"use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf
Nitin Bhardwaj
nbhardwaj at merunetworks.com
Wed Jul 6 13:03:01 CEST 2011
On 06/07/2011 11:20 AM, Nitin Bhardwaj wrote:
>> On 07/05/2011 06:03 PM, Nitin Bhardwaj wrote:
>>
>> Hello All,
>>
>> I'm using FreeRADIUS 2.1.11 as a proxy for authenticating PEAP
>> clients with RADIUS server not supporting EAP.
>>
>> All is working well except that when I use
>> "proxy_tunneled_request_as_eap = no" in eap.conf, FreeRADIUS is not
>> passing back all the AVPs sent by RADIUS server in
>> Access-Accept(MSCHAPv2) to the Client, only few ones.
>>
>> Be specific. Which ones?
>>
>> Better yet, show a debug of it not working.
>>
>>
>> But when I set it as "proxy_tunneled_request_as_eap = yes",
>> FreeRADIUS is relaying back all the AVPs received from the RADIUS
>> server properly.
>>
>>
>> eap.conf:
>> ------------
>> eap {
>>     peap {
>>         copy_request_to_tunnel = yes
>>         use_tunneled_reply = yes
>>         proxy_tunneled_request_as_eap = no
>>         virtual_server = "proxy-inner-tunnel"
>>     }
>> }
>>
>> Hence, in spite of setting "use_tunneled_reply = yes", why isn't FR
>> copying all attributes in Access-Accept back to client? Is this some
>> bug, fixed in 3.x?
>>
>> 3.x is not released yet.
>>
>> I don't think there are any fixes related to this in "master" (to
>> become 3.x) but there might be; please provide more details as above,
>> so we can try to reproduce.
>
> Sorry, I was not clear enough earlier.
> This is an issue same as the one mentioned in this query:
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-September/msg00509.html
>
> The RADIUS server is sending the following extra AVPs in Access-Accept
> to FR:
> Session-Timeout = 300
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "12"
> Tunnel-Type:0 = VLAN
>
> But FR is eating them up while relaying the Access-Accept back to Client.
>
> The Access-Accept from RADIUS server is as follows:
> ----------------------------------
> rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, length=252
>     Proxy-State = 0x323036
>     Session-Timeout = 300
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Private-Group-Id:0 = "12"
>     Tunnel-Type:0 = VLAN
>     Framed-Protocol = PPP
>     Service-Type = Framed-User
>     Class = 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
>     MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
>     MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
>     MS-CHAP2-Success = 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
>     MS-CHAP-Domain = "\tDEV"
> ----------------------------------
>
> But the relayed Access-Accept to client is:
> ----------------------------------
> Sending Access-Accept of id 208 to 172.18.10.13 port 48852
>     User-Name = "meru"
>     MS-MPPE-Recv-Key = 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
>     MS-MPPE-Send-Key = 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
>     EAP-Message = 0x030b0004
>     Message-Authenticator = 0x00000000000000000000000000000000
> ----------------------------------
>
> My settings are as follows:
> eap.conf:
> --------------
> eap {
>     tls {
>         # Usual stuff <snip....>
>     }
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = yes
>         use_tunneled_reply = yes
>         proxy_tunneled_request_as_eap = no
>         virtual_server = "proxy-inner-tunnel"
>     }
>
>     mschapv2 {
>     }
> }
>
> sites-enabled/proxy-inner-tunnel:
> -----------------------------------------------
> server proxy-inner-tunnel {
>     authorize {
>         update control {
>             # You should update this to be one of your realms.
>             Proxy-To-Realm := "DEVLAB"
>         }
>     }
>
>     authenticate {
>         eap
>     }
>     post-proxy {
>         eap
>     }
> }
>
> FR relays all packets properly back to Client when I use
> "proxy_tunneled_request_as_eap = yes" in eap.conf. But I cannot do
> that way because the RADIUS server doesn't understand EAP at all - I
> need to send a plain MSCHAPv2 in the inner request. I thought using
> "use_tunneled_reply = yes" should have caused FR to relay all the
> AVPs back to the outer tunnel, but it's not working.
>
> The full log is as follows:
> ------------------------------------------------
> [root@nitin-centos ~]# radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul 5 2011 at 19:03:48
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/modules/
> including configuration file /usr/local/etc/raddb/modules/radutmp
> including configuration file /usr/local/etc/raddb/modules/smsotp
> including configuration file /usr/local/etc/raddb/modules/logintime
> including configuration file /usr/local/etc/raddb/modules/rediswho
> including configuration file /usr/local/etc/raddb/modules/etc_group
> including configuration file /usr/local/etc/raddb/modules/sradutmp
> including configuration file /usr/local/etc/raddb/modules/linelog
> including configuration file /usr/local/etc/raddb/modules/ntlm_auth
> including configuration file /usr/local/etc/raddb/modules/attr_rewrite
> including configuration file /usr/local/etc/raddb/modules/detail
> including configuration file /usr/local/etc/raddb/modules/detail.log
> including configuration file /usr/local/etc/raddb/modules/expr
> including configuration file /usr/local/etc/raddb/modules/wimax
> including configuration file /usr/local/etc/raddb/modules/acct_unique
> including configuration file /usr/local/etc/raddb/modules/mschap
> including configuration file /usr/local/etc/raddb/modules/detail.example.com
> including configuration file /usr/local/etc/raddb/modules/replicate
> including configuration file /usr/local/etc/raddb/modules/soh
> including configuration file /usr/local/etc/raddb/modules/otp
> including configuration file /usr/local/etc/raddb/modules/preprocess
> including configuration file /usr/local/etc/raddb/modules/expiration
> including configuration file /usr/local/etc/raddb/modules/echo
> including configuration file /usr/local/etc/raddb/modules/krb5
> including configuration file /usr/local/etc/raddb/modules/mac2ip
> including configuration file /usr/local/etc/raddb/modules/mac2vlan
> including configuration file /usr/local/etc/raddb/modules/checkval
> including configuration file /usr/local/etc/raddb/modules/chap
> including configuration file /usr/local/etc/raddb/modules/redis
> including configuration file /usr/local/etc/raddb/modules/passwd
> including configuration file /usr/local/etc/raddb/modules/always
> including configuration file /usr/local/etc/raddb/modules/pam
> including configuration file /usr/local/etc/raddb/modules/policy
> including configuration file /usr/local/etc/raddb/modules/cui
> including configuration file /usr/local/etc/raddb/modules/digest
> including configuration file /usr/local/etc/raddb/modules/unix
> including configuration file /usr/local/etc/raddb/modules/realm
> including configuration file /usr/local/etc/raddb/modules/sql_log
> including configuration file /usr/local/etc/raddb/modules/opendirectory
> including configuration file /usr/local/etc/raddb/modules/dynamic_clients
> including configuration file /usr/local/etc/raddb/modules/exec
> including configuration file /usr/local/etc/raddb/modules/files
> including configuration file /usr/local/etc/raddb/modules/counter
> including configuration file /usr/local/etc/raddb/modules/pap
> including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /usr/local/etc/raddb/modules/attr_filter
> including configuration file /usr/local/etc/raddb/modules/ippool
> including configuration file /usr/local/etc/raddb/modules/perl
> including configuration file /usr/local/etc/raddb/modules/smbpasswd
> including configuration file /usr/local/etc/raddb/modules/inner-eap
> including configuration file /usr/local/etc/raddb/modules/ldap
> including configuration file /usr/local/etc/raddb/eap.conf
> including configuration file /usr/local/etc/raddb/policy.conf
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
> main {
> allow_core_dumps = no
> }
> including dictionary file /usr/local/etc/raddb/dictionary
> main {
> name = "radiusd"
> prefix = "/usr/local"
> localstatedir = "/usr/local/var"
> sbindir = "/usr/local/sbin"
> logdir = "/usr/local/var/log/radius"
> run_dir = "/usr/local/var/run/radiusd"
> libdir = "/usr/local/lib"
> radacctdir = "/usr/local/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/local/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20
> max_outstanding = 65536
> require_message_authenticator = yes
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> num_pings_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> realm DEVLAB {
> authhost = 172.19.6.4
> secret = meru2002
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = "testing123"
> nastype = "other"
> }
> client 172.18.10.13 {
> require_message_authenticator = no
> secret = "meru2002"
> nastype = "other"
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file
> /usr/local/etc/raddb/modules/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> }
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file
> /usr/local/etc/raddb/modules/expr
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file
> /usr/local/etc/raddb/modules/expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file
> /usr/local/etc/raddb/modules/logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> }
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/etc/raddb/radiusd.conf
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_pap
> Module: Instantiating module "pap" from file
> /usr/local/etc/raddb/modules/pap
> pap {
> encryption_scheme = "auto"
> auto_header = no
> }
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file
> /usr/local/etc/raddb/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file
> /usr/local/etc/raddb/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = no
> allow_retry = yes
> }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file
> /usr/local/etc/raddb/modules/digest
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file
> /usr/local/etc/raddb/modules/unix
> unix {
> radwtmp = "/usr/local/var/log/radius/radwtmp"
> }
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file
> /usr/local/etc/raddb/eap.conf
> eap {
> default_eap_type = "md5"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 4096
> }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> CA_path = "/usr/local/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/usr/local/etc/raddb/certs/server.pem"
> certificate_file = "/usr/local/etc/raddb/certs/server.pem"
> CA_file = "/usr/local/etc/raddb/certs/ca.pem"
> private_key_password = "whatever"
> dh_file = "/usr/local/etc/raddb/certs/dh"
> random_file = "/usr/local/etc/raddb/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
> cache {
> enable = no
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> }
> }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = no
> virtual_server = "proxy-inner-tunnel"
> soh = no
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file
> /usr/local/etc/raddb/modules/preprocess
> preprocess {
> huntgroups = "/usr/local/etc/raddb/huntgroups"
> hints = "/usr/local/etc/raddb/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file
> /usr/local/etc/raddb/modules/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file
> /usr/local/etc/raddb/modules/files
> files {
> usersfile = "/usr/local/etc/raddb/users"
> acctusersfile = "/usr/local/etc/raddb/acct_users"
> preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> compat = "no"
> }
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating module "acct_unique" from file
> /usr/local/etc/raddb/modules/acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file
> /usr/local/etc/raddb/modules/detail
> detail {
> detailfile = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file
> /usr/local/etc/raddb/modules/radutmp
> radutmp {
> filename = "/usr/local/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
> attr_filter attr_filter.accounting_response {
> attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
> key = "%{User-Name}"
> }
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
> attr_filter attr_filter.access_reject {
> attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> }
> } # modules
> } # server
> server proxy-inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> } # modules
> } # server
> server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> }
> listen {
> type = "control"
> listen {
> socket = "/usr/local/var/run/radiusd/radiusd.sock"
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> ... adding new socket proxy address * port 44579
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
>
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=198, length=152
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message = 0x02010009016d657275
> Message-Authenticator = 0x960d94c0685c6dd5ba509de67f73d37a
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 9
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 198 to 172.18.10.13 port 48852
> EAP-Message = 0x0102001604109fe03af8d36fe702cf4550cf1f8c0622
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7afde108730ebe85102c777b46
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=199, length=167
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message = 0x020200060319
> State = 0xfde30c7afde108730ebe85102c777b46
> Message-Authenticator = 0x9f1b4526ff2f96a96aae56daf8c0c317
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 2 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/peap
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 199 to 172.18.10.13 port 48852
> EAP-Message = 0x010300061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7afce015730ebe85102c777b46
> Finished request 1.
> Going to the next request
> Waking up in 4.8 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=200, length=243
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message =
> 0x0203005219800000004816030100430100003f03014c32bfcfbdd3039d0bcab75c921dd349c355de3f12bc41174c7fdd579d1e3c9200001800390038003300320016001300660035002f000a000500040100
> State = 0xfde30c7afce015730ebe85102c777b46
> Message-Authenticator = 0xcb652a53a53fcfdfa58375d9b220dd1f
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 3 length 82
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 72
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0043], ClientHello
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 085e], Certificate
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
> [peap] TLS_accept: SSLv3 write key exchange A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 200 to 172.18.10.13 port 48852
> EAP-Message =
> 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
> EAP-Message =
> 0x301e170d3131303730353133343634375a170d3132303730343133343634375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c62489fe8f25360bcf54e00e5504239ff4a63a0527f6a6a3056b6c5acee49a33fa8876b189c35a2995c50e04c5228612d1d4786d0ae26d91876ecc895ccb
> EAP-Message =
> 0x32872a0bbdd7c8b7c1a174e096e7b018f8f0bf7baf0ae841dd934974f5bcfff09a0183ced606e5862cb0c306cedc7d566f0433d59da9b782dbdd5200473b793b5f54672bc83e38ff345224996e3f80bc10162ebd81809ac1eb27c50cfd44d5a25268be450b5c3bc19d2a7213a0210f6a98d0a4b2bc9b8bdb7b13c20d93fe5e502d4a54483cdf5f0cea7dbd00f94247418293b57d04dfb3b950afb1d1a537b72e4e61f88cb4983152cf0e9aa6f6137a870a7dea3061c504af04f0f328cc63e1cff4550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007b97bb0db325b70a48
> EAP-Message =
> 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
> EAP-Message = 0xa73082038fa0030201020209
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7affe715730ebe85102c777b46
> Finished request 2.
> Going to the next request
> Waking up in 4.7 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=201, length=167
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message = 0x020400061900
> State = 0xfde30c7affe715730ebe85102c777b46
> Message-Authenticator = 0xb44bb5aa230ad5e60d13eddafd1dbe7c
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 201 to 172.18.10.13 port 48852
> EAP-Message =
> 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
> EAP-Message =
> 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
> EAP-Message =
> 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
> EAP-Message =
> 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
> EAP-Message = 0xe005f788e24cb66e
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7afee615730ebe85102c777b46
> Finished request 3.
> Going to the next request
> Waking up in 4.6 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=202, length=167
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message = 0x020500061900
> State = 0xfde30c7afee615730ebe85102c777b46
> Message-Authenticator = 0xe812ebc412f80a25bd7498462aa6e62b
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 5 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 202 to 172.18.10.13 port 48852
> EAP-Message =
> 0x010602c719008ed1e209185a65d79ce3ef916051889d7bdaeb3525ffc5107d08ca060e538707279d6c7c4d00bd7e2cd644f85b28e438ef74ff013334cc24decd6b574a1df5f73441a4d7b07cf0e5ea79111f624a738780e8bc2564e305a43e8ad9df004a59d0e07b4f5a177c45ca420b747f76ad21feec38781f5164e77d33c6e27a51073ec20c671d919da22056a657f540198bea9e10816a61c4a3f7c8e4f210b734fabf9c012baca0786d160301020d0c0002090080bb53fc5d6c82b9ab4ed79feb313de75ac8e65c23fdb6bd4a6662e6b46bfd437f4f52e12048d2b6e3755cf5e2714aac141168d560132d2b4764c9e36e9ac301c108e84436571a
> EAP-Message =
> 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
> EAP-Message =
> 0x3f7656fad6b6db3b6aabdf97a039bc944b257676000e58f16d041545e8fe965412ce2178d6a7ae69499986dfe99ff955bfb985a49e9d05107ad218622a99f5d29a5bfe8d3acfc5f156e04d700d611c1d5cb3e00e6ba986f8bf5b236c8741b5fa3293ddae6e0279c613fdd72d68af1f6ad512d9b858f59dae29a4b945235c89fe55ce40e14b58dc51c80f253c9a3e8ecfdf22fab4d162dbc87ebb06093cd02e3dd6bae646050ab8642ecf14213423f142f8ea4d35243dd51660446270dbdf7fd2ef48280b16030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7af9e515730ebe85102c777b46
> Finished request 4.
> Going to the next request
> Waking up in 4.5 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=203, length=369
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message =
> 0x020600d01980000000c616030100861000008200809a0c1bb68594ead0d108df37ab090c5ae82bbe69eee7b73f693f11bc68cd29f637eb8f4faf9a272f513c954cfcea094707e2af32c4e2b55d3a646126d249fd5fb7e1bd4e8288bf086aae28b808135864eb005218ea8d9a54481f4d43c7fb5368814aaac3a63100a32249d7e68f3b9dccf0d922c2d12c9c2b146232e496fe0bc81403010001011603010030840c77df284213f438f3551d62a3d4c9470e0ea6366e1b39d34f137f5c78d2891eb30875669d688fccf0e61e1da243c6
> State = 0xfde30c7af9e515730ebe85102c777b46
> Message-Authenticator = 0x88bb2bb9ca1a313aee2de681d281f0c3
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 208
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 198
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap] TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 write finished A
> [peap] TLS_accept: SSLv3 flush data
> [peap] (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 203 to 172.18.10.13 port 48852
> EAP-Message =
> 0x01070041190014030100010116030100303b23c31a29c705c25db0839a53e947b05d465fbd30c13653d3b8352bd088325b17a3151fd321e457c5d469e8ca818560
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7af8e415730ebe85102c777b46
> Finished request 5.
> Going to the next request
> Waking up in 4.4 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=204, length=167
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message = 0x020700061900
> State = 0xfde30c7af8e415730ebe85102c777b46
> Message-Authenticator = 0xb1f44972992610c36bf8c5898b636d38
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state TUNNEL ESTABLISHED
> ++[eap] returns handled
> Sending Access-Challenge of id 204 to 172.18.10.13 port 48852
> EAP-Message =
> 0x0108002b190017030100206d1d6355f7e57d3754317857539e1a39325b6ecef30c90efef64a20af81c024f
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7afbeb15730ebe85102c777b46
> Finished request 6.
> Going to the next request
> Waking up in 4.3 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=205, length=204
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message =
> 0x0208002b19001703010020625a119fe356dba5d6f7cf76e4d054c2241fb52f16778532b4f8004d14d1d4a6
> State = 0xfde30c7afbeb15730ebe85102c777b46
> Message-Authenticator = 0x2c2cd6601cd01b1317d2dc7594348bc0
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state WAITING FOR INNER IDENTITY
> [peap] Identity - meru
> [peap] Got inner identity 'meru'
> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
> EAP-Message = 0x02080009016d657275
> server {
> [peap] Setting User-Name to meru
> Sending tunneled request
> EAP-Message = 0x02080009016d657275
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> server proxy-inner-tunnel {
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authorize {...}
> ++[control] returns notfound
> } # server proxy-inner-tunnel
> [peap] Got tunneled reply code 0
> PEAP: Calling authenticate in order to initiate tunneled EAP session.
> # Executing group from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> PEAP: Cancelling proxy to realm DEVLAB until the tunneled EAP
> session has been established
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message =
> 0x0109001e1a01090019105ba435e766423f0a72c901045f0a25886d657275
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 205 to 172.18.10.13 port 48852
> EAP-Message =
> 0x0109003b1900170301003089452af1f3e64ab01e961a4b2dc9b0c13a90fc86e1da452b46c781c6c3aa4e465324742d29a8a5983bddf45bec669947
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7afaea15730ebe85102c777b46
> Finished request 7.
> Going to the next request
> Waking up in 4.2 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=206, length=252
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message =
> 0x0209005b19001703010050934ee8273bff98e2ce4cd7af01b43419b36b17024edcb9e1f3fb99cb52c22c03c0b565e7a69dbe1424a68753ec8c2f2a596ac4a666a04d1dc85112f833bda916d4fcec71ffe2ee65140c2e8d059be1b0
> State = 0xfde30c7afaea15730ebe85102c777b46
> Message-Authenticator = 0x891db7ed9a95c5ffd9b0b427cac19ead
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 9 length 91
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message =
> 0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
> server {
> [peap] Setting User-Name to meru
> Sending tunneled request
> EAP-Message =
> 0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "meru"
> State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> server proxy-inner-tunnel {
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authorize {...}
> ++[control] returns notfound
> } # server proxy-inner-tunnel
> [peap] Got tunneled reply code 0
> PEAP: Calling authenticate in order to initiate tunneled EAP session.
> # Executing group from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Not-EAP proxy set. Not composing EAP
> ++[eap] returns handled
> PEAP: Tunneled authentication will be proxied to DEVLAB
> PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
> [eap] Tunneled session will be proxied. Not doing EAP.
> ++[eap] returns handled
> WARNING: Empty pre-proxy section. Using default return values.
> Sending Access-Request of id 61 to 172.19.6.4 port 1812
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
> MS-CHAP2-Response =
> 0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
> Proxy-State = 0x323036
> Proxying request 8 to home server 172.19.6.4 port 1812
> Sending Access-Request of id 61 to 172.19.6.4 port 1812
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
> MS-CHAP2-Response =
> 0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
> Proxy-State = 0x323036
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61,
> length=252
> Proxy-State = 0x323036
> Session-Timeout = 300
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "12"
> Tunnel-Type:0 = VLAN
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Class =
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
> MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
> MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
> MS-CHAP2-Success =
> 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
> MS-CHAP-Domain = "\tDEV"
> # Executing section post-proxy from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-proxy {...}
> [eap] Doing post-proxy callback
> [eap] Passing reply from proxy back into the tunnel.
> server proxy-inner-tunnel {
> [eap] Passing reply back for EAP-MS-CHAP-V2
> # Executing section post-proxy from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group post-proxy {...}
> [eap] Doing post-proxy callback
> rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
> 0x8c91600 2.
> rlm_eap_mschapv2: Authentication succeeded.
> MSCHAP Success
> ++[eap] returns ok
> WARNING: Empty post-auth section. Using default return values.
> } # server proxy-inner-tunnel
> [eap] Final reply from tunneled session code 11
> Proxy-State = 0x323036
> Session-Timeout = 300
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "12"
> Tunnel-Type:0 = VLAN
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Class =
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
> MS-CHAP-Domain = "\tDEV"
> EAP-Message =
> 0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
> [eap] Got reply 11
> [eap] Got tunneled reply RADIUS code 11
> Proxy-State = 0x323036
> Session-Timeout = 300
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "12"
> Tunnel-Type:0 = VLAN
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Class =
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
> MS-CHAP-Domain = "\tDEV"
> EAP-Message =
> 0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
> [eap] Got tunneled Access-Challenge
> [eap] Saving tunneled attributes for later
> [eap] Reply was handled
> ++[eap] returns ok
> Sending Access-Challenge of id 206 to 172.18.10.13 port 48852
> EAP-Message =
> 0x010a005b1900170301005017c5dbce0bb69cfd09fd41a5773d61f811bcf2ce164c32346899a98a231010fef71b89c1aed9412bc615a0d2c86595e420e4bd7f3538b748e8825b5f7c275e51bab5a82ae5c4c15e303ccdbd9e909e1a
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7af5e915730ebe85102c777b46
> Finished request 8.
> Going to the next request
> Waking up in 4.1 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=207, length=204
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message =
> 0x020a002b1900170301002010d201aca04a28ed500660ad0ea279183cf64cf8c3a2e5946a86d43567c9b7f7
> State = 0xfde30c7af5e915730ebe85102c777b46
> Message-Authenticator = 0xab4fe0c669c7850b88ad0a2ede3087e2
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 10 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x020a00061a03
> server {
> [peap] Setting User-Name to meru
> Sending tunneled request
> EAP-Message = 0x020a00061a03
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "meru"
> State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> server proxy-inner-tunnel {
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authorize {...}
> ++[control] returns notfound
> } # server proxy-inner-tunnel
> [peap] Got tunneled reply code 0
> PEAP: Calling authenticate in order to initiate tunneled EAP session.
> # Executing group from file
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> [peap] Got tunneled reply RADIUS code 2
> MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
> MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
> EAP-Message = 0x030a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "meru"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> ++[eap] returns handled
> Sending Access-Challenge of id 207 to 172.18.10.13 port 48852
> EAP-Message =
> 0x010b002b19001703010020972594e10347244aac063470d19ff9c07f0b89472a6262ae06b555a8f266d39c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfde30c7af4e815730ebe85102c777b46
> Finished request 9.
> Going to the next request
> Waking up in 4.0 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852,
> id=208, length=204
> User-Name = "meru"
> NAS-IP-Address = 172.18.10.13
> NAS-Port = 2049
> Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
> Calling-Station-Id = "00-1A-73-9D-9D-02"
> Framed-MTU = 1250
> NAS-Port-Type = Wireless-802.11
> Framed-Compression = None
> Connect-Info = "CONNECT 802.11a"
> Chargeable-User-Identity = "\\0"
> EAP-Message =
> 0x020b002b1900170301002079ae2531cb0c20ac94b1150652cc1a83e2ebe697fe10e6d64b4a03ffd8f8bae1
> State = 0xfde30c7af4e815730ebe85102c777b46
> Message-Authenticator = 0xc8d498ff15ea96988f74edada8e319c1
> # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 11 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state send tlv success
> [peap] Received EAP-TLV response.
> [peap] Success
> [peap] Using saved attributes from the original Access-Accept
> User-Name = "meru"
> [eap] Freeing handler
> ++[eap] returns ok
> # Executing section post-auth from file
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 208 to 172.18.10.13 port 48852
> User-Name = "meru"
> MS-MPPE-Recv-Key =
> 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
> MS-MPPE-Send-Key =
> 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
> EAP-Message = 0x030b0004
> Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 10.
> Going to the next request
> Waking up in 3.9 seconds.
> Cleaning up request 0 ID 198 with timestamp +37
> Waking up in 0.1 seconds.
> Cleaning up request 1 ID 199 with timestamp +37
> Waking up in 0.1 seconds.
> Cleaning up request 2 ID 200 with timestamp +38
> Cleaning up request 3 ID 201 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 4 ID 202 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 5 ID 203 with timestamp +38
> Cleaning up request 6 ID 204 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 7 ID 205 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 8 ID 206 with timestamp +38
> Cleaning up request 9 ID 207 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 10 ID 208 with timestamp +38
> Ready to process requests.
> -----------------------------------------------
>
> Please help.
>
> --
> Nitin.
>
Hi,
Found out that this works perfectly fine in freeradius 3.0.0 (master git
branch).
Can anyone please suggest which patches I need to back-port to 2.1.11 to
make this work in the 2.1.x branch too?
--
Thanks,
Nitin.
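A checker for the symptom the quoted debug output shows, added here as an example; it is not code from this thread or from the FreeRADIUS project. It parses `radiusd -X` output, pairs the Access-Accept received from the home server with the Access-Accept finally sent to the NAS, and lists every attribute that did not survive the trip. The sample debug text is a constructed, shortened excerpt modelled on the log above (the hex values are placeholders), the home-server and NAS addresses are the ones in that log, and the set of attributes treated as legitimately consumed or regenerated by the proxy (Proxy-State, the MS-MPPE keys, MS-CHAP2-Success, and the EAP/State/Message-Authenticator bookkeeping) is an assumption to adjust. Because it compares whole attribute lists rather than the four names the post mentions, it also flags Framed-Protocol, Service-Type, Class and MS-CHAP-Domain, which the quoted log shows going missing as well.

```python
"""Check whether a FreeRADIUS proxy relays home-server reply attributes.

Parses `radiusd -X` debug output, pairs the Access-Accept received from the
home server with the final Access-Accept sent to the NAS, and lists the
attributes present in the first but absent from the second.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the debug output in the thread (shortened;
# hex blobs are placeholders, not the original values).  One value is wrapped
# onto the following line the way a mail client wraps long lines.
SAMPLE_DEBUG = """\
Sending Access-Request of id 61 to 172.19.6.4 port 1812
    User-Name = "meru"
    MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
    Proxy-State = 0x323036
Proxying request 8 to home server 172.19.6.4 port 1812
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, length=252
    Proxy-State = 0x323036
    Session-Timeout = 300
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "12"
    Tunnel-Type:0 = VLAN
    Framed-Protocol = PPP
    Service-Type = Framed-User
    Class = 0xc9200b0c00000137
    MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9
    MS-MPPE-Send-Key = 0x5ae7592c6feef640
    MS-CHAP2-Success = 0x09533d4544
    MS-CHAP-Domain = "\\tDEV"
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
Sending Access-Challenge of id 206 to 172.18.10.13 port 48852
    EAP-Message = 0x010a005b1900
    State = 0xfde30c7af5e9
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
    User-Name = "meru"
    MS-MPPE-Recv-Key =
0x6c6c3b63a0c60545
    MS-MPPE-Send-Key = 0xbcb242cdac92ca36
    EAP-Message = 0x030b0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w\-]*(?::\d+)?) = ?(.*)$")
LENGTH_RE = re.compile(r"^\s*length=\d+$")   # wrapped tail of a rad_recv header

# Attributes the proxy is expected to consume or regenerate rather than relay
# (assumption for this check; extend or shrink the set as needed).
CONSUMED_BY_PROXY = {
    "Proxy-State",                # stripped when the proxied reply is matched
    "MS-MPPE-Send-Key",           # re-derived from the outer TLS session
    "MS-MPPE-Recv-Key",
    "MS-CHAP2-Success",           # consumed by the inner EAP-MSCHAPv2 exchange
    "EAP-Message", "Message-Authenticator", "State",
}


@dataclass
class Packet:
    direction: str      # "recv" or "send"
    code: str           # e.g. "Access-Accept"
    peer: str           # address of the other party
    pkt_id: int
    attrs: list = field(default_factory=list)   # (name, value) in wire order


def parse_debug(text):
    """Split debug output into packets, each with its attribute list."""
    packets, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if (m := RECV_RE.match(line)):
            current = Packet("recv", m.group(1), m.group(2), int(m.group(4)))
            packets.append(current)
        elif (m := SEND_RE.match(line)):
            current = Packet("send", m.group(1), m.group(3), int(m.group(2)))
            packets.append(current)
        elif current is not None and not LENGTH_RE.match(line):
            m = ATTR_RE.match(line)
            if m:
                name, value = m.group(1), m.group(2).strip()
                if value == "" and i + 1 < len(lines):
                    i += 1                      # value wrapped onto next line
                    value = lines[i].strip()
                current.attrs.append((name, value))
            else:
                current = None                  # any other line ends the list
        i += 1
    return packets


def find_dropped_attributes(text, home_server, nas):
    """Return (name, value) pairs the home server sent that never reached the NAS."""
    packets = parse_debug(text)
    home = [p for p in packets if p.direction == "recv"
            and p.code == "Access-Accept" and p.peer == home_server]
    final = [p for p in packets if p.direction == "send"
             and p.code == "Access-Accept" and p.peer == nas]
    if not home or not final:
        raise ValueError("need an Access-Accept from the home server and one to the NAS")
    relayed = {name for name, _ in final[-1].attrs}
    return [(name, value) for name, value in home[-1].attrs
            if name not in relayed and name not in CONSUMED_BY_PROXY]


if __name__ == "__main__":
    for name, value in find_dropped_attributes(SAMPLE_DEBUG, "172.19.6.4", "172.18.10.13"):
        print(f"dropped by proxy: {name} = {value}")
```

Point it at a real capture with `find_dropped_attributes(open("radiusd.log").read(), home_ip, nas_ip)`; an empty list is the expected result once the proxy relays the home server's attributes, and anything listed is a candidate for an `update reply` in `post-proxy` as a workaround while the version question is settled.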