Sending an attribute with the Access-Accept instead of Access-Challenge

Vivek Umasuthan visuthan at gmail.com
Wed Jan 12 17:33:52 CET 2011


Hi All,
I am testing 802.1x support on our platform and I'm having trouble
figuring out how to include some attributes with Access-Accept. I read
the 'users' file man page but could not get the answer.

So my user is as shown below in the users file

qatester        Cleartext-Password := "qatester"
                      Session-Timeout = 20,
                      Termination-Action = 1

Now the authorization works fine but the Session-Timeout attribute is
included in the Access-Challenge message as I understand. I want to
send it with the Access-Accept message. I have copied debug
information below.

############## Debug Info Starts ##################

rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=66, length=106
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0202000d017161746573746572
        Message-Authenticator = 0x29d87ac1ec4ca82352df5fe82cc5849e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 66 to 192.168.0.159 port 4999
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message = 0x0103001604109e9fffb0d5e6393e5ef410df900b8d2f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=67, length=117
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976
        EAP-Message = 0x020300060319
        Message-Authenticator = 0x7a4fba042bc71fbee8de9b56077c2ca8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 67 to 192.168.0.159 port 4999
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb69c921d51b0b4c1f6b1aa976
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=68, length=233
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb69c921d51b0b4c1f6b1aa976
        EAP-Message =
0x0204007a198000000070160301006b0100006703014d2dbcb9a99cbfaf828b78feb5deaaf1ee341152fe91df965d169a89dee7048e000018002f00350005000ac013c014c009c00a003200380013000401000026ff010001000000000d000b0000087161746573746572000a0006000400170018000b00020100
        Message-Authenticator = 0xa246d84f9ddb81f240afcf2e322c88c9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 01c7], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 68 to 192.168.0.159 port 4999
        EAP-Message =
        EAP-Message =
        EAP-Message = 0x28fe6ccf30d72506f8a836ce1ffa16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb6ac821d51b0b4c1f6b1aa976
Finished request 2.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=69, length=319
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb6ac821d51b0b4c1f6b1aa976
        EAP-Message =
0x020500d01980000000c6160301008610000082008034f094933081749819a81c8fc561c2ef8a60263d6acf6360211b5ae43c840a0f74e7392817971a93c55bbf9e76443b1500fc80031616f4991ddd18dc6917b02e0a4e5ddfa781c99d7f46025694de47cf7f3df537b78ea541b395b749fbece93ea68e0ef09d913a59215b1a73e3d2917b3cd65d2e4fafa57084f19a33ad3cc9a6140301000101160301003004981ccf99aada36e602deaff108ab6754718d2795fbdb47cb4aef2a266e9129956f2f6816bdb11c99e69cdeb356f95f
        Message-Authenticator = 0x43bb361280528e5b0bb8ffeaa6066664
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 69 to 192.168.0.159 port 4999
        EAP-Message =
0x01060041190014030100010116030100307f0fc86e3f93a5310b3546c6dc6a9ff101bd3fac208a68e94852b0e862a0185c93e84bd423a01047b3a71b584c95e305
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb6bcb21d51b0b4c1f6b1aa976
Finished request 3.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=70, length=117
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb6bcb21d51b0b4c1f6b1aa976
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x55a47ca2aa8532afc337360c4d4ea55b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 70 to 192.168.0.159 port 4999
        EAP-Message =
0x0107002b190017030100205302a790bac2f45d29df768df9b13962d86effcc264c8bc1cca510c72513b6ec
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb6cca21d51b0b4c1f6b1aa976
Finished request 4.
Going to the next request
Waking up in 3.4 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=71, length=154
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb6cca21d51b0b4c1f6b1aa976
        EAP-Message =
0x0207002b190017030100209decffdfd6c00699e24cd793265f30028937c7c50808936f717fa81d148593ce
        Message-Authenticator = 0x257a80aa49d86acb1f3112cfa102da7e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - qatester
[peap] Got inner identity 'qatester'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0207000d017161746573746572
server  {
  PEAP: Setting User-Name to qatester
Sending tunneled request
        EAP-Message = 0x0207000d017161746573746572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "qatester"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message =
0x010800221a0108001d106ef613ff24d68155ebabf27c814008277161746573746572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x45767b5d457e612613612e72d3be89f8
[peap] Got tunneled reply RADIUS code 11
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message =
0x010800221a0108001d106ef613ff24d68155ebabf27c814008277161746573746572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x45767b5d457e612613612e72d3be89f8
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 71 to 192.168.0.159 port 4999
        EAP-Message =
0x0108004b19001703010040e22d2314e64447e30cfe5df1f66c8391a523f942bc14beec164f6793729ebfb63bcaa3b43194b5c505d3c0f33e7bd905c52a608bac1b1dd45550b8a8a56a308a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb6dc521d51b0b4c1f6b1aa976
Finished request 5.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=72, length=218
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb6dc521d51b0b4c1f6b1aa976
        EAP-Message =
0x0208006b19001703010060c71b73411e3216a7308b5d4572da3a1c384b630541eec6dd6988ca61eb2c379fe85e31dc56ac14c694e32d0ccbefe65ec892a307d2e45e30fd1f8164ac7289717daebc94eca9e36ac18e13febf45ef974774b1f08a7426a56c482d2deed5a966
        Message-Authenticator = 0xb2002fa406169f6f73889c6d9d1cec50
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020800431a0208003e31744787c6cd670c93abf03715268692ca00000000000000000d103f579e41477a49f40c4793ce60099c480ff0a423c097007161746573746572
server  {
  PEAP: Setting User-Name to qatester
Sending tunneled request
        EAP-Message =
0x020800431a0208003e31744787c6cd670c93abf03715268692ca00000000000000000d103f579e41477a49f40c4793ce60099c480ff0a423c097007161746573746572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "qatester"
        State = 0x45767b5d457e612613612e72d3be89f8
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: qatester
[mschap] Told to do MS-CHAPv2 for qatester with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message =
0x010900331a0308002e533d42414242313046414244344530424136373936393141433033334636383132353043414142383734
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x45767b5d447f612613612e72d3be89f8
[peap] Got tunneled reply RADIUS code 11
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message =
0x010900331a0308002e533d42414242313046414244344530424136373936393141433033334636383132353043414142383734
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x45767b5d447f612613612e72d3be89f8
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 72 to 192.168.0.159 port 4999
        EAP-Message =
0x0109005b19001703010050f89f3653bfbac15816fac0abbf255ae7afe338b35de7b934b9ce3c84d4c67f24f4f8768a7433bb41fbcf164c5c4cd2511fdd798fee758f69a1a10b04740f5337155c3cb5a687e5ec73bd8aa936d941bd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb6ec421d51b0b4c1f6b1aa976
Finished request 6.
Going to the next request
Waking up in 2.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=73, length=154
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb6ec421d51b0b4c1f6b1aa976
        EAP-Message =
0x0209002b190017030100202573df7fb9bf03b8ccab9c0809819fe243d5fa88d1bb02e8da133f894de24698
        Message-Authenticator = 0x40a32142c983f273e58599f32177233d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020900061a03
server  {
  PEAP: Setting User-Name to qatester
Sending tunneled request
        EAP-Message = 0x020900061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "qatester"
        State = 0x45767b5d447f612613612e72d3be89f8
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xba82eb99732d9db96c70b08d7bdafddc
        MS-MPPE-Recv-Key = 0xb4088afb08704fb8ca64720c6fcbc77c
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "qatester"
[peap] Got tunneled reply RADIUS code 2
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xba82eb99732d9db96c70b08d7bdafddc
        MS-MPPE-Recv-Key = 0xb4088afb08704fb8ca64720c6fcbc77c
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "qatester"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.0.159 port 4999
        EAP-Message =
0x010a002b190017030100208045b3ae000c06c0abbe9948be6d301bd29b591b723b0edcd2a2d6e9c49c2558
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x68cd38bb6fc721d51b0b4c1f6b1aa976
Finished request 7.
Going to the next request
Waking up in 1.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=74, length=154
        Calling-Station-Id = "00-1A-6B-66-DD-7E"
        NAS-Port = 1
        User-Name = "qatester"
        NAS-IP-Address = 192.168.0.159
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x68cd38bb6fc721d51b0b4c1f6b1aa976
        EAP-Message =
0x020a002b190017030100202a8bde6d671d1e7f8012e74ef38a2dccefc668364f730701c793ced2e0f3736a
        Message-Authenticator = 0x5101b1681c2454098b702a833e4cdc7e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 74 to 192.168.0.159 port 4999
        MS-MPPE-Recv-Key =
0x21bfe2d7387e3b7cbabb239220361ad29d9930221ad77fb58301d592f56b2fce
        MS-MPPE-Send-Key =
0x2a1c63b2a37cb6d46334461bf0bc561c90cf310e7f9d226e9b33b203975b274b
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "qatester"
Finished request 8.
Going to the next request
Waking up in 1.3 seconds.
Cleaning up request 0 ID 66 with timestamp +6
Cleaning up request 1 ID 67 with timestamp +6
Waking up in 0.5 seconds.
Cleaning up request 2 ID 68 with timestamp +7
Waking up in 0.5 seconds.
Cleaning up request 3 ID 69 with timestamp +7
Waking up in 0.4 seconds.
Cleaning up request 4 ID 70 with timestamp +8
Waking up in 0.5 seconds.
Cleaning up request 5 ID 71 with timestamp +8
Waking up in 0.5 seconds.
Cleaning up request 6 ID 72 with timestamp +9
Waking up in 0.5 seconds.
Cleaning up request 7 ID 73 with timestamp +9
Waking up in 0.5 seconds.
Cleaning up request 8 ID 74 with timestamp +10
Ready to process requests.

############# Debug info Ends ################

From what I see above I do not think the Access-Accept message has the
Session timeout attribute. What am I doing wrong?

Thanks,
Vivek Umasuthan
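
Added example, not part of the original post: a small Python parser for FreeRADIUS debug output of the form shown above, which lists every reply that carries a given attribute and flags the case where the inner-tunnel Access-Accept has it but the outer Access-Accept sent to the NAS does not. The sample text is condensed from the log above with hex values shortened; the function names are hypothetical.

```python
import re

# Constructed sample: condensed from the debug output in the post (hex shortened).
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 66 to 192.168.0.159 port 4999
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message = 0x0103
        State = 0x68cd
Finished request 0.
[peap] Got tunneled reply code 2
        Session-Timeout = 20
        Termination-Action = RADIUS-Request
        EAP-Message = 0x03090004
        User-Name = "qatester"
[peap] Tunneled authentication was successful.
Sending Access-Challenge of id 73 to 192.168.0.159 port 4999
        EAP-Message =
0x010a002b1900
        State = 0x68cd
Finished request 7.
Sending Access-Accept of id 74 to 192.168.0.159 port 4999
        MS-MPPE-Recv-Key =
0x21bfe2d7
        EAP-Message = 0x030a0004
        User-Name = "qatester"
Finished request 8.
"""

HEADER_SENT = re.compile(r"^Sending (Access-\w+) of id (\d+) ")
# The log prints each tunneled reply twice ("reply code" and "reply RADIUS code");
# matching only the first form avoids counting it twice.
HEADER_TUNNEL = re.compile(r"^\[peap\] Got tunneled reply code (\d+)")
ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) =\s*(.*)$")
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def parse_replies(text):
    """Return one dict per reply: scope (outer/inner), type, id, attrs."""
    replies, current, pending = [], None, None
    for line in text.splitlines():
        sent, tunnel = HEADER_SENT.match(line), HEADER_TUNNEL.match(line)
        if sent or tunnel:
            if sent:
                current = {"scope": "outer", "type": sent.group(1),
                           "id": int(sent.group(2)), "attrs": {}}
            else:
                code = int(tunnel.group(1))
                current = {"scope": "inner", "id": None, "attrs": {},
                           "type": RADIUS_CODES.get(code, f"code-{code}")}
            replies.append(current)
            pending = None
            continue
        if current is None:
            continue
        attr = ATTR.match(line)
        if attr:
            name, value = attr.group(1), attr.group(2).strip()
            current["attrs"].setdefault(name, []).append(value)
            pending = name if value == "" else None
        elif pending and line.startswith("0x"):
            # Long hex values wrap onto the next line in the mail archive.
            current["attrs"][pending][-1] = line.strip()
            pending = None
        else:
            current, pending = None, None  # any other line ends the block
    return replies


def where_sent(replies, attribute):
    """List (scope, packet type, id) for every reply carrying the attribute."""
    return [(r["scope"], r["type"], r["id"]) for r in replies
            if attribute in r["attrs"]]


def missing_from_final_accept(replies, attribute):
    """True if the inner Access-Accept has the attribute but no outer one does."""
    inner = any(r["scope"] == "inner" and r["type"] == "Access-Accept"
                and attribute in r["attrs"] for r in replies)
    outer = [r for r in replies
             if r["scope"] == "outer" and r["type"] == "Access-Accept"]
    return inner and bool(outer) and all(attribute not in r["attrs"] for r in outer)


if __name__ == "__main__":
    parsed = parse_replies(SAMPLE_DEBUG)
    for scope, ptype, pid in where_sent(parsed, "Session-Timeout"):
        print(f"Session-Timeout in {scope} {ptype} (id={pid})")
    print("missing from outer Access-Accept:",
          missing_from_final_accept(parsed, "Session-Timeout"))
```
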



