Problem with iPods/iTouches

Rob Yamry ryamry at kimberly.k12.wi.us
Wed Jan 12 21:10:21 CET 2011


We have a strange problem going on with the Apple iTouches in the district
here.  This started since they were upgraded to iOS v.4.x....so it seems.
What is happening is that the user will put in their credentials and get
prompted to accept the certificate as it says it's untrusted.  The user
clicks accept, all looks good and then it says it failed to connect.  So
they hit dismiss on that message, click join again, accept the certificate
again and then they are accepted onto the network.  But, sometimes they have
to hit Dismiss/Join up to 15-20 times until it will accept it.

Right now I am working with a default install FreeRadius v2.1.8 for testing
this, including default certificates.  I was planning on slowly adding in my
config to narrow it down, but the problem appears to be happening by
default.  I *thought* that setting the default_eap_type to peap was causing
it, but I had it happen when it was set to md5 as well.  I'm working on an
iPod Touch with iOS v4.2.  Below is the debug output of a failed attempt,
and the follow up attempt that put the user through.

***********************  FAILED ATTEMPT ***************************

Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
length=277
        User-Name = "ktest5"
        NAS-IP-Address = 127.0.4.1
        NAS-Port = 259
        Framed-MTU = 1400
        Called-Station-Id = "00:1f:45:7f:83:fa"
        Calling-Station-Id = "58:b0:35:28:19:ad"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "KASD_TEST"
        Service-Type = Framed-User
        Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x0200000b016b7465737435
>         Message-Authenticator = 0x32cf9f891633152f0f139a53cb61f9ee
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 0 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message = 0x010100061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc4b1fdf8c4b0e4f9163ffe27c4915746
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=420
> Cleaning up request 0 ID 66 with timestamp +30
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message =
> 0x0201008819800000007e16030100790100007503014d2e0343e5f920d1f519dbfeac002febc3736014d9bee7e0c55fd8085b99b7af00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
>         State = 0xc4b1fdf8c4b0e4f9163ffe27c4915746
>         Message-Authenticator = 0xf4e7c59223ecd3e5741cc6cc48762e1f
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 136
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 126
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
> [peap]     TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap]     TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 085e], Certificate
> [peap]     TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap]     TLS_accept: SSLv3 write server done A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message = 0xa73082038fa0030201020209
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc4b1fdf8c5b3e4f9163ffe27c4915746
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 66 with timestamp +30
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=290
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x020200061900
>         State = 0xc4b1fdf8c5b3e4f9163ffe27c4915746
>         Message-Authenticator = 0xa5c69d05dee0560c68b7d67d25b2e0b1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 2 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message = 0x2dc327be959645c8
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc4b1fdf8c6b2e4f9163ffe27c4915746
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=290
> Cleaning up request 2 ID 66 with timestamp +39
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x020300061900
>         State = 0xc4b1fdf8c6b2e4f9163ffe27c4915746
>         Message-Authenticator = 0x834956d460493056f00e0117298d68d7
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 3 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
> 0x010400b51900387bb57f237040a0b009495fcb1c4460694c6214f871d93a5afddfcc7aa7727e9ce657d22551e936e9415eea3a0ce78a7ea4b121f711fc19e2b505b4fa004bcc2952effdc18d0cd1ec6fe10bf431e8a189a5cbefcaebd9beab4e75c2309b55de25a9e392112915ad1c7b866a902f091b366eb96e7aa6ab544889069e70fda7ad8a9ec9eb729a6db3aeeb3ca9965daf0d515783a89a0947b6004eaad452777ae3413772aa2f5f16030100040e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc4b1fdf8c7b5e4f9163ffe27c4915746
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=622
> Cleaning up request 3 ID 66 with timestamp +39
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message =
>         EAP-Message =
> 0x4fdfa622a41c66fd40edceb1c3cc99f33a0591a75a1c419d681403010001011603010030183a1d1ce2e805a60d16d91940d4b659bc1ecda540c675ea25f530b5c3ebe4114d5553609074df1351384da76ab4f78a
>         State = 0xc4b1fdf8c7b5e4f9163ffe27c4915746
>         Message-Authenticator = 0xef9d2df3d5a31b39f3ddf68d687d6b5c
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 4 length 252
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 326
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
> [peap]     TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap]     TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: SSLv3 write finished A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
> 0x0105004119001403010001011603010030c5ca03d2a20ef23d2e6375c8153c3e6c1afa2151b0232004998802bece4070cb14b8a1bffac3874c849f89a1f8450de2
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc4b1fdf8c0b4e4f9163ffe27c4915746
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=277
> Cleaning up request 4 ID 66 with timestamp +39
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x0206000b016b7465737435
>         Message-Authenticator = 0x7667edddd0b6ae7ddec276f6fc0d09fd
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message = 0x010700061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x8791eff18796f6b55a0a76adc31036d5
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=420
> Cleaning up request 5 ID 66 with timestamp +42
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message =
> 0x0207008819800000007e16030100790100007503014d2e034fe43eb22c54e9c30587e009b69a0a7712664fc62b7754d5321207a9e700003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
>         State = 0x8791eff18796f6b55a0a76adc31036d5
>         Message-Authenticator = 0xdd954eaa01deac01b7a9d0973e934401
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 136
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 126
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
> [peap]     TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap]     TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 085e], Certificate
> [peap]     TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap]     TLS_accept: SSLv3 write server done A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
> 0x0108040019c00000089b160301002a0200002603014d2e033cabdd48cf6a4f062f86f5947a33952f7547e4871741c1b81a7c7ae51e00002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message = 0xa73082038fa0030201020209
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x8791eff18699f6b55a0a76adc31036d5
> Finished request 6.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=290
> Cleaning up request 6 ID 66 with timestamp +42
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x020800061900
>         State = 0x8791eff18699f6b55a0a76adc31036d5
>         Message-Authenticator = 0x806cd522495a9dea0f1b63c2c7612616
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message =
>         EAP-Message = 0x2dc327be959645c8
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x8791eff18598f6b55a0a76adc31036d5
> Finished request 7.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=290
> Cleaning up request 7 ID 66 with timestamp +43
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x020900061900
>         State = 0x8791eff18598f6b55a0a76adc31036d5
>         Message-Authenticator = 0xf2ec741c480f9339eaa13537cadc59e4
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 9 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
> 0x010a00b51900387bb57f237040a0b009495fcb1c4460694c6214f871d93a5afddfcc7aa7727e9ce657d22551e936e9415eea3a0ce78a7ea4b121f711fc19e2b505b4fa004bcc2952effdc18d0cd1ec6fe10bf431e8a189a5cbefcaebd9beab4e75c2309b55de25a9e392112915ad1c7b866a902f091b366eb96e7aa6ab544889069e70fda7ad8a9ec9eb729a6db3aeeb3ca9965daf0d515783a89a0947b6004eaad452777ae3413772aa2f5f16030100040e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x8791eff1849bf6b55a0a76adc31036d5
> Finished request 8.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 8 ID 66 with timestamp +43
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=277
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message = 0x0201000b016b7465737435
>         Message-Authenticator = 0xacd1f25254d19ef7ef878a3a79e240be
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x119bd5731199cc528cc4c05b9703cffa
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66,
> length=420
> Cleaning up request 9 ID 66 with timestamp +48
>         User-Name = "ktest5"
>         NAS-IP-Address = 127.0.4.1
>         NAS-Port = 259
>         Framed-MTU = 1400
>         Called-Station-Id = "00:1f:45:7f:83:fa"
>         Calling-Station-Id = "58:b0:35:28:19:ad"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "KASD_TEST"
>         Service-Type = Framed-User
>         Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
>         Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
>         Vendor-4329-Attr-4 = 0x4b4153445f54455354
>         Vendor-4329-Attr-5 = 0x4b4153445f54455354
>         Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
>         Vendor-4329-Attr-7 = 0x53747564656e7473
>         Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
>         EAP-Message =
> 0x0202008819800000007e16030100790100007503014d2e0355d881daaa7bc48ab53b8cbf1877d5045d28d27e8bc56439c8160f2d2e00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
>         State = 0x119bd5731199cc528cc4c05b9703cffa
>         Message-Authenticator = 0x502685c6634bcf13076884276d720178
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ktest5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 2 length 136
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 126
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
> [peap]     TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap]     TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 085e], Certificate
> [peap]     TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap]     TLS_accept: SSLv3 write server done A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
>         EAP-Message =
>         EAP-Message =
> 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5
>         EAP-Message =
>         EAP-Message =
>         EAP-Message = 0xa73082038fa0030201020209
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x119bd5731098cc528cc4c05b9703cffa
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 10 ID 66 with timestamp +48
> Ready to process requests.
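
Added example, not part of the original post: a small decoder for the EAP-Message values in debug output like the above, which also flags the points where the supplicant sends a fresh EAP Identity response while a PEAP/TLS exchange is still open (in this log, the requests received after "Finished request 4" and "Finished request 8"). The function names and the SAMPLE list are constructed for illustration; the hex values are copied from the log, with the ClientHello message truncated to its header bytes.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
TLS_BASED = {"EAP-TLS", "PEAP"}
# EAP-TLS style flags byte: L = TLS length included, M = more fragments, S = start.
FLAG_BITS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))


@dataclass
class EapPacket:
    code: str
    ident: int
    length: int
    eap_type: Optional[str] = None
    flags: List[str] = field(default_factory=list)
    tls_length: Optional[int] = None
    identity: Optional[str] = None
    is_ack: bool = False


def decode_eap(hex_value: str) -> EapPacket:
    """Decode the header of one EAP-Message value as printed by radiusd -X.

    A long EAP packet is split over several EAP-Message attributes; only the
    first one carries the header, so that is the value to pass in.
    """
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("an EAP packet has at least a 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = EapPacket(EAP_CODES.get(code, str(code)), ident, length)
    if code not in (1, 2) or len(raw) < 5:
        return pkt  # Success/Failure carry no type field
    pkt.eap_type = EAP_TYPES.get(raw[4], str(raw[4]))
    data = raw[5:length]
    if pkt.eap_type == "Identity":
        pkt.identity = data.decode("utf-8", "replace")
    elif pkt.eap_type in TLS_BASED and data:
        pkt.flags = [name for bit, name in FLAG_BITS if data[0] & bit]
        if "L" in pkt.flags and len(data) >= 5:
            pkt.tls_length = struct.unpack("!I", data[1:5])[0]
        # A response holding only an empty flags byte acknowledges a fragment.
        pkt.is_ack = code == 2 and len(data) == 1 and not pkt.flags
    return pkt


def find_restarts(messages: List[str]) -> List[Tuple[int, int]]:
    """Return (list index, EAP id) for each Identity response that arrives
    while a TLS-based exchange started by the server is still open."""
    restarts = []
    tunnel_open = False
    for index, value in enumerate(messages):
        pkt = decode_eap(value)
        if pkt.code in ("Success", "Failure"):
            tunnel_open = False
        elif pkt.code == "Request" and pkt.eap_type in TLS_BASED:
            tunnel_open = True
        elif pkt.code == "Response" and pkt.eap_type == "Identity":
            if tunnel_open:
                restarts.append((index, pkt.ident))
            tunnel_open = False
    return restarts


# Constructed sequence for one Calling-Station-Id, in log order. Values are
# the short EAP-Message attributes from the debug output above.
SAMPLE = [
    "0x0200000b016b7465737435",  # Response, Identity "ktest5"
    "0x010100061920",            # Request, PEAP start
    "0x020200061900",            # Response, PEAP fragment ACK
    "0x020300061900",
    "0x0206000b016b7465737435",  # Identity again after the TLS handshake
    "0x010700061920",
    "0x020800061900",
    "0x020900061900",
    "0x0201000b016b7465737435",  # Identity again
    "0x010200061920",
]
# Header bytes only of the ClientHello response (truncated, constructed).
CLIENT_HELLO_HEADER = "0x0201008819800000007e"

if __name__ == "__main__":
    for value in SAMPLE:
        print(decode_eap(value))
    print("restarts:", find_restarts(SAMPLE))
```
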