"use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
Nitin Bhardwaj
nbhardwaj at merunetworks.com
Wed Jul 6 07:50:53 CEST 2011
> On 07/05/2011 06:03 PM, Nitin Bhardwaj wrote:
>
> Hello All,
>
> I'm using FreeRADIUS 2.1.11 as a proxy for authenticating PEAP
> clients with RADIUS server not supporting EAP.
>
> All is working well except that when I use
> "proxy_tunneled_request_as_eap = no" in eap.conf, FreeRADIUS is not
> passing back all the AVPs sent by RADIUS server in
> Access-Accept(MSCHAPv2) to the Client, only few ones.
>
> Be specific. Which ones?
>
> Better yet, show a debug of it not working.
>
>
> But when I set it as "proxy_tunneled_request_as_eap = yes",
> FreeRADIUS is relaying back all the AVPs received from the RADIUS
> server properly.
>
>
> eap.conf:
> ------------
> eap {
>     peap {
>         copy_request_to_tunnel = yes
>         use_tunneled_reply = yes
>         proxy_tunneled_request_as_eap = no
>         virtual_server = "proxy-inner-tunnel"
>     }
> }
>
> Hence, in spite of setting "use_tunneled_reply = yes", why isn't FR
> copying all attributes in Access-Accept back to client? Is this some
> bug, fixed in 3.x?
>
> 3.x is not released yet.
>
> I don't think there are any fixes related to this in "master" (to
> become 3.x) but there might be; please provide more details as above,
> so we can try to reproduce.
Sorry, I was not clear enough earlier.
This is the same issue as the one mentioned in this query:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-September/msg00509.html
The RADIUS server is sending the following extra AVPs in Access-Accept
to FR:
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
But FR is eating them up while relaying the Access-Accept back to Client.
The Access-Accept from RADIUS server is as follows:
----------------------------------
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, length=252
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
MS-CHAP2-Success = 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
MS-CHAP-Domain = "\tDEV"
----------------------------------
But the relayed Access-Accept to client is:
----------------------------------
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
User-Name = "meru"
MS-MPPE-Recv-Key = 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
MS-MPPE-Send-Key = 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
----------------------------------
My settings are as follows:
eap.conf:
--------------
eap {
    tls {
        # Usual stuff <snip....>
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
    }
    mschapv2 {
    }
}
sites-enabled/proxy-inner-tunnel:
-----------------------------------------------
server proxy-inner-tunnel {
    authorize {
        update control {
            # You should update this to be one of your realms.
            Proxy-To-Realm := "DEVLAB"
        }
    }
    authenticate {
        eap
    }
    post-proxy {
        eap
    }
}
FR relays all packets properly back to Client when I use
"proxy_tunneled_request_as_eap = yes" in eap.conf. But I cannot do it that
way because the RADIUS server doesn't understand EAP at all - I need to
send a plain MSCHAPv2 in the inner request. I thought using
"use_tunneled_reply = yes" should have caused FR to relay all the
AVPs back to the outer tunnel, but it's not working.
The full log is as follows:
------------------------------------------------
[root at nitin-centos ~]# radiusd -X
FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 5
2011 at 19:03:48
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm DEVLAB {
authhost = 172.19.6.4
secret = meru2002
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 172.18.10.13 {
require_message_authenticator = no
secret = "meru2002"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server proxy-inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 44579
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=198, length=152
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x02010009016d657275
Message-Authenticator = 0x960d94c0685c6dd5ba509de67f73d37a
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.18.10.13 port 48852
EAP-Message = 0x0102001604109fe03af8d36fe702cf4550cf1f8c0622
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afde108730ebe85102c777b46
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=199, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020200060319
State = 0xfde30c7afde108730ebe85102c777b46
Message-Authenticator = 0x9f1b4526ff2f96a96aae56daf8c0c317
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 199 to 172.18.10.13 port 48852
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afce015730ebe85102c777b46
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=200, length=243
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x0203005219800000004816030100430100003f03014c32bfcfbdd3039d0bcab75c921dd349c355de3f12bc41174c7fdd579d1e3c9200001800390038003300320016001300660035002f000a000500040100
State = 0xfde30c7afce015730ebe85102c777b46
Message-Authenticator = 0xcb652a53a53fcfdfa58375d9b220dd1f
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 82
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 72
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0043], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 200 to 172.18.10.13 port 48852
EAP-Message =
0x0104040019c000000aad160301002a0200002603014e13f11e0d4506fb9ff964758407af4d4a824f4f4b5ece856b606e06258e0c2800003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x32872a0bbdd7c8b7c1a174e096e7b018f8f0bf7baf0ae841dd934974f5bcfff09a0183ced606e5862cb0c306cedc7d566f0433d59da9b782dbdd5200473b793b5f54672bc83e38ff345224996e3f80bc10162ebd81809ac1eb27c50cfd44d5a25268be450b5c3bc19d2a7213a0210f6a98d0a4b2bc9b8bdb7b13c20d93fe5e502d4a54483cdf5f0cea7dbd00f94247418293b57d04dfb3b950afb1d1a537b72e4e61f88cb4983152cf0e9aa6f6137a870a7dea3061c504af04f0f328cc63e1cff4550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007b97bb0db325b70a48
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7affe715730ebe85102c777b46
Finished request 2.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=201, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020400061900
State = 0xfde30c7affe715730ebe85102c777b46
Message-Authenticator = 0xb44bb5aa230ad5e60d13eddafd1dbe7c
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 201 to 172.18.10.13 port 48852
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a90f1b4e1a7a1f8b41485334f6fcb4be169ba9f5fe114d0b0a1bc70eef1462c110b6e20ce17292c98beb45757e3b9b936eacbd0125080b244f9d776f0f0406abcc2fd33fd75c72fa4fe73532404acc189f8b663bd94ffecb37ad0a83f0a510e92b35ad219ac275d4fae60a8cbe47d8
EAP-Message = 0xe005f788e24cb66e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afee615730ebe85102c777b46
Finished request 3.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=202, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020500061900
State = 0xfde30c7afee615730ebe85102c777b46
Message-Authenticator = 0xe812ebc412f80a25bd7498462aa6e62b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 202 to 172.18.10.13 port 48852
EAP-Message =
0x010602c719008ed1e209185a65d79ce3ef916051889d7bdaeb3525ffc5107d08ca060e538707279d6c7c4d00bd7e2cd644f85b28e438ef74ff013334cc24decd6b574a1df5f73441a4d7b07cf0e5ea79111f624a738780e8bc2564e305a43e8ad9df004a59d0e07b4f5a177c45ca420b747f76ad21feec38781f5164e77d33c6e27a51073ec20c671d919da22056a657f540198bea9e10816a61c4a3f7c8e4f210b734fabf9c012baca0786d160301020d0c0002090080bb53fc5d6c82b9ab4ed79feb313de75ac8e65c23fdb6bd4a6662e6b46bfd437f4f52e12048d2b6e3755cf5e2714aac141168d560132d2b4764c9e36e9ac301c108e84436571a
EAP-Message =
0x3f7656fad6b6db3b6aabdf97a039bc944b257676000e58f16d041545e8fe965412ce2178d6a7ae69499986dfe99ff955bfb985a49e9d05107ad218622a99f5d29a5bfe8d3acfc5f156e04d700d611c1d5cb3e00e6ba986f8bf5b236c8741b5fa3293ddae6e0279c613fdd72d68af1f6ad512d9b858f59dae29a4b945235c89fe55ce40e14b58dc51c80f253c9a3e8ecfdf22fab4d162dbc87ebb06093cd02e3dd6bae646050ab8642ecf14213423f142f8ea4d35243dd51660446270dbdf7fd2ef48280b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af9e515730ebe85102c777b46
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=203, length=369
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x020600d01980000000c616030100861000008200809a0c1bb68594ead0d108df37ab090c5ae82bbe69eee7b73f693f11bc68cd29f637eb8f4faf9a272f513c954cfcea094707e2af32c4e2b55d3a646126d249fd5fb7e1bd4e8288bf086aae28b808135864eb005218ea8d9a54481f4d43c7fb5368814aaac3a63100a32249d7e68f3b9dccf0d922c2d12c9c2b146232e496fe0bc81403010001011603010030840c77df284213f438f3551d62a3d4c9470e0ea6366e1b39d34f137f5c78d2891eb30875669d688fccf0e61e1da243c6
State = 0xfde30c7af9e515730ebe85102c777b46
Message-Authenticator = 0x88bb2bb9ca1a313aee2de681d281f0c3
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 203 to 172.18.10.13 port 48852
EAP-Message =
0x01070041190014030100010116030100303b23c31a29c705c25db0839a53e947b05d465fbd30c13653d3b8352bd088325b17a3151fd321e457c5d469e8ca818560
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af8e415730ebe85102c777b46
Finished request 5.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=204, length=167
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message = 0x020700061900
State = 0xfde30c7af8e415730ebe85102c777b46
Message-Authenticator = 0xb1f44972992610c36bf8c5898b636d38
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 204 to 172.18.10.13 port 48852
EAP-Message =
0x0108002b190017030100206d1d6355f7e57d3754317857539e1a39325b6ecef30c90efef64a20af81c024f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afbeb15730ebe85102c777b46
Finished request 6.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=205, length=204
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x0208002b19001703010020625a119fe356dba5d6f7cf76e4d054c2241fb52f16778532b4f8004d14d1d4a6
State = 0xfde30c7afbeb15730ebe85102c777b46
Message-Authenticator = 0x2c2cd6601cd01b1317d2dc7594348bc0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - meru
[peap] Got inner identity 'meru'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02080009016d657275
server {
[peap] Setting User-Name to meru
Sending tunneled request
EAP-Message = 0x02080009016d657275
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm DEVLAB until the tunneled EAP
session has been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0109001e1a01090019105ba435e766423f0a72c901045f0a25886d657275
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 205 to 172.18.10.13 port 48852
EAP-Message =
0x0109003b1900170301003089452af1f3e64ab01e961a4b2dc9b0c13a90fc86e1da452b46c781c6c3aa4e465324742d29a8a5983bddf45bec669947
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7afaea15730ebe85102c777b46
Finished request 7.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=206, length=252
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x0209005b19001703010050934ee8273bff98e2ce4cd7af01b43419b36b17024edcb9e1f3fb99cb52c22c03c0b565e7a69dbe1424a68753ec8c2f2a596ac4a666a04d1dc85112f833bda916d4fcec71ffe2ee65140c2e8d059be1b0
State = 0xfde30c7afaea15730ebe85102c777b46
Message-Authenticator = 0x891db7ed9a95c5ffd9b0b427cac19ead
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
server {
[peap] Setting User-Name to meru
Sending tunneled request
EAP-Message =
0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "meru"
State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to DEVLAB
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 61 to 172.19.6.4 port 1812
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
MS-CHAP2-Response =
0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
Proxy-State = 0x323036
Proxying request 8 to home server 172.19.6.4 port 1812
Sending Access-Request of id 61 to 172.19.6.4 port 1812
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
MS-CHAP2-Response =
0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61,
length=252
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
MS-CHAP2-Success =
0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
MS-CHAP-Domain = "\tDEV"
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server proxy-inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
0x8c91600 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
} # server proxy-inner-tunnel
[eap] Final reply from tunneled session code 11
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-CHAP-Domain = "\tDEV"
EAP-Message =
0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Framed-Protocol = PPP
Service-Type = Framed-User
Class =
0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
MS-CHAP-Domain = "\tDEV"
EAP-Message =
0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 206 to 172.18.10.13 port 48852
EAP-Message =
0x010a005b1900170301005017c5dbce0bb69cfd09fd41a5773d61f811bcf2ce164c32346899a98a231010fef71b89c1aed9412bc615a0d2c86595e420e4bd7f3538b748e8825b5f7c275e51bab5a82ae5c4c15e303ccdbd9e909e1a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af5e915730ebe85102c777b46
Finished request 8.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=207, length=204
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x020a002b1900170301002010d201aca04a28ed500660ad0ea279183cf64cf8c3a2e5946a86d43567c9b7f7
State = 0xfde30c7af5e915730ebe85102c777b46
Message-Authenticator = 0xab4fe0c669c7850b88ad0a2ede3087e2
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a00061a03
server {
[peap] Setting User-Name to meru
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "meru"
State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
server proxy-inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
} # server proxy-inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from file
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "meru"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 207 to 172.18.10.13 port 48852
EAP-Message =
0x010b002b19001703010020972594e10347244aac063470d19ff9c07f0b89472a6262ae06b555a8f266d39c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfde30c7af4e815730ebe85102c777b46
Finished request 9.
Going to the next request
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
id=208, length=204
User-Name = "meru"
NAS-IP-Address = 172.18.10.13
NAS-Port = 2049
Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
Calling-Station-Id = "00-1A-73-9D-9D-02"
Framed-MTU = 1250
NAS-Port-Type = Wireless-802.11
Framed-Compression = None
Connect-Info = "CONNECT 802.11a"
Chargeable-User-Identity = "\\0"
EAP-Message =
0x020b002b1900170301002079ae2531cb0c20ac94b1150652cc1a83e2ebe697fe10e6d64b4a03ffd8f8bae1
State = 0xfde30c7af4e815730ebe85102c777b46
Message-Authenticator = 0xc8d498ff15ea96988f74edada8e319c1
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "meru", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "meru"
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
User-Name = "meru"
MS-MPPE-Recv-Key =
0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
MS-MPPE-Send-Key =
0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 3.9 seconds.
Cleaning up request 0 ID 198 with timestamp +37
Waking up in 0.1 seconds.
Cleaning up request 1 ID 199 with timestamp +37
Waking up in 0.1 seconds.
Cleaning up request 2 ID 200 with timestamp +38
Cleaning up request 3 ID 201 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 4 ID 202 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 5 ID 203 with timestamp +38
Cleaning up request 6 ID 204 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 7 ID 205 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 8 ID 206 with timestamp +38
Cleaning up request 9 ID 207 with timestamp +38
Waking up in 0.1 seconds.
Cleaning up request 10 ID 208 with timestamp +38
Ready to process requests.
-----------------------------------------------
Please help.
--
Nitin.
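One way to check a `radiusd -X` capture like the one above for attributes lost between the home server's Access-Accept and the Access-Accept finally sent to the NAS. This is an added example, not part of the original post and not FreeRADIUS code; `parse_packets`, `dropped_attributes`, the default `ignore` list and the abridged sample log are assumptions made for illustration.

```python
import re

# Packet headers as printed in the debug output above.
HEADER = re.compile(r"^(rad_recv: ([\w-]+) packet from host (\S+)"
                    r"|Sending ([\w-]+) of id \d+ to (\S+))")
ATTR = re.compile(r"^([A-Za-z][\w-]*(?::\d+)?) =\s*(.*)$")
WRAPPED_HEADER = re.compile(r"^(id=\d+, )?length=\d+$")  # header tail on its own line

def parse_packets(log_text):
    """Return [(direction, code, peer, {attr: value})], one entry per packet on the wire."""
    packets, attrs, pending = [], None, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:
            attrs, pending = {}, None
            packets.append(("recv" if head.group(2) else "send",
                            head.group(2) or head.group(4),
                            head.group(3) or head.group(5), attrs))
        elif attrs is None or WRAPPED_HEADER.match(line):
            continue                      # outside a packet, or wrapped header tail
        elif pending and line.startswith("0x"):
            attrs[pending], pending = line, None   # value wrapped onto the next line
        elif attr:
            attrs[attr.group(1)] = attr.group(2)   # repeated attributes keep the last value
            pending = None if attr.group(2) else attr.group(1)
        else:
            attrs, pending = None, None   # first non-attribute line ends the packet
    return packets

# Assumption: these are not expected in the outer reply (Proxy-State belongs to the
# proxy hop, MS-CHAP2-Success is consumed by the inner EAP-MSCHAPv2 exchange).
def dropped_attributes(log_text, ignore=("Proxy-State", "MS-CHAP2-Success")):
    """Attributes in the last received Access-Accept missing from the last one sent."""
    accepts = [p for p in parse_packets(log_text) if p[1] == "Access-Accept"]
    upstream = [p[3] for p in accepts if p[0] == "recv"]
    final = [p[3] for p in accepts if p[0] == "send"]
    if not upstream or not final:
        raise ValueError("log needs both a received and a sent Access-Accept")
    return sorted(set(upstream[-1]) - set(final[-1]) - set(ignore))

# Constructed sample: abridged from the capture above, hex values shortened to 0x00.
SAMPLE_LOG = """\
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61,
length=252
Proxy-State = 0x323036
Session-Timeout = 300
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
Tunnel-Type:0 = VLAN
Class =
0x00
MS-MPPE-Recv-Key = 0x00
MS-CHAP2-Success =
0x00
# Executing section post-proxy from file
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
User-Name = "meru"
MS-MPPE-Recv-Key =
0x00
EAP-Message = 0x030b0004
Finished request 10.
"""
if __name__ == "__main__":
    print(dropped_attributes(SAMPLE_LOG))
```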