eappeap_postproxy() - set fake->proxy_reply
Ken-ichirou MATSUZAWA
chamas at h4.dion.ne.jp
Wed Feb 16 13:42:31 CET 2011
Hello,
Let me explain in more detail. I want to proxy PEAP to an
old server that cannot handle EAP. This worked on 2.0.4
but does not work on 2.1.10, and I can't understand what is wrong.
Comparing the debug output of the two versions, I noticed one difference: after
"[eap] Passing reply back for EAP-MS-CHAP-V2"
mschap_postproxy() was called in 2.0.4, but not in 2.1.10.
Thanks.
-------- configuration
# Trimmed radiusd.conf used to reproduce the problem: PEAP is terminated on
# this server and the inner EAP-MSCHAPv2 exchange is proxied as plain
# MS-CHAPv2 to the realm "legacy", whose home server cannot handle EAP.
# NOTE(review): this is a test setup posted to a public list. The shared
# secrets and the key password below should be treated as disclosed and
# must not be reused on a production server.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
checkrad = ${sbindir}/checkrad
# Proxying must be enabled for the inner-tunnel request to reach "legacy".
proxy_requests = yes
listen {
type = auth
# Listens on every local address; the debug output on this page shows
# port = 0 resolving to the default authentication port 1812.
ipaddr = *
port = 0
}
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
# auth = no: authentication requests are not written to the log file, so
# there is no accept/reject audit trail outside debug mode.
auth = no
# Passwords of failed and successful attempts are kept out of the log.
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
# Rejects are held back for one second (see "Delaying reject of request 9"
# in the debug output), which slows password guessing.
reject_delay = 1
# The server answers Status-Server requests.
status_server = yes
}
realm legacy {
# Home server that receives the proxied MS-CHAPv2 request.
authhost = 192.168.1.5:1645
# "testing123" is the widely known FreeRADIUS sample secret. Use a long
# random value in production and redact it before posting a config.
secret = testing123
}
# Any source address inside 10.0.0.0/8 is accepted as a RADIUS client with
# this one secret. Narrowing the range to the real NAS addresses limits who
# can send requests.
client 10.0.0.0/8 {
secret = testing456
shortname = priv10
nastype = other
}
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
eap {
# EAP-MSCHAPv2 is offered first; the debug output shows the client answering
# with a NAK and asking for PEAP.
default_eap_type = mschapv2
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# The key passphrase is stored in cleartext, and debug mode prints it back
# (see the tls { } block in the debug output). Restrict read access to this
# file and scrub the value from any output that is shared.
private_key_password = tetest123
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
# NOTE(review): "DEFAULT" leaves cipher selection to the linked OpenSSL
# build; confirm that the resulting list excludes weak suites.
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
# With "no", the inner EAP-MSCHAPv2 is unwrapped and proxied as plain
# MS-CHAPv2. In the debug output MS-CHAP-Challenge and MS-CHAP2-Response are
# sent to 192.168.1.5 as ordinary RADIUS attributes, outside the TLS tunnel,
# so that hop should stay on a trusted network segment.
proxy_tunneled_request_as_eap = no
# Inner (tunneled) requests are processed by "server inner-tunnel".
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
}
# Virtual server for the request carried inside the PEAP tunnel.
server inner-tunnel {
authorize {
# Every inner request is marked for proxying to the realm "legacy".
update control {
Proxy-To-Realm := legacy
}
}
authenticate {
eap
}
# eap is listed in post-proxy so that the proxied reply is handed back to
# the EAP module; this is the stage the message above asks about.
post-proxy {
eap
}
}
# Default (outer) server sections: these handle the RADIUS packets from the NAS.
authorize {
eap {
# Stop processing the authorize section once eap returns ok.
ok = return
}
}
authenticate {
eap
}
post-proxy {
eap
}
-------- debug output
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Feb 16 2011 at 10:52:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
realm legacy {
authhost = 192.168.1.5:1645
secret = testing123
}
radiusd: #### Loading Clients ####
client 10.0.0.0/8 {
require_message_authenticator = no
secret = "testing456"
shortname = "priv10"
nastype = "other"
}
radiusd: #### Instantiating modules ####
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/radiusd.conf
eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "tetest123"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=0, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x91266a66dc1560f4b180f267046f49cb
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.1.2.3 port 53932
EAP-Message = 0x010100231a0101001e10fe76bcb9c6b236ae40e3adc55e66f46f616e6f6e796d6f7573
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfc93649d1dbf26d3ddaf88693
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=1, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0xc93753dfc93649d1dbf26d3ddaf88693
Message-Authenticator = 0xdeaac1d575e4baf3e91cb822c6b3dc2d
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.1.2.3 port 53932
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfc8354ad1dbf26d3ddaf88693
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=2, length=235
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202006919800000005f160301005a0100005603014d5b0126eb0b34c231395606b2889596742fb84cc68a448175351ed334f887c100002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
State = 0xc93753dfc8354ad1dbf26d3ddaf88693
Message-Authenticator = 0xef9b9bf03448e138a16225eb9800d247
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 2 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06f0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.1.2.3 port 53932
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x35b397c3989cc525cf33cc0c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfcb344ad1dbf26d3ddaf88693
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=3, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0xc93753dfcb344ad1dbf26d3ddaf88693
Message-Authenticator = 0x19b455b774785afdcd942e93c3759284
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.1.2.3 port 53932
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x0af01f015b6df59297cded690adef79c2d523fdd1c08e08e8e4483dff64eb3b71d201db5567a2e1630c9f892b7baa3ed577317e60dc5883e22cab34a0c99164c252178b8160301020d0c0002090080a4c47d05e1daa33ff9a80d58172117ecf5ae49f018a000b0b71d781e7b883dcc6c03903321927a500d9cdc4602cd092b9a4a86ac99857e171422d238e3f3202c56a0f5bbe7b46263faf4c70f99a251e07b9b915cb8a7d5eed8836050176a430c53b8ce0f6be396ba7604cf073362ad829ccf6d4ad7b12e23bd4b6a492e039033000102008006c47e66c0fb2f82a6e2e534fca5f85c3b48c0f4fab817722a253128e7bf8e7b57ffbf4a510e0c622e
EAP-Message = 0x8afb26e9fe80edb5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfca334ad1dbf26d3ddaf88693
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=4, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0xc93753dfca334ad1dbf26d3ddaf88693
Message-Authenticator = 0xd39c3c8109213e51672010199a0870ac
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.1.2.3 port 53932
EAP-Message = 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
EAP-Message = 0x3364d4cf0903e62ae1f34421cf0681798655d2db77706eb086246040dd2ad28971747a80db9f92cc008ef36f5965585d14c590024a612ffd357d6852f94365a1d99019cfd6802be247a9bb188372b55987be699f1d290784e09816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfcd324ad1dbf26d3ddaf88693
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=5, length=338
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500d01980000000c616030100861000008200800981f81ae3cd35f3a3971747e253480d8ccfd725b293088467b2c223c8bf8efe60d1937a436e1437c93484d52c54bba8c4e708f90b159034005359ab2af17da5e934a0375b87408c9179b904ae61db47c9a134f4b0ce467c522c484d43eabb2e92d5444d941950caab012f29afd86cf4662da8be658c56ecb48db7912a88303c1403010001011603010030c257ac05008e9b2b659c79c4c17c6a0d4a0ad6aaac10af0662e5d8ba7bb225dd470ddaa06db836b439466ab80539b599
State = 0xc93753dfcd324ad1dbf26d3ddaf88693
Message-Authenticator = 0x3bb0fea544806206b3685b7cb195aa64
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.1.2.3 port 53932
EAP-Message = 0x01060041190014030100010116030100306fa84b71fad492af87f8a5e11025acca4d1b0d95e2c44cdd36dd7f40d4e101a2aa061d8bc3b6282e49e95d295b2f2d53
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfcc314ad1dbf26d3ddaf88693
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=6, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600061900
State = 0xc93753dfcc314ad1dbf26d3ddaf88693
Message-Authenticator = 0xdc2f3864a660fa4113a3192cf7f105d8
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.1.2.3 port 53932
EAP-Message = 0x0107002b190017030100209d5d7425f026a1f645310b814af57e7e0900f663b20b163033316466c3adc4a3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfcf304ad1dbf26d3ddaf88693
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=7, length=226
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02070060190017030100207f737a9d48c1143a532fc83d0f5338fa6e8c1156490566a273890465a1f8b49a17030100307a3ecfc7e51e42647369ec31959395e0256306e8a66e9b9bbd3a151fb2cbf0b054f88118d7bde8c143d84e371173f25f
State = 0xc93753dfcf304ad1dbf26d3ddaf88693
Message-Authenticator = 0x0279ebc7ebc97234254458b36cf86753
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser1
[peap] Got inner identity 'testuser1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000c0139353732393037
server {
PEAP: Setting User-Name to testuser1
Sending tunneled request
EAP-Message = 0x0207000c0139353732393037
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
++[control] returns notfound
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm legacy until the tunneled EAP session has been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800211a0108001c109daef7bb0892bcb96f4dfeccdf4a10be39353732393037
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x688571cd688d6b54446bcd4ca98084f6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 10.1.2.3 port 53932
EAP-Message = 0x0108004b19001703010040ff16c45a2ce5393c0acb3826003af0124949f4a66127990679643164dfb9e6409dbfe408c25e347a101477f5891e9b3328dedbaeb5c92cc6262bcdadd59076b0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfce3f4ad1dbf26d3ddaf88693
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=8, length=258
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020800801900170301002062cf7f5b217fd63ad2fe213494f63a6ad86b7e445418beb080f7952df21a71d81703010050ef2bea5015abb6d99b198701b94c7c436100fe12e499ecd550270ffb544aacbf1a664e20bd55fe3d185747de90246b248d4da9efb6d30fd075720bf9c392a961b5d0118cd0e74677a185ec8d1af99bf2
State = 0xc93753dfce3f4ad1dbf26d3ddaf88693
Message-Authenticator = 0x4aaf30054d7a126cfc58a1fe4f8b78d2
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 8 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800421a0208003d31828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea5710039353732393037
server {
PEAP: Setting User-Name to testuser1
Sending tunneled request
EAP-Message = 0x020800421a0208003d31828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea5710039353732393037
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
State = 0x688571cd688d6b54446bcd4ca98084f6
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
++[control] returns notfound
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to legacy
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 243 to 192.168.1.5 port 1645
User-Name = "testuser1"
MS-CHAP-Challenge = 0x9daef7bb0892bcb96f4dfeccdf4a10be
MS-CHAP2-Response = 0x0835828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea571
Proxy-State = 0x38
Proxying request 8 to home server 192.168.1.5 port 1645
Sending Access-Request of id 243 to 192.168.1.5 port 1645
User-Name = "testuser1"
MS-CHAP-Challenge = 0x9daef7bb0892bcb96f4dfeccdf4a10be
MS-CHAP2-Response = 0x0835828a2d7a21903addce73462073635e330000000000000000a7790a0fabf812d9ff5952be61bb960e426380e5cbaea571
Proxy-State = 0x38
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.1.5 port 1645, id=243, length=122
MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x38
Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037
# Executing section post-proxy from file /etc/freeradius/radiusd.conf
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file /etc/freeradius/radiusd.conf
+- entering group post-proxy {...}
++[eap] returns noop
WARNING: Empty post-auth section. Using default return values.
} # server inner-tunnel
[eap] Final reply from tunneled session code 2
MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x38
Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037
[eap] Got reply 2
[eap] Got tunneled reply RADIUS code 2
MS-CHAP2-Success = 0x08533d38413537333944413130374135454330333631464545323132444239413845354142324133384331
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x38
Class = 0x434953434f4143533a30313432386463662f38353961333537622f39353732393037
[eap] Tunneled authentication was successful.
[eap] SUCCESS
[eap] Reply was handled
++[eap] returns ok
Found Auth-Type = EAP
Found Auth-Type = Accept
Warning: Found 2 auth-types on request for user 'anonymous'
Auth-Type = Accept, accepting the user
WARNING: Empty post-auth section. Using default return values.
Sending Access-Challenge of id 8 to 10.1.2.3 port 53932
EAP-Message = 0x0109003b19001703010030640e81acec93c51e59bba8ce414fb9bd6a1460257e048338092073395b6a7212c29694ceab37a8f51493b9d9dda31900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc93753dfc13e4ad1dbf26d3ddaf88693
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.2.3 port 53932, id=9, length=226
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0209006019001703010020b3bd77af125e8598b4d0fa4500fe192b9e3549d4bf505ecda2c577b4442b441f1703010030fac4e8e250747ad2eacfce0a984d1ac4f01a995522125078e1a5e26d9c623d0ac843b8849872911fc94a64f72c2b2355
State = 0xc93753dfc13e4ad1dbf26d3ddaf88693
Message-Authenticator = 0x44bc1230fec13f85ae315e404f550d88
# Executing section authorize from file /etc/freeradius/radiusd.conf
+- entering group authorize {...}
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/radiusd.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Client rejected our response. The password is probably incorrect.
[peap] We sent a success, but received something weird in return.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 10.1.2.3 port 53932
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 0 with timestamp +17
Cleaning up request 1 ID 1 with timestamp +17
Cleaning up request 2 ID 2 with timestamp +17
Cleaning up request 3 ID 3 with timestamp +17
Cleaning up request 4 ID 4 with timestamp +17
Cleaning up request 5 ID 5 with timestamp +17
Cleaning up request 6 ID 6 with timestamp +17
Cleaning up request 7 ID 7 with timestamp +17
Cleaning up request 8 ID 8 with timestamp +17
Waking up in 1.0 seconds.
Cleaning up request 9 ID 9 with timestamp +17
Ready to process requests.