9c 57 76 a0 cb 9a b3 5c 7a 10 50 ea 0f 01 dc 4e dd c7 2b d9 e6 19 8f 77 6f 63 b7 ec 10 03 9f e4 3a 19 bd 0d d3 84 0b 48 84 22 b4 f0 c1 da ef 81 ea ee 2e db 80 d9 36 c8 91 96 d6 14 e2 e9 93 77 c6 40 2e 44 b5 28 99 52 c5 18 52 44 6c bd f2 40 16 3c 0c 8f 44 6f 51 60 6f cb 9e f6 2f 71 30 35 72 04 ae ff 65 16 3d 69 5b 8a e6 67 c3 69 ff 95 30 0d e8 3c 97 eb 39 16 ce d7 af d2 2d ea db 19 59 a5 21 2b 1d ba a3 32 dd 65 a8 8c 21 1d 2c c2 41 9d 26 e4 a6 5e 62 f5 d5 f0 47 5d bd ab 22 b8 49 0b 14 1b ac db e0 8a 45 d9 71 50 70 1c 38 cf 9e a6 fd 29 e8 4b 05 65 c7 ca e1 8d b4 db 85 9f 73 92 3b 16 03 01 02 0d 0c 00 02 09 00 80 fb ae 81 c9
   Attribute 79 (EAP-Message) length=14
      Value: 8e 42 8c fa f7 b9 61 7d b1 4b 5b 10
   Attribute 80 (Message-Authenticator) length=18
      Value: 8c e3 03 10 6d 19 0b 0a 12 f1 b3 0b f7 df b7 f1
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 54 0d 18 f5 a9 06 ff a2 a2 a1 77 a4
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=1024) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1024) - Flags 0xc0
SSL: TLS Message Length: 1526
SSL: Need 512 bytes more input data
SSL: Building ACK (type=21 id=2 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 02 00 06 15 00
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=2 length=131
   Attribute 1 (User-Name) length=6
      Value: 'ryan'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 02 00 06 15 00
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 54 0d 18 f5 a9 06 ff a2 a2 a1 77 a4
   Attribute 80 (Message-Authenticator) length=18
      Value: 1f a6 cb d3 7a 02 b7 8b 74 d1 fd 07 24 84 71 39
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 584 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=2 length=584
   Attribute 79 (EAP-Message) length=255
      Value: 01 03 02 0a 15 80 00 00 05 f6 74 cd 84 d8 a0 9f 61 f9 63 c6 94 db fe ff 8e 21 3d 4e 50 41 24 80 1b a9 d9 08 66 bb 70 cc a0 60 28 52 34 39 04 ae 50 dc 6b 84 7a c5 ea 31 79 65 42 9b 8d 8d fa 71 4a f4 0b af 99 bc e5 28 4a 01 9b 43 69 44 03 ea 06 61 a3 1c 10 1a 74 22 df cc 04 df ea f1 58 1f 81 5f 50 56 79 d0 bb 0f c0 b2 5b e7 b0 d7 b5 66 9b 15 64 1f 2b b7 ec 34 61 0b 00 01 02 00 80 9c 6a d2 3d 58 69 6e 08 cc 0b ca 83 02 2b c5 a8 95 58 60 e9 3d 3e ab f1 b8 df f3 7a b3 96 25 2e a9 96 fe eb b5 d2 6b 1d da 68 be 5d 2b 1a 5d f0 17 2c 48 a1 6f 61 68 6e 78 26 00 b7 b7 75 38 fc 79 27 0b 64 7b f7 be f2 05 8c 6c 4c 3e 64 90 ac 30 68 54 7c 06 66 07 a6 49 bb c5 ca fd b0 88 de d6 08 c2 ec 11 68 d6 48 4c 67 85 d6 23 2a 92 19 cd 77 d9 ca 21 d3 b7 e4 ba c9 d2 8d da 16
   Attribute 79 (EAP-Message) length=255
      Value: 31 d9 01 00 36 d0 15 69 9e 29 91 08 22 ac 16 a7 2b 54 18 c1 cd fe ef ee e3 88 f9 86 c7 34 6b 24 a8 b4 df 3f 71 0e 65 f9 ac de 2e 89 8c a7 83 78 f8 7e 30 39 fb 62 33 03 42 39 fb 53 d7 e1 2c c5 77 b9 53 0b fb c5 1a 81 bf 82 f4 ee 5c 1e 17 c6 5e 02 ed ab d4 2f 24 74 f5 32 14 a1 f2 e5 c2 00 4b 6a 4d 89 78 ea 5f d3 06 1f 08 bd 7e 0b 8e f1 a7 73 75 98 f2 27 de 59 97 00 15 20 87 c6 cb f7 68 df 7c 97 d3 48 79 75 c9 88 23 85 51 2b d1 37 d5 72 34 15 a3 be 2d f8 ed 88 d8 f0 c3 51 38 f2 cd ec d4 f7 7c 40 56 46 b1 79 d0 7a 81 81 79 14 a9 9d 4d fb fd 95 a5 7f 60 e7 94 07 8f 6c 15 14 5d cf 07 07 81 92 af 4a 15 5d 3c a1 54 0b 79 e6 5a a9 93 c3 d5 55 3c 6e 3d f5 2b f8 ab 84 b8 56 2f b0 79 8c d3 8f 45 ce 7a 29 8f f8 09 06 2a 70 68 fd 69 eb 48 4b e9 00 d1 17 2e b5 37
   Attribute 79 (EAP-Message) length=18
      Value: dc bf 0f ff 5b 41 be 16 03 01 00 04 0e 00 00 00
   Attribute 80 (Message-Authenticator) length=18
      Value: 13 d7 75 11 53 8f c1 64 95 4c 16 e1 bc 61 23 5b
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 57 0c 18 f5 a9 06 ff a2 a2 a1 77 a4
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=3 len=522) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=3 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=522) - Flags 0x80
SSL: TLS Message Length: 1526
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=US/ST=CA/L=San Francisco/O=domain.com/emailAddress=infra at domain.com/CN=Radius Certificate Authority'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/ST=CA/L=San Francisco/O=domain.com/emailAddress=infra at domain.com/CN=Radius Certificate Authority'
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=US/ST=CA/O=domain.com/CN=Radius Server Certificate/emailAddress=infra at domain.com'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=CA/O=domain.com/CN=Radius Server Certificate/emailAddress=infra at domain.com'
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server certificate A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server key exchange A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server done A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client key exchange A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write change cipher spec A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write finished A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 flush data
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect - want more data
SSL: 198 bytes pending from ssl_out
SSL: 198 bytes left to be sent out (of total 198 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=204)
TX EAP -> RADIUS - hexdump(len=204): 02 03 00 cc 15 00 16 03 01 00 86 10 00 00 82 00 80 a3 f1 17 f6 6f 99 55 f3 c8 14 fb 68 2a 41 35 05 6b 4b 91 9f 87 21 f1 4f 03 06 f0 2f 97 0e 42 8f 67 76 40 ef 47 25 4f a6 75 c7 a5 ab 4f ab 74 14 ab 44 69 b3 62 e9 ac e3 06 02 d6 d6 ea 54 34 d7 38 d8 5f 66 45 9b 83 d2 4f 61 9f 4e 58 26 97 ea 01 bf ed 16 b0 53 72 30 41 ad ed 1a 88 c3 06 6b 92 d7 73 0d 4d e5 d7 c6 12 e9 09 45 25 44 13 ad 19 9a 64 1f 1a 18 fe 89 0d 26 c1 a7 5c c6 84 81 14 03 01 00 01 01 16 03 01 00 30 de dc a9 0f 9a ef 97 af 9f bd 4e 22 2d d4 fd 8a df d8 ef 21 79 f9 07 ed db ba d6 90 f3 44 75 22 2f 5e a0 66 23 2e 25 1d 1a f4 32 2e bd 13 3b c0
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=3 length=329
   Attribute 1 (User-Name) length=6
      Value: 'ryan'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=206
      Value: 02 03 00 cc 15 00 16 03 01 00 86 10 00 00 82 00 80 a3 f1 17 f6 6f 99 55 f3 c8 14 fb 68 2a 41 35 05 6b 4b 91 9f 87 21 f1 4f 03 06 f0 2f 97 0e 42 8f 67 76 40 ef 47 25 4f a6 75 c7 a5 ab 4f ab 74 14 ab 44 69 b3 62 e9 ac e3 06 02 d6 d6 ea 54 34 d7 38 d8 5f 66 45 9b 83 d2 4f 61 9f 4e 58 26 97 ea 01 bf ed 16 b0 53 72 30 41 ad ed 1a 88 c3 06 6b 92 d7 73 0d 4d e5 d7 c6 12 e9 09 45 25 44 13 ad 19 9a 64 1f 1a 18 fe 89 0d 26 c1 a7 5c c6 84 81 14 03 01 00 01 01 16 03 01 00 30 de dc a9 0f 9a ef 97 af 9f bd 4e 22 2d d4 fd 8a df d8 ef 21 79 f9 07 ed db ba d6 90 f3 44 75 22 2f 5e a0 66 23 2e 25 1d 1a f4 32 2e bd 13 3b c0
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 57 0c 18 f5 a9 06 ff a2 a2 a1 77 a4
   Attribute 80 (Message-Authenticator) length=18
      Value: a0 e8 68 c8 c1 e3 5f ec 32 56 84 82 b1 f7 52 22
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 127 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=3 length=127
   Attribute 79 (EAP-Message) length=71
      Value: 01 04 00 45 15 80 00 00 00 3b 14 03 01 00 01 01 16 03 01 00 30 ca d4 7a f4 5d 16 48 ca fe e4 a5 0c 20 41 49 2a 6f a6 72 a4 50 91 f9 90 1e 0a fe 14 be f4 3c 2c 65 26 e5 d2 65 19 7f f9 ac 7b 45 ea b3 7b ac 6c
   Attribute 80 (Message-Authenticator) length=18
      Value: aa 19 9f b4 50 ad e6 ea 9b 25 bd c8 82 af 64 c4
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 56 0b 18 f5 a9 06 ff a2 a2 a1 77 a4
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=4 len=69) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=4 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=69) - Flags 0x80
SSL: TLS Message Length: 59
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read finished A
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
SSL: 0 bytes pending from ssl_out
SSL: No Application Data included
SSL: No data to be sent out
EAP-TTLS: TLS done, proceed to Phase 2
EAP-TTLS: Derived key - hexdump(len=64): cf 0d f5 e7 ba 89 3e fc 68 89 75 26 51 73 ae 8e 33 62 e8 e9 b6 1b d7 f9 01 45 00 0c ea 48 f0 20 ee 8c 9b fe f4 bb da d2 aa e6 3a 63 ac a8 71 5c d8 10 7f 6d 7e 4a ba 42 cd 74 05 4c 47 e5 ad 4d
EAP-TTLS: received 0 bytes encrypted data for Phase 2
EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request Identity
EAP-TTLS: Phase 2 EAP Request: type=1
EAP: using real identity - hexdump_ascii(len=4):
     72 79 61 6e                                       ryan            
EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=9): 02 00 00 09 01 72 79 61 6e
EAP-TTLS: Encrypting Phase 2 data - hexdump(len=20): 00 00 00 4f 40 00 00 11 02 00 00 09 01 72 79 61 6e 00 00 00
SSL: 90 bytes left to be sent out (of total 90 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=96)
TX EAP -> RADIUS - hexdump(len=96): 02 04 00 60 15 00 17 03 01 00 20 87 6b 87 f3 59 58 50 ed 30 3e 84 f7 84 9c 48 cd 6f be d5 2d bc 46 80 81 95 5c d0 83 ce a8 cd 90 17 03 01 00 30 37 64 4e 57 e8 2e d0 44 57 7f 79 f7 a9 20 08 3c a9 88 ed 1d 04 58 34 b1 0e a7 23 db 14 3d 21 bc 66 1b d3 d7 7c 6f 07 29 06 fa ac 3b 04 67 ad e4
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=4 length=221
   Attribute 1 (User-Name) length=6
      Value: 'ryan'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=98
      Value: 02 04 00 60 15 00 17 03 01 00 20 87 6b 87 f3 59 58 50 ed 30 3e 84 f7 84 9c 48 cd 6f be d5 2d bc 46 80 81 95 5c d0 83 ce a8 cd 90 17 03 01 00 30 37 64 4e 57 e8 2e d0 44 57 7f 79 f7 a9 20 08 3c a9 88 ed 1d 04 58 34 b1 0e a7 23 db 14 3d 21 bc 66 1b d3 d7 7c 6f 07 29 06 fa ac 3b 04 67 ad e4
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 56 0b 18 f5 a9 06 ff a2 a2 a1 77 a4
   Attribute 80 (Message-Authenticator) length=18
      Value: 2f 11 35 3c ec 1c f5 ba 0f 97 63 74 2f fb d0 99
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 137 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=4 length=137
   Attribute 79 (EAP-Message) length=81
      Value: 01 05 00 4f 15 80 00 00 00 45 17 03 01 00 40 a5 53 d5 14 47 b5 61 cd 42 f9 8c 5a bf a0 08 b3 ef 48 23 d6 6b e1 72 d4 7b ab f7 8d 1c 13 7b 33 50 0e 9b fd 89 63 c9 4e e1 5e ce 73 ec 5b 31 d0 85 26 ad c9 43 87 5f 5b 0b cf f1 2c 28 10 e2 02
   Attribute 80 (Message-Authenticator) length=18
      Value: cd 98 12 b1 3d 7f 37 62 89 e2 c5 28 e4 05 7d 8e
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 51 0a 18 f5 a9 06 ff a2 a2 a1 77 a4
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=5 len=79) from RADIUS server: EAP-Request-TTLS (21)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=5 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=79) - Flags 0x80
SSL: TLS Message Length: 69
EAP-TTLS: received 69 bytes encrypted data for Phase 2
EAP-TTLS: Decrypted Phase 2 AVPs - hexdump(len=32): 00 00 00 4f 40 00 00 1e 01 01 00 16 04 10 80 22 1c f0 38 3b 79 33 4b d6 c2 a7 38 eb e2 fe 00 00
EAP-TTLS: AVP: code=79 flags=0x40 length=30
EAP-TTLS: AVP data - hexdump(len=22): 01 01 00 16 04 10 80 22 1c f0 38 3b 79 33 4b d6 c2 a7 38 eb e2 fe
EAP-TTLS: AVP - EAP Message
EAP-TTLS: Phase 2 EAP - hexdump(len=22): 01 01 00 16 04 10 80 22 1c f0 38 3b 79 33 4b d6 c2 a7 38 eb e2 fe
EAP-TTLS: received Phase 2: code=1 identifier=1 length=22
EAP-TTLS: Phase 2 EAP Request: type=4
EAP-TTLS: Selected Phase 2 EAP vendor 0 method 4
EAP-MD5: Challenge - hexdump(len=16): 80 22 1c f0 38 3b 79 33 4b d6 c2 a7 38 eb e2 fe
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 9c b0 f3 55 a4 3f 1a 16 f7 7b e3 14 43 81 c6 16
EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=22): 02 01 00 16 04 10 9c b0 f3 55 a4 3f 1a 16 f7 7b e3 14 43 81 c6 16
EAP-TTLS: Encrypting Phase 2 data - hexdump(len=32): 00 00 00 4f 40 00 00 1e 02 01 00 16 04 10 9c b0 f3 55 a4 3f 1a 16 f7 7b e3 14 43 81 c6 16 00 00
SSL: 106 bytes left to be sent out (of total 106 bytes)
EAP-TTLS: Authentication completed successfully
EAP: method process -> ignore=FALSE methodState=DONE decision=COND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=112)
TX EAP -> RADIUS - hexdump(len=112): 02 05 00 70 15 00 17 03 01 00 20 aa 42 c2 77 d5 49 9b c2 ef 44 9a fa 36 34 24 7d 20 3a ea 69 90 44 95 08 bc 1f 51 8a 19 9b bc d0 17 03 01 00 40 fb cd be 99 5a e8 a6 e0 08 34 5d ac 3d 43 0a 60 04 c5 6a 10 59 43 d4 5a 33 1d d7 15 87 26 fe 45 65 cc 66 62 59 fd 89 0a 40 15 03 7e d1 32 47 e7 58 c1 da dd b0 7c 1e 62 d5 dd 32 a9 50 53 a9 2e
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=5 length=237
   Attribute 1 (User-Name) length=6
      Value: 'ryan'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=114
      Value: 02 05 00 70 15 00 17 03 01 00 20 aa 42 c2 77 d5 49 9b c2 ef 44 9a fa 36 34 24 7d 20 3a ea 69 90 44 95 08 bc 1f 51 8a 19 9b bc d0 17 03 01 00 40 fb cd be 99 5a e8 a6 e0 08 34 5d ac 3d 43 0a 60 04 c5 6a 10 59 43 d4 5a 33 1d d7 15 87 26 fe 45 65 cc 66 62 59 fd 89 0a 40 15 03 7e d1 32 47 e7 58 c1 da dd b0 7c 1e 62 d5 dd 32 a9 50 53 a9 2e
   Attribute 24 (State) length=18
      Value: 55 0f 0d 13 51 0a 18 f5 a9 06 ff a2 a2 a1 77 a4
   Attribute 80 (Message-Authenticator) length=18
      Value: 66 30 eb 87 6b 5d 4c 73 9f 9f f9 a3 14 ed 9a 7b
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=5 length=44
   Attribute 79 (EAP-Message) length=6
      Value: 04 05 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: 04 6e fb 39 e6 7f 09 b7 8b cd 73 71 d5 8e 53 4a
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 2
FAILURE



----- FreeRADIUS debug -----

root at ldap3:/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Oct  7 2011 at 10:59:41
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mschap.dpkg-dist
including configuration file /etc/freeradius/modules/ldap.dpkg-dist
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
	user = "freerad"
	group = "freerad"
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	require_message_authenticator = yes
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
  coa {
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client 10.9.252.177/32 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "oldradius"
	nastype = "other"
 }
 client 10.0.1.1/32 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "host-sfo01-or01"
	nastype = "other"
 }
 client 10.1.6.105/32 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "ldap3-local"
 }
 client 10.0.1.10/32 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "host-sfo01-aruba"
	nastype = "other"
 }
 client 10.0.1.94/32 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "garydesktop"
	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
 modules {
  Module: Creating Auth-Type = ldap
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
	use_mppe = no
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = yes
	allow_retry = yes
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
  ldap {
	server = "ldap.domain.com"
	port = 1389
	password = ""
	identity = ""
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	require_cert = "allow"
   }
	basedn = "dc=domain,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	edir_account_policy_check = no
	set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x15a4ab0
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
	default_eap_type = "ttls"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/usr/share/doc/freeradius/examples/certs/server.key"
	certificate_file = "/usr/share/doc/freeradius/examples/certs/server.pem"
	private_key_password = "whatever"
	dh_file = "/usr/share/doc/freeradius/examples/certs/dh"
	random_file = "/usr/share/doc/freeradius/examples/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	ecdh_curve = "prime256v1"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
	send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
	huntgroups = "/etc/freeradius/huntgroups"
	hints = "/etc/freeradius/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
	usersfile = "/etc/freeradius/users"
	acctusersfile = "/etc/freeradius/acct_users"
	preproxy_usersfile = "/etc/freeradius/preproxy_users"
	compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
  detail {
	detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
	filename = "/var/log/freeradius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/freeradius/attrs.accounting_response"
	key = "%{User-Name}"
	relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/freeradius/attrs.access_reject"
	key = "%{User-Name}"
	relaxed = no
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
 ... adding new socket proxy address * port 59758
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=0, length=116
	User-Name = "ryan"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x02000009017279616e
	Message-Authenticator = 0x787aa76a6e06019ea59ad099dac05372
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for ryan
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> ryan
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ryan)
[ldap] 	expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.domain.com:1389, authentication 0
  [ldap] bind as / to ldap.domain.com:1389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=domain,dc=com, with filter (uid=ryan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user ryan authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 13796
	EAP-Message = 0x010100061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x550f0d13550e18f5a906ffa2a2a177a4
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=1, length=226
	User-Name = "ryan"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020100651500160301005a0100005603014ee6ae33b008bb8a132e8bbdc6aac4e81ea9ca1beb2759af1168daf094a16fef00002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
	State = 0x550f0d13550e18f5a906ffa2a2a177a4
	Message-Authenticator = 0x9fe09b95e05fbae7723c5eff4d2fd623
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 101
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 005a], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 03a0], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 13796
	EAP-Message = 0x79301e170d3131313231333030353230375a170d3132313231323030353230375a3072310b3009060355040613025553310b300906035504081302434131123010060355040a13096a757374696e2e7476312230200603550403131952616469757320536572766572204365727469666963617465311e301c06092a864886f70d010901160f696e667261406a757374696e2e747630820122300d06092a864886f70d01010105000382010f003082010a0282010100e7a1597a48af97be6d5dbfa97d88d0cb491cf8e875c632611817bb9b7f72034d41d25a075b8c3512bb2739448e72cee97b770c0583f95036a0911552b66305ec53edf051f04f48
	EAP-Message = 0x8e428cfaf7b9617db14b5b10
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x550f0d13540d18f5a906ffa2a2a177a4
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=2, length=131
	User-Name = "ryan"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020200061500
	State = 0x550f0d13540d18f5a906ffa2a2a177a4
	Message-Authenticator = 0x1fa6cbd37a02b78b74d1fd0724847139
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 13796
	EAP-Message = 0xdcbf0fff5b41be16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x550f0d13570c18f5a906ffa2a2a177a4
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=3, length=329
	User-Name = "ryan"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020300cc15001603010086100000820080a3f117f66f9955f3c814fb682a4135056b4b919f8721f14f0306f02f970e428f677640ef47254fa675c7a5ab4fab7414ab4469b362e9ace30602d6d6ea5434d738d85f66459b83d24f619f4e582697ea01bfed16b053723041aded1a88c3066b92d7730d4de5d7c612e90945254413ad199a641f1a18fe890d26c1a75cc684811403010001011603010030dedca90f9aef97af9fbd4e222dd4fd8adfd8ef2179f907eddbbad690f34475222f5ea066232e251d1af4322ebd133bc0
	State = 0x550f0d13570c18f5a906ffa2a2a177a4
	Message-Authenticator = 0xa0e868c8c1e35fec32568482b1f75222
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 13796
	EAP-Message = 0x0104004515800000003b1403010001011603010030cad47af45d1648cafee4a50c2041492a6fa672a45091f9901e0afe14bef43c2c6526e5d265197ff9ac7b45eab37bac6c
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x550f0d13560b18f5a906ffa2a2a177a4
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=4, length=221
	User-Name = "ryan"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0204006015001703010020876b87f3595850ed303e84f7849c48cd6fbed52dbc468081955cd083cea8cd90170301003037644e57e82ed044577f79f7a920083ca988ed1d045834b10ea723db143d21bc661bd3d77c6f072906faac3b0467ade4
	State = 0x550f0d13560b18f5a906ffa2a2a177a4
	Message-Authenticator = 0x2f11353cec1cf5ba0f9763742ffbd099
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	EAP-Message = 0x02000009017279616e
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of ryan
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
	EAP-Message = 0x02000009017279616e
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "ryan"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for ryan
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> ryan
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ryan)
[ldap] 	expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=domain,dc=com, with filter (uid=ryan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user ryan authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
	EAP-Message = 0x01010016041080221cf0383b79334bd6c2a738ebe2fe
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xae90db2cae91df78230a4ce23b8222c8
[ttls] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 13796
	EAP-Message = 0x0105004f1580000000451703010040a553d51447b561cd42f98c5abfa008b3ef4823d66be172d47babf78d1c137b33500e9bfd8963c94ee15ece73ec5b31d08526adc943875f5b0bcff12c2810e202
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x550f0d13510a18f5a906ffa2a2a177a4
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=5, length=237
	User-Name = "ryan"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0205007015001703010020aa42c277d5499bc2ef449afa3634247d203aea6990449508bc1f518a199bbcd01703010040fbcdbe995ae8a6e008345dac3d430a6004c56a105943d45a331dd7158726fe4565cc666259fd890a4015037ed13247e758c1daddb07c1e62d5dd32a95053a92e
	State = 0x550f0d13510a18f5a906ffa2a2a177a4
	Message-Authenticator = 0x6630eb876b5d4c739f9ff9a314ed9a7b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	EAP-Message = 0x0201001604109cb0f355a43f1a16f77be3144381c616
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	EAP-Message = 0x0201001604109cb0f355a43f1a16f77be3144381c616
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "ryan"
	State = 0xae90db2cae91df78230a4ce23b8222c8
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ryan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 1 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for ryan
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> ryan
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ryan)
[ldap] 	expand: dc=domain,dc=com -> dc=domain,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=domain,dc=com, with filter (uid=ryan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user ryan authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
	EAP-Message = 0x04010004
	Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user ryan
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> ryan
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 5 to 127.0.0.1 port 13796
	EAP-Message = 0x04050004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +315
Cleaning up request 1 ID 1 with timestamp +315
Cleaning up request 2 ID 2 with timestamp +315
Cleaning up request 3 ID 3 with timestamp +315
Cleaning up request 4 ID 4 with timestamp +315
Waking up in 1.0 seconds.
Cleaning up request 5 ID 5 with timestamp +315
Ready to process requests.
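The debug output above can be read mechanically: FreeRADIUS prints "server <name> {" / "} # server <name>" around the inner virtual server, "[eap] processing type <x>" for the EAP method chosen at each layer, "++[module] returns <rc>" for each module's return code, and an "rlm_*:" line for the module's own explanation. The script below is an added example (not part of Ryan's post and not FreeRADIUS code) that walks one request's debug output and reports which virtual server, which module and which EAP method produced the first failure, together with any WARNING lines. The sample input is a constructed, abridged copy of the debug excerpt quoted above; the triage() and summarize() helpers are hypothetical names chosen for this example.

```python
import re

# Constructed sample input: an abridged copy of the FreeRADIUS debug output
# quoted in the post above (outer EAP-TTLS, inner-tunnel EAP-MD5 failure).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 13796, id=5, length=237
\tUser-Name = "ryan"
\tNAS-Port-Type = Wireless-802.11
# Executing section authorize from file /etc/freeradius/sites-enabled/default
++[eap] returns ok
Found Auth-Type = EAP
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Session established.  Proceeding to decode tunneled attributes.
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
[ldap] performing user authorization for ryan
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldap] returns ok
Found Auth-Type = EAP
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled Access-Reject
rlm_eap_ttls: Freeing handler for user ryan
++[eap] returns invalid
Failed to authenticate the user.
Sending Access-Reject of id 5 to 127.0.0.1 port 13796
"""

RE_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
RE_SERVER_OPEN = re.compile(r'^server (\S+) \{')
RE_SERVER_CLOSE = re.compile(r'^\} # server (\S+)')
RE_EAP_TYPE = re.compile(r'^\[eap\] processing type (\w+)')
RE_MODULE_RC = re.compile(r'^\+\+\[([^\]]+)\] returns (\w+)')
RE_RLM_MSG = re.compile(r'^(rlm_\w+): (.*)$')
RE_WARNING = re.compile(r'^WARNING: (.*)$')
FAILING_RCS = ("invalid", "reject", "fail", "userlock")


def triage(debug_text):
    """Walk one request's debug output and locate the first authentication failure.

    Returns a dict with the user, the outer and inner EAP types, the virtual
    server in which 'Failed to authenticate' first appeared, the module that
    returned a failing code there, the rlm_* message explaining it, any
    WARNING lines, and whether an Access-Reject was finally sent.
    """
    result = {"user": None, "outer_eap": None, "inner_eap": None,
              "failed_in": None, "failing_module": None, "reason": None,
              "warnings": [], "rejected": False}
    stack = []  # virtual servers entered; empty means the outer 'default' server
    for line in debug_text.splitlines():
        m = RE_USER.match(line)
        if m and result["user"] is None:
            result["user"] = m.group(1)
            continue
        m = RE_SERVER_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if RE_SERVER_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = RE_EAP_TYPE.match(line)
        if m:
            key = "inner_eap" if stack else "outer_eap"
            if result[key] is None:
                result[key] = m.group(1)
            continue
        m = RE_WARNING.match(line)
        if m:
            result["warnings"].append(m.group(1))
            continue
        if result["failed_in"] is None:  # only the first failure matters
            m = RE_RLM_MSG.match(line)
            if m and result["reason"] is None:
                result["reason"] = m.group(2)
                continue
            m = RE_MODULE_RC.match(line)
            if m and m.group(2) in FAILING_RCS:
                result["failing_module"] = m.group(1)
                continue
            if line.startswith("Failed to authenticate the user"):
                result["failed_in"] = stack[-1] if stack else "default"
                continue
        if line.startswith("Sending Access-Reject"):
            result["rejected"] = True
    return result


def summarize(result):
    """One-line human-readable verdict built from a triage() result."""
    chain = result["outer_eap"] or "?"
    if result["inner_eap"]:
        chain += " / " + result["inner_eap"]
    verdict = "Access-Reject sent" if result["rejected"] else "no reject seen"
    return ("user=%s eap=%s failed_in=%s module=%s reason=%r (%s; %d warning(s))"
            % (result["user"], chain, result["failed_in"], result["failing_module"],
               result["reason"], verdict, len(result["warnings"])))


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_DEBUG)))
```

Run against the sample, the script reports the failure in the inner-tunnel server, from the eap module, with the EAP chain ttls / md5 and the reason "Cleartext-Password is required for EAP-MD5 authentication", alongside the LDAP "known good password" warning: exactly the two lines in the quoted output that need to be read together, since the inner EAP-MD5 method can only succeed when a cleartext password is available to the server.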

