Problem with iPods/iTouches
Gary Gatten
Ggatten at waddell.com
Wed Jan 12 22:27:50 CET 2011
What if the cert is trusted - does everything work OK? I'm assuming in your production config the devices will trust the cert, so why spend time troubleshooting a problem that may not exist in production mode?
________________________________
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Rob Yamry
Sent: Wednesday, January 12, 2011 2:10 PM
To: FreeRadius users mailing list
Subject: Problem with iPods/iTouches
We have a stangle problem going on with the Apple iTouches in the district here. This started since they were upgraded to iOS v.4.x....so it seems. What is happening is that the user will put in their credentials and get prompted to accept the certificate as it says its untrusted. The user clicks accept, all looks good and then it says it failed to connected. So they hit dismiss on that message, click join again, accept the certificate again and then they are accepted onto the network. But, sometimes they have to hit Dismiss/Join up to 15-20 times until it will accept it.
Right now I am working with a default install FreeRadius v2.1.8 for testing this, including default certificates. I was planning on slowly adding in my config to narrow it down, but the problem appears to be happening by default. I *thought* that setting the default_eap_type to peap was causing it, but I had it happen when it was set to md5 as well. Im working on a iPod Touch with iOS v4.2. Below is the debug output of a failed attempt, and the follow up attempt that put the user through.
*********************** FAILED ATTEMPT ***************************
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=277
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x3035303030313031343330353233
3035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x0200000b016b7465737435
Message-Authenticator = 0x32cf9f891633152f0f139a53cb61f9ee
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc4b1fdf8c4b0e4f9163ffe27c4915746
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=420
Cleaning up request 0 ID 66 with timestamp +30
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x0201008819800000007e16030100790100007503014d2e0343e5f920d1f519dbfeac002febc3736014d9bee7e0c55fd8085b99b7af00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
State = 0xc4b1fdf8c4b0e4f9163ffe27c4915746
Message-Authenticator = 0xf4e7c59223ecd3e5741cc6cc48762e1f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 136
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x0102040019c00000089b160301002a0200002603014d2e0330bf07fe39f7236a619358e64fa3db011bcbda7c9b9584846f6e32102000002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5
EAP-Message = 0x8b623cc4e0c8beccafbc499fc74e8d17e3c9fbd9aafbac061bfa1309372c83e95c8dd5da071d7d97fdd7660ab45c93db04d72184885f895897d840ac4934c11f51c81c4d2e83dccf646b499739781cdff243a48f064e209bef2d2bcde936c6104b63ee467f448d005c127b83bfa708aeed69f1467d3b280a4f1b151d153ce7216ea94c2e33fe400de92d84b823c5b32828959b9ea5b8afbc063ba5db0cabb0b602fdf90e60c354b8e788facfc654ff2310ea763297ea1aef098b4ddb5466abb528910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100904c9828165a2de337
EAP-Message = 0x50191a87ef600b1584376573598f31e772c944faf6e61c383d477c201b0aa6cf8bcb49d8b416f2de1e84774a9423608aad94af078dad2b6b30979d1c6b58cd8eefa9cf827d27f7755f8030dbc7c9e230187f212a5d4400928da0cc2845a7b5048a3b7425818fb437ac9c33746b39aaf4aa49af51340496250c837496f449307860f6cae9bd224c557af44806b46ac837b12a149124e35da9bde2538d9f39c2c33fe33dc7df0d45c5bec5bda68294a994af2db4f7298cf47e680cbca4789791aa3048a17761e4c71ebbd9b82bd324af0dbe8ce26ae88ee8a5d16dbd6685dce7ecb7af820abf975c67bfd34797fbefa47a4eed95cca895860004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc4b1fdf8c5b3e4f9163ffe27c4915746
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 66 with timestamp +30
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x020200061900
State = 0xc4b1fdf8c5b3e4f9163ffe27c4915746
Message-Authenticator = 0xa5c69d05dee0560c68b7d67d25b2e0b1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010303fc194000ae0fc87b0b841be2300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303131323138353335315a170d3132303131323138353335315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d73060bc3e4f3bacd8c526ff5efa081cbfd333963c0a90272e83d654b8d1a16a25c9e1358b347d3f91d49ed29d387fd6de5ba5fe18c43b48065e8f1bb9dcb22d1a8679925af0bdc049d32199ba543f1d40a7c6b3578892efcaea646bdde6442593b17cb4713fb4d6f0616a5db38d9b
EAP-Message = 0xfd1d6e9dd30b6e536ba717a75adaa7c87fd019e83bea06f5eacb6a09fa9954b60ccc92116455610a2674a03a4ecacee05ce914a72a27965d55471df19c8751fdb69fe66426bb236f7d57cfffe41822e7d8ddfc6c1c8f5b45e6010c896918c4f111626979b280ddf2219099024cb0efb17c9660df9fc642edc9874074cb83e93349b19a2c16409b7444545ee27b2a52bb9d0203010001a381fb3081f8301d0603551d0e04160414872c00a6ed850850f4e202b4d86a1d663b35fd8e3081c80603551d230481c03081bd8014872c00a6ed850850f4e202b4d86a1d663b35fd8ea18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ae0fc87b0b841be2300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a5c0c601e1cb4606aa986dc240b7488bb4afd8c0e81ba0361530d556ad117222cdcc5a57a13fe3eb073ca72dff40db0a58c8d835ec110485bd158ab6cd1d8583cd575710b49070b3794384d2cff45f22b81e
EAP-Message = 0x2dc327be959645c8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc4b1fdf8c6b2e4f9163ffe27c4915746
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290
Cleaning up request 2 ID 66 with timestamp +39
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x020300061900
State = 0xc4b1fdf8c6b2e4f9163ffe27c4915746
Message-Authenticator = 0x834956d460493056f00e0117298d68d7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010400b51900387bb57f237040a0b009495fcb1c4460694c6214f871d93a5afddfcc7aa7727e9ce657d22551e936e9415eea3a0ce78a7ea4b121f711fc19e2b505b4fa004bcc2952effdc18d0cd1ec6fe10bf431e8a189a5cbefcaebd9beab4e75c2309b55de25a9e392112915ad1c7b866a902f091b366eb96e7aa6ab544889069e70fda7ad8a9ec9eb729a6db3aeeb3ca9965daf0d515783a89a0947b6004eaad452777ae3413772aa2f5f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc4b1fdf8c7b5e4f9163ffe27c4915746
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=622
Cleaning up request 3 ID 66 with timestamp +39
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x020401501980000001461603010106100001020100373aae08036c5c081766d84efb8b257d7a9840bd2d91f9fbb1bad0c23993b1becc777b0890f6c8eb6b9ad515a2a5436dd50ea6feaeb8d0e9d3b7142af44ef0a0d52004a50e4b3022e3c2752cbc9caff85cbbd8281543a4a2c1b8a9a9141dd4430cafb7375f8d1a299c321a10edf205010f828f80cb188855d7888ef33d2c14d9bbc52bb23e99e2570ec2be2e6896f918c61926fbfc21009af339abbf671c483c897e7f5a9614f7ffd003d126edeebb752e3af6f8dc63a10a314fb5d105124ce25332a68c7b6aee6bebcf5eb9aa3a3853cdb0ecef655a78107a86ce327d51d84fb858490131e5c8
EAP-Message = 0x4fdfa622a41c66fd40edceb1c3cc99f33a0591a75a1c419d681403010001011603010030183a1d1ce2e805a60d16d91940d4b659bc1ecda540c675ea25f530b5c3ebe4114d5553609074df1351384da76ab4f78a
State = 0xc4b1fdf8c7b5e4f9163ffe27c4915746
Message-Authenticator = 0xef9d2df3d5a31b39f3ddf68d687d6b5c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 252
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x0105004119001403010001011603010030c5ca03d2a20ef23d2e6375c8153c3e6c1afa2151b0232004998802bece4070cb14b8a1bffac3874c849f89a1f8450de2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc4b1fdf8c0b4e4f9163ffe27c4915746
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=277
Cleaning up request 4 ID 66 with timestamp +39
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x0206000b016b7465737435
Message-Authenticator = 0x7667edddd0b6ae7ddec276f6fc0d09fd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010700061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8791eff18796f6b55a0a76adc31036d5
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=420
Cleaning up request 5 ID 66 with timestamp +42
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x0207008819800000007e16030100790100007503014d2e034fe43eb22c54e9c30587e009b69a0a7712664fc62b7754d5321207a9e700003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
State = 0x8791eff18796f6b55a0a76adc31036d5
Message-Authenticator = 0xdd954eaa01deac01b7a9d0973e934401
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 136
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x0108040019c00000089b160301002a0200002603014d2e033cabdd48cf6a4f062f86f5947a33952f7547e4871741c1b81a7c7ae51e00002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5
EAP-Message = 0x8b623cc4e0c8beccafbc499fc74e8d17e3c9fbd9aafbac061bfa1309372c83e95c8dd5da071d7d97fdd7660ab45c93db04d72184885f895897d840ac4934c11f51c81c4d2e83dccf646b499739781cdff243a48f064e209bef2d2bcde936c6104b63ee467f448d005c127b83bfa708aeed69f1467d3b280a4f1b151d153ce7216ea94c2e33fe400de92d84b823c5b32828959b9ea5b8afbc063ba5db0cabb0b602fdf90e60c354b8e788facfc654ff2310ea763297ea1aef098b4ddb5466abb528910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100904c9828165a2de337
EAP-Message = 0x50191a87ef600b1584376573598f31e772c944faf6e61c383d477c201b0aa6cf8bcb49d8b416f2de1e84774a9423608aad94af078dad2b6b30979d1c6b58cd8eefa9cf827d27f7755f8030dbc7c9e230187f212a5d4400928da0cc2845a7b5048a3b7425818fb437ac9c33746b39aaf4aa49af51340496250c837496f449307860f6cae9bd224c557af44806b46ac837b12a149124e35da9bde2538d9f39c2c33fe33dc7df0d45c5bec5bda68294a994af2db4f7298cf47e680cbca4789791aa3048a17761e4c71ebbd9b82bd324af0dbe8ce26ae88ee8a5d16dbd6685dce7ecb7af820abf975c67bfd34797fbefa47a4eed95cca895860004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8791eff18699f6b55a0a76adc31036d5
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290
Cleaning up request 6 ID 66 with timestamp +42
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x020800061900
State = 0x8791eff18699f6b55a0a76adc31036d5
Message-Authenticator = 0x806cd522495a9dea0f1b63c2c7612616
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010903fc194000ae0fc87b0b841be2300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303131323138353335315a170d3132303131323138353335315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d73060bc3e4f3bacd8c526ff5efa081cbfd333963c0a90272e83d654b8d1a16a25c9e1358b347d3f91d49ed29d387fd6de5ba5fe18c43b48065e8f1bb9dcb22d1a8679925af0bdc049d32199ba543f1d40a7c6b3578892efcaea646bdde6442593b17cb4713fb4d6f0616a5db38d9b
EAP-Message = 0xfd1d6e9dd30b6e536ba717a75adaa7c87fd019e83bea06f5eacb6a09fa9954b60ccc92116455610a2674a03a4ecacee05ce914a72a27965d55471df19c8751fdb69fe66426bb236f7d57cfffe41822e7d8ddfc6c1c8f5b45e6010c896918c4f111626979b280ddf2219099024cb0efb17c9660df9fc642edc9874074cb83e93349b19a2c16409b7444545ee27b2a52bb9d0203010001a381fb3081f8301d0603551d0e04160414872c00a6ed850850f4e202b4d86a1d663b35fd8e3081c80603551d230481c03081bd8014872c00a6ed850850f4e202b4d86a1d663b35fd8ea18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ae0fc87b0b841be2300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a5c0c601e1cb4606aa986dc240b7488bb4afd8c0e81ba0361530d556ad117222cdcc5a57a13fe3eb073ca72dff40db0a58c8d835ec110485bd158ab6cd1d8583cd575710b49070b3794384d2cff45f22b81e
EAP-Message = 0x2dc327be959645c8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8791eff18598f6b55a0a76adc31036d5
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290
Cleaning up request 7 ID 66 with timestamp +43
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x020900061900
State = 0x8791eff18598f6b55a0a76adc31036d5
Message-Authenticator = 0xf2ec741c480f9339eaa13537cadc59e4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010a00b51900387bb57f237040a0b009495fcb1c4460694c6214f871d93a5afddfcc7aa7727e9ce657d22551e936e9415eea3a0ce78a7ea4b121f711fc19e2b505b4fa004bcc2952effdc18d0cd1ec6fe10bf431e8a189a5cbefcaebd9beab4e75c2309b55de25a9e392112915ad1c7b866a902f091b366eb96e7aa6ab544889069e70fda7ad8a9ec9eb729a6db3aeeb3ca9965daf0d515783a89a0947b6004eaad452777ae3413772aa2f5f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8791eff1849bf6b55a0a76adc31036d5
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 8 ID 66 with timestamp +43
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=277
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x0201000b016b7465737435
Message-Authenticator = 0xacd1f25254d19ef7ef878a3a79e240be
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x119bd5731199cc528cc4c05b9703cffa
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=420
Cleaning up request 9 ID 66 with timestamp +48
User-Name = "ktest5"
NAS-IP-Address = 127.0.4.1
NAS-Port = 259
Framed-MTU = 1400
Called-Station-Id = "00:1f:45:7f:83:fa"
Calling-Station-Id = "58:b0:35:28:19:ad"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "KASD_TEST"
Service-Type = Framed-User
Vendor-4329-Attr-3 = 0x30353030303130313433303532333035
Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039
Vendor-4329-Attr-4 = 0x4b4153445f54455354
Vendor-4329-Attr-5 = 0x4b4153445f54455354
Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661
Vendor-4329-Attr-7 = 0x53747564656e7473
Vendor-4329-Attr-8 = 0x4b41534453747564656e7473
EAP-Message = 0x0202008819800000007e16030100790100007503014d2e0355d881daaa7bc48ab53b8cbf1877d5045d28d27e8bc56439c8160f2d2e00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100
State = 0x119bd5731199cc528cc4c05b9703cffa
Message-Authenticator = 0x502685c6634bcf13076884276d720178
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ktest5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 136
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 66 to 10.1.1.1 port 38428
EAP-Message = 0x0103040019c00000089b160301002a0200002603014d2e0342163fcd54d6877c34fe6b48bf4ada483c9daaeb893988fd2bdc1ee46300002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5
EAP-Message = 0x8b623cc4e0c8beccafbc499fc74e8d17e3c9fbd9aafbac061bfa1309372c83e95c8dd5da071d7d97fdd7660ab45c93db04d72184885f895897d840ac4934c11f51c81c4d2e83dccf646b499739781cdff243a48f064e209bef2d2bcde936c6104b63ee467f448d005c127b83bfa708aeed69f1467d3b280a4f1b151d153ce7216ea94c2e33fe400de92d84b823c5b32828959b9ea5b8afbc063ba5db0cabb0b602fdf90e60c354b8e788facfc654ff2310ea763297ea1aef098b4ddb5466abb528910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100904c9828165a2de337
EAP-Message = 0x50191a87ef600b1584376573598f31e772c944faf6e61c383d477c201b0aa6cf8bcb49d8b416f2de1e84774a9423608aad94af078dad2b6b30979d1c6b58cd8eefa9cf827d27f7755f8030dbc7c9e230187f212a5d4400928da0cc2845a7b5048a3b7425818fb437ac9c33746b39aaf4aa49af51340496250c837496f449307860f6cae9bd224c557af44806b46ac837b12a149124e35da9bde2538d9f39c2c33fe33dc7df0d45c5bec5bda68294a994af2db4f7298cf47e680cbca4789791aa3048a17761e4c71ebbd9b82bd324af0dbe8ce26ae88ee8a5d16dbd6685dce7ecb7af820abf975c67bfd34797fbefa47a4eed95cca895860004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x119bd5731098cc528cc4c05b9703cffa
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 66 with timestamp +48
Ready to process requests.
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110112/013681f7/attachment.html>
More information about the Freeradius-Users
mailing list