"use_tunnel_reply" not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

Nitin Bhardwaj nbhardwaj at merunetworks.com
Wed Jul 6 13:03:01 CEST 2011


On 06/07/2011 11:20 AM, Nitin Bhardwaj wrote:
>> On 07/05/2011 06:03 PM, Nitin Bhardwaj wrote:
>>
>>     Hello All,
>>
>>     I'm using FreeRADIUS 2.1.11 as a proxy for authenticating PEAP
>>     clients against a RADIUS server that does not support EAP.
>>
>>     All is working well except that when I use
>>     "proxy_tunneled_request_as_eap = no" in eap.conf, FreeRADIUS is not
>>     passing back all the AVPs sent by the RADIUS server in the
>>     Access-Accept (MSCHAPv2) to the client, only a few of them.
>>
>> Be specific. Which ones?
>>
>> Better yet, show a debug of it not working.
>>
>>
>>     But when I set it as "proxy_tunneled_request_as_eap = yes",
>>     FreeRADIUS is relaying back all the AVPs received from the RADIUS
>>     server properly.
>>
>>
>>     eap.conf:
>>     ------------
>>     eap {
>>             peap {
>>                     copy_request_to_tunnel = yes
>>                     use_tunneled_reply = yes
>>                     proxy_tunneled_request_as_eap = no
>>                     virtual_server = "proxy-inner-tunnel"
>>             }
>>     }
>>
>>     Hence, in spite of setting "use_tunneled_reply = yes", why isn't FR
>>     copying all attributes in the Access-Accept back to the client? Is this
>>     some bug, fixed in 3.x?
>>
>> 3.x is not released yet.
>>
>> I don't think there are any fixes related to this in "master" (to
>> become 3.x) but there might be; please provide more details as above,
>> so we can try to reproduce.
>
> Sorry, I was not clear enough earlier.
> This is the same issue as the one mentioned in this query:
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-September/msg00509.html
>
> The RADIUS server is sending the following extra AVPs in Access-Accept 
> to FR:
>         Session-Timeout = 300
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "12"
>         Tunnel-Type:0 = VLAN
>
> But FR is eating them up while relaying the Access-Accept back to Client.
>
> The Access-Accept from RADIUS server is as follows:
> ----------------------------------
> rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, 
> length=252
>         Proxy-State = 0x323036
>         Session-Timeout = 300
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "12"
>         Tunnel-Type:0 = VLAN
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Class = 
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
>         MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
>         MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
>         MS-CHAP2-Success = 
> 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
>         MS-CHAP-Domain = "\tDEV"
> ----------------------------------
>
> But the relayed Access-Accept to client is:
> ----------------------------------
> Sending Access-Accept of id 208 to 172.18.10.13 port 48852
>         User-Name = "meru"
>         MS-MPPE-Recv-Key = 
> 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
>         MS-MPPE-Send-Key = 
> 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
>         EAP-Message = 0x030b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
> ----------------------------------
>
> My settings are as follows:
> eap.conf:
> --------------
> eap {
>         tls{
>                 # Usual stuff <snip....>
>         }
>         peap {
>                   default_eap_type = mschapv2
>                   copy_request_to_tunnel = yes
>                   use_tunneled_reply = yes
>                   proxy_tunneled_request_as_eap = no
>                   virtual_server = "proxy-inner-tunnel"
>         }
>
>        mschapv2 {
>        }
> }
>
> sites-enabled/proxy-inner-tunnel:
> -----------------------------------------------
> server proxy-inner-tunnel {
>            authorize {
>                   update control {
>                 #  You should update this to be one of your realms.
>                 Proxy-To-Realm := "DEVLAB"
>                   }
>
>             authenticate {
>                 eap
>             }
>            post-proxy {
>                 eap
>             }
> }
>
> FR relays all packets properly back to the client when I use
> "proxy_tunneled_request_as_eap = yes" in eap.conf. But I cannot do it
> that way because the RADIUS server doesn't understand EAP at all - I
> need to send plain MSCHAPv2 in the inner request. I thought using
> "use_tunneled_reply = yes" should have caused FR to relay all the
> AVPs back to the outer tunnel, but it's not working.
>
> The full log is as follows:
> ------------------------------------------------
> [root at nitin-centos ~]# radiusd -X
> FreeRADIUS Version 2.1.11, for host i686-pc-linux-gnu, built on Jul  5 
> 2011 at 19:03:48
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/modules/
> including configuration file /usr/local/etc/raddb/modules/radutmp
> including configuration file /usr/local/etc/raddb/modules/smsotp
> including configuration file /usr/local/etc/raddb/modules/logintime
> including configuration file /usr/local/etc/raddb/modules/rediswho
> including configuration file /usr/local/etc/raddb/modules/etc_group
> including configuration file /usr/local/etc/raddb/modules/sradutmp
> including configuration file /usr/local/etc/raddb/modules/linelog
> including configuration file /usr/local/etc/raddb/modules/ntlm_auth
> including configuration file /usr/local/etc/raddb/modules/attr_rewrite
> including configuration file /usr/local/etc/raddb/modules/detail
> including configuration file /usr/local/etc/raddb/modules/detail.log
> including configuration file /usr/local/etc/raddb/modules/expr
> including configuration file /usr/local/etc/raddb/modules/wimax
> including configuration file /usr/local/etc/raddb/modules/acct_unique
> including configuration file /usr/local/etc/raddb/modules/mschap
> including configuration file 
> /usr/local/etc/raddb/modules/detail.example.com
> including configuration file /usr/local/etc/raddb/modules/replicate
> including configuration file /usr/local/etc/raddb/modules/soh
> including configuration file /usr/local/etc/raddb/modules/otp
> including configuration file /usr/local/etc/raddb/modules/preprocess
> including configuration file /usr/local/etc/raddb/modules/expiration
> including configuration file /usr/local/etc/raddb/modules/echo
> including configuration file /usr/local/etc/raddb/modules/krb5
> including configuration file /usr/local/etc/raddb/modules/mac2ip
> including configuration file /usr/local/etc/raddb/modules/mac2vlan
> including configuration file /usr/local/etc/raddb/modules/checkval
> including configuration file /usr/local/etc/raddb/modules/chap
> including configuration file /usr/local/etc/raddb/modules/redis
> including configuration file /usr/local/etc/raddb/modules/passwd
> including configuration file /usr/local/etc/raddb/modules/always
> including configuration file /usr/local/etc/raddb/modules/pam
> including configuration file /usr/local/etc/raddb/modules/policy
> including configuration file /usr/local/etc/raddb/modules/cui
> including configuration file /usr/local/etc/raddb/modules/digest
> including configuration file /usr/local/etc/raddb/modules/unix
> including configuration file /usr/local/etc/raddb/modules/realm
> including configuration file /usr/local/etc/raddb/modules/sql_log
> including configuration file /usr/local/etc/raddb/modules/opendirectory
> including configuration file /usr/local/etc/raddb/modules/dynamic_clients
> including configuration file /usr/local/etc/raddb/modules/exec
> including configuration file /usr/local/etc/raddb/modules/files
> including configuration file /usr/local/etc/raddb/modules/counter
> including configuration file /usr/local/etc/raddb/modules/pap
> including configuration file 
> /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /usr/local/etc/raddb/modules/attr_filter
> including configuration file /usr/local/etc/raddb/modules/ippool
> including configuration file /usr/local/etc/raddb/modules/perl
> including configuration file /usr/local/etc/raddb/modules/smbpasswd
> including configuration file /usr/local/etc/raddb/modules/inner-eap
> including configuration file /usr/local/etc/raddb/modules/ldap
> including configuration file /usr/local/etc/raddb/eap.conf
> including configuration file /usr/local/etc/raddb/policy.conf
> including files in directory /usr/local/etc/raddb/sites-enabled/
> including configuration file /usr/local/etc/raddb/sites-enabled/default
> including configuration file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> including configuration file 
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
> including configuration file 
> /usr/local/etc/raddb/sites-enabled/control-socket
> main {
>         allow_core_dumps = no
> }
> including dictionary file /usr/local/etc/raddb/dictionary
> main {
>         name = "radiusd"
>         prefix = "/usr/local"
>         localstatedir = "/usr/local/var"
>         sbindir = "/usr/local/sbin"
>         logdir = "/usr/local/var/log/radius"
>         run_dir = "/usr/local/var/run/radiusd"
>         libdir = "/usr/local/lib"
>         radacctdir = "/usr/local/var/log/radius/radacct"
>         hostname_lookups = no
>         max_request_time = 30
>         cleanup_delay = 5
>         max_requests = 1024
>         pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>         checkrad = "/usr/local/sbin/checkrad"
>         debug_level = 0
>         proxy_requests = yes
>  log {
>         stripped_names = no
>         auth = no
>         auth_badpass = no
>         auth_goodpass = no
>  }
>  security {
>         max_attributes = 200
>         reject_delay = 1
>         status_server = yes
>  }
> }
> radiusd: #### Loading Realms and Home Servers ####
>  proxy server {
>         retry_delay = 5
>         retry_count = 3
>         default_fallback = no
>         dead_time = 120
>         wake_all_if_all_dead = no
>  }
>  home_server localhost {
>         ipaddr = 127.0.0.1
>         port = 1812
>         type = "auth"
>         secret = "testing123"
>         response_window = 20
>         max_outstanding = 65536
>         require_message_authenticator = yes
>         zombie_period = 40
>         status_check = "status-server"
>         ping_interval = 30
>         check_interval = 30
>         num_answers_to_alive = 3
>         num_pings_to_alive = 3
>         revive_interval = 120
>         status_check_timeout = 4
>   coa {
>         irt = 2
>         mrt = 16
>         mrc = 5
>         mrd = 30
>   }
>  }
>  home_server_pool my_auth_failover {
>         type = fail-over
>         home_server = localhost
>  }
>  realm example.com {
>         auth_pool = my_auth_failover
>  }
>  realm LOCAL {
>  }
>  realm DEVLAB {
>         authhost = 172.19.6.4
>         secret = meru2002
>  }
> radiusd: #### Loading Clients ####
>  client localhost {
>         ipaddr = 127.0.0.1
>         require_message_authenticator = no
>         secret = "testing123"
>         nastype = "other"
>  }
>  client 172.18.10.13 {
>         require_message_authenticator = no
>         secret = "meru2002"
>         nastype = "other"
>  }
> radiusd: #### Instantiating modules ####
>  instantiate {
>  Module: Linked to module rlm_exec
>  Module: Instantiating module "exec" from file 
> /usr/local/etc/raddb/modules/exec
>   exec {
>         wait = no
>         input_pairs = "request"
>         shell_escape = yes
>   }
>  Module: Linked to module rlm_expr
>  Module: Instantiating module "expr" from file 
> /usr/local/etc/raddb/modules/expr
>  Module: Linked to module rlm_expiration
>  Module: Instantiating module "expiration" from file 
> /usr/local/etc/raddb/modules/expiration
>   expiration {
>         reply-message = "Password Has Expired  "
>   }
>  Module: Linked to module rlm_logintime
>  Module: Instantiating module "logintime" from file 
> /usr/local/etc/raddb/modules/logintime
>   logintime {
>         reply-message = "You are calling outside your allowed timespan  "
>         minimum-timeout = 60
>   }
>  }
> radiusd: #### Loading Virtual Servers ####
> server { # from file /usr/local/etc/raddb/radiusd.conf
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Linked to module rlm_pap
>  Module: Instantiating module "pap" from file 
> /usr/local/etc/raddb/modules/pap
>   pap {
>         encryption_scheme = "auto"
>         auto_header = no
>   }
>  Module: Linked to module rlm_chap
>  Module: Instantiating module "chap" from file 
> /usr/local/etc/raddb/modules/chap
>  Module: Linked to module rlm_mschap
>  Module: Instantiating module "mschap" from file 
> /usr/local/etc/raddb/modules/mschap
>   mschap {
>         use_mppe = yes
>         require_encryption = no
>         require_strong = no
>         with_ntdomain_hack = no
>         allow_retry = yes
>   }
>  Module: Linked to module rlm_digest
>  Module: Instantiating module "digest" from file 
> /usr/local/etc/raddb/modules/digest
>  Module: Linked to module rlm_unix
>  Module: Instantiating module "unix" from file 
> /usr/local/etc/raddb/modules/unix
>   unix {
>         radwtmp = "/usr/local/var/log/radius/radwtmp"
>   }
>  Module: Linked to module rlm_eap
>  Module: Instantiating module "eap" from file 
> /usr/local/etc/raddb/eap.conf
>   eap {
>         default_eap_type = "md5"
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         max_sessions = 4096
>   }
>  Module: Linked to sub-module rlm_eap_md5
>  Module: Instantiating eap-md5
>  Module: Linked to sub-module rlm_eap_leap
>  Module: Instantiating eap-leap
>  Module: Linked to sub-module rlm_eap_gtc
>  Module: Instantiating eap-gtc
>    gtc {
>         challenge = "Password: "
>         auth_type = "PAP"
>    }
>  Module: Linked to sub-module rlm_eap_tls
>  Module: Instantiating eap-tls
>    tls {
>         rsa_key_exchange = no
>         dh_key_exchange = yes
>         rsa_key_length = 512
>         dh_key_length = 512
>         verify_depth = 0
>         CA_path = "/usr/local/etc/raddb/certs"
>         pem_file_type = yes
>         private_key_file = "/usr/local/etc/raddb/certs/server.pem"
>         certificate_file = "/usr/local/etc/raddb/certs/server.pem"
>         CA_file = "/usr/local/etc/raddb/certs/ca.pem"
>         private_key_password = "whatever"
>         dh_file = "/usr/local/etc/raddb/certs/dh"
>         random_file = "/usr/local/etc/raddb/certs/random"
>         fragment_size = 1024
>         include_length = yes
>         check_crl = no
>         cipher_list = "DEFAULT"
>         make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
>     cache {
>         enable = no
>         lifetime = 24
>         max_entries = 255
>     }
>     verify {
>     }
>     ocsp {
>         enable = no
>         override_cert_url = yes
>         url = "http://127.0.0.1/ocsp/"
>     }
>    }
>  Module: Linked to sub-module rlm_eap_ttls
>  Module: Instantiating eap-ttls
>    ttls {
>         default_eap_type = "md5"
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>         include_length = yes
>    }
>  Module: Linked to sub-module rlm_eap_peap
>  Module: Instantiating eap-peap
>    peap {
>         default_eap_type = "mschapv2"
>         copy_request_to_tunnel = yes
>         use_tunneled_reply = yes
>         proxy_tunneled_request_as_eap = no
>         virtual_server = "proxy-inner-tunnel"
>         soh = no
>    }
>  Module: Linked to sub-module rlm_eap_mschapv2
>  Module: Instantiating eap-mschapv2
>    mschapv2 {
>         with_ntdomain_hack = no
>         send_error = no
>    }
>  Module: Checking authorize {...} for more modules to load
>  Module: Linked to module rlm_preprocess
>  Module: Instantiating module "preprocess" from file 
> /usr/local/etc/raddb/modules/preprocess
>   preprocess {
>         huntgroups = "/usr/local/etc/raddb/huntgroups"
>         hints = "/usr/local/etc/raddb/hints"
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>         with_ntdomain_hack = no
>         with_specialix_jetstream_hack = no
>         with_cisco_vsa_hack = no
>         with_alvarion_vsa_hack = no
>   }
>  Module: Linked to module rlm_realm
>  Module: Instantiating module "suffix" from file 
> /usr/local/etc/raddb/modules/realm
>   realm suffix {
>         format = "suffix"
>         delimiter = "@"
>         ignore_default = no
>         ignore_null = no
>   }
>  Module: Linked to module rlm_files
>  Module: Instantiating module "files" from file 
> /usr/local/etc/raddb/modules/files
>   files {
>         usersfile = "/usr/local/etc/raddb/users"
>         acctusersfile = "/usr/local/etc/raddb/acct_users"
>         preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>         compat = "no"
>   }
>  Module: Checking preacct {...} for more modules to load
>  Module: Linked to module rlm_acct_unique
>  Module: Instantiating module "acct_unique" from file 
> /usr/local/etc/raddb/modules/acct_unique
>   acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
> Client-IP-Address, NAS-Port"
>   }
>  Module: Checking accounting {...} for more modules to load
>  Module: Linked to module rlm_detail
>  Module: Instantiating module "detail" from file 
> /usr/local/etc/raddb/modules/detail
>   detail {
>         detailfile = 
> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>         header = "%t"
>         detailperm = 384
>         dirperm = 493
>         locking = no
>         log_packet_header = no
>   }
>  Module: Linked to module rlm_radutmp
>  Module: Instantiating module "radutmp" from file 
> /usr/local/etc/raddb/modules/radutmp
>   radutmp {
>         filename = "/usr/local/var/log/radius/radutmp"
>         username = "%{User-Name}"
>         case_sensitive = yes
>         check_with_nas = yes
>         perm = 384
>         callerid = yes
>   }
>  Module: Linked to module rlm_attr_filter
>  Module: Instantiating module "attr_filter.accounting_response" from 
> file /usr/local/etc/raddb/modules/attr_filter
>   attr_filter attr_filter.accounting_response {
>         attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
>         key = "%{User-Name}"
>   }
>  Module: Checking session {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  Module: Instantiating module "attr_filter.access_reject" from file 
> /usr/local/etc/raddb/modules/attr_filter
>   attr_filter attr_filter.access_reject {
>         attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
>         key = "%{User-Name}"
>   }
>  } # modules
> } # server
> server proxy-inner-tunnel { # from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Checking authorize {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  } # modules
> } # server
> server inner-tunnel { # from file 
> /usr/local/etc/raddb/sites-enabled/inner-tunnel
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Checking authorize {...} for more modules to load
>  Module: Checking session {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>         type = "auth"
>         ipaddr = *
>         port = 0
> }
> listen {
>         type = "acct"
>         ipaddr = *
>         port = 0
> }
> listen {
>         type = "control"
>  listen {
>         socket = "/usr/local/var/run/radiusd/radiusd.sock"
>  }
> }
> listen {
>         type = "auth"
>         ipaddr = 127.0.0.1
>         port = 18120
> }
>  ... adding new socket proxy address * port 44579
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /usr/local/var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server 
> inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
>
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=198, length=152
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 0x02010009016d657275
>         Message-Authenticator = 0x960d94c0685c6dd5ba509de67f73d37a
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 9
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 198 to 172.18.10.13 port 48852
>         EAP-Message = 0x0102001604109fe03af8d36fe702cf4550cf1f8c0622
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7afde108730ebe85102c777b46
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=199, length=167
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 0x020200060319
>         State = 0xfde30c7afde108730ebe85102c777b46
>         Message-Authenticator = 0x9f1b4526ff2f96a96aae56daf8c0c317
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 2 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/peap
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 199 to 172.18.10.13 port 48852
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7afce015730ebe85102c777b46
> Finished request 1.
> Going to the next request
> Waking up in 4.8 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=200, length=243
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 
> 0x0203005219800000004816030100430100003f03014c32bfcfbdd3039d0bcab75c921dd349c355de3f12bc41174c7fdd579d1e3c9200001800390038003300320016001300660035002f000a000500040100
>         State = 0xfde30c7afce015730ebe85102c777b46
>         Message-Authenticator = 0xcb652a53a53fcfdfa58375d9b220dd1f
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 3 length 82
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 72
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0043], ClientHello
> [peap]     TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap]     TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 085e], Certificate
> [peap]     TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
> [peap]     TLS_accept: SSLv3 write key exchange A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap]     TLS_accept: SSLv3 write server done A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     TLS_accept: Need to read more data: SSLv3 read client 
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 200 to 172.18.10.13 port 48852
>         EAP-Message = 
> 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
>         EAP-Message = 
> 0x301e170d3131303730353133343634375a170d3132303730343133343634375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c62489fe8f25360bcf54e00e5504239ff4a63a0527f6a6a3056b6c5acee49a33fa8876b189c35a2995c50e04c5228612d1d4786d0ae26d91876ecc895ccb
>         EAP-Message = 
> 0x32872a0bbdd7c8b7c1a174e096e7b018f8f0bf7baf0ae841dd934974f5bcfff09a0183ced606e5862cb0c306cedc7d566f0433d59da9b782dbdd5200473b793b5f54672bc83e38ff345224996e3f80bc10162ebd81809ac1eb27c50cfd44d5a25268be450b5c3bc19d2a7213a0210f6a98d0a4b2bc9b8bdb7b13c20d93fe5e502d4a54483cdf5f0cea7dbd00f94247418293b57d04dfb3b950afb1d1a537b72e4e61f88cb4983152cf0e9aa6f6137a870a7dea3061c504af04f0f328cc63e1cff4550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101007b97bb0db325b70a48
>         EAP-Message = 
> 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
>         EAP-Message = 0xa73082038fa0030201020209
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7affe715730ebe85102c777b46
> Finished request 2.
> Going to the next request
> Waking up in 4.7 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=201, length=167
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 0x020400061900
>         State = 0xfde30c7affe715730ebe85102c777b46
>         Message-Authenticator = 0xb44bb5aa230ad5e60d13eddafd1dbe7c
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 201 to 172.18.10.13 port 48852
>         EAP-Message = 
> 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
>         EAP-Message = 
> 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a90f1b4e1a7a1f8b41485334f6fcb4be169ba9f5fe114d0b0a1bc70eef1462c110b6e20ce17292c98beb45757e3b9b936eacbd0125080b244f9d776f0f0406abcc2fd33fd75c72fa4fe73532404acc189f8b663bd94ffecb37ad0a83f0a510e92b35ad219ac275d4fae60a8cbe47d8
>         EAP-Message = 
> 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
>         EAP-Message = 
> 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
>         EAP-Message = 0xe005f788e24cb66e
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7afee615730ebe85102c777b46
> Finished request 3.
> Going to the next request
> Waking up in 4.6 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=202, length=167
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 0x020500061900
>         State = 0xfde30c7afee615730ebe85102c777b46
>         Message-Authenticator = 0xe812ebc412f80a25bd7498462aa6e62b
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 5 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 202 to 172.18.10.13 port 48852
>         EAP-Message = 
> 0xf39b55d3596d9bc06850cc9c280dbf6d24f184fe467b90eefb82ae300805a960cd120caeb2b25d9cc64ec6a159c8bc689297e0f7e839ae89defb0001020080b9306e9f87fa00bb87ab9eaa2de2397c994a34a022fafc638aa95eb6e027a8b7ce8388e02d2059a8fcb2a166325998c894cef051b5a5fb688119391fc6ff5a9252191c6ffbdf22762b1b4f3bd5351bb1e94e04e9b71ac318acc8d993140cd8c54e50f583db0dd6c717123d98bb965470aea9eda8dda4bf76717d9f6db1dae8b60100ad862e37923fd73a6b93a8e135f62aa075a591f7ff6b5b147499e74a5895975e758ec48330cc84ea86cda010de172c7438d4fb7bf7f4bb1c28e82575
>         EAP-Message = 
> 0x3f7656fad6b6db3b6aabdf97a039bc944b257676000e58f16d041545e8fe965412ce2178d6a7ae69499986dfe99ff955bfb985a49e9d05107ad218622a99f5d29a5bfe8d3acfc5f156e04d700d611c1d5cb3e00e6ba986f8bf5b236c8741b5fa3293ddae6e0279c613fdd72d68af1f6ad512d9b858f59dae29a4b945235c89fe55ce40e14b58dc51c80f253c9a3e8ecfdf22fab4d162dbc87ebb06093cd02e3dd6bae646050ab8642ecf14213423f142f8ea4d35243dd51660446270dbdf7fd2ef48280b16030100040e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7af9e515730ebe85102c777b46
> Finished request 4.
> Going to the next request
> Waking up in 4.5 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=203, length=369
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 
> 0x020600d01980000000c616030100861000008200809a0c1bb68594ead0d108df37ab090c5ae82bbe69eee7b73f693f11bc68cd29f637eb8f4faf9a272f513c954cfcea094707e2af32c4e2b55d3a646126d249fd5fb7e1bd4e8288bf086aae28b808135864eb005218ea8d9a54481f4d43c7fb5368814aaac3a63100a32249d7e68f3b9dccf0d922c2d12c9c2b146232e496fe0bc81403010001011603010030840c77df284213f438f3551d62a3d4c9470e0ea6366e1b39d34f137f5c78d2891eb30875669d688fccf0e61e1da243c6
>         State = 0xfde30c7af9e515730ebe85102c777b46
>         Message-Authenticator = 0x88bb2bb9ca1a313aee2de681d281f0c3
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 208
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 198
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap]     TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap]     TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: SSLv3 write finished A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 203 to 172.18.10.13 port 48852
>         EAP-Message = 
> 0x01070041190014030100010116030100303b23c31a29c705c25db0839a53e947b05d465fbd30c13653d3b8352bd088325b17a3151fd321e457c5d469e8ca818560
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7af8e415730ebe85102c777b46
> Finished request 5.
> Going to the next request
> Waking up in 4.4 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=204, length=167
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 0x020700061900
>         State = 0xfde30c7af8e415730ebe85102c777b46
>         Message-Authenticator = 0xb1f44972992610c36bf8c5898b636d38
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state TUNNEL ESTABLISHED
> ++[eap] returns handled
> Sending Access-Challenge of id 204 to 172.18.10.13 port 48852
>         EAP-Message = 
> 0x0108002b190017030100206d1d6355f7e57d3754317857539e1a39325b6ecef30c90efef64a20af81c024f
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7afbeb15730ebe85102c777b46
> Finished request 6.
> Going to the next request
> Waking up in 4.3 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=205, length=204
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 
> 0x0208002b19001703010020625a119fe356dba5d6f7cf76e4d054c2241fb52f16778532b4f8004d14d1d4a6
>         State = 0xfde30c7afbeb15730ebe85102c777b46
>         Message-Authenticator = 0x2c2cd6601cd01b1317d2dc7594348bc0
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state WAITING FOR INNER IDENTITY
> [peap] Identity - meru
> [peap] Got inner identity 'meru'
> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
>         EAP-Message = 0x02080009016d657275
> server  {
> [peap] Setting User-Name to meru
> Sending tunneled request
>         EAP-Message = 0x02080009016d657275
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
> server proxy-inner-tunnel {
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authorize {...}
> ++[control] returns notfound
> } # server proxy-inner-tunnel
> [peap] Got tunneled reply code 0
>   PEAP: Calling authenticate in order to initiate tunneled EAP session.
> # Executing group from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
>     PEAP: Cancelling proxy to realm DEVLAB until the tunneled EAP 
> session has been established
> [peap] Got tunneled reply RADIUS code 11
>         EAP-Message = 
> 0x0109001e1a01090019105ba435e766423f0a72c901045f0a25886d657275
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 205 to 172.18.10.13 port 48852
>         EAP-Message = 
> 0x0109003b1900170301003089452af1f3e64ab01e961a4b2dc9b0c13a90fc86e1da452b46c781c6c3aa4e465324742d29a8a5983bddf45bec669947
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7afaea15730ebe85102c777b46
> Finished request 7.
> Going to the next request
> Waking up in 4.2 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=206, length=252
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 
> 0x0209005b19001703010050934ee8273bff98e2ce4cd7af01b43419b36b17024edcb9e1f3fb99cb52c22c03c0b565e7a69dbe1424a68753ec8c2f2a596ac4a666a04d1dc85112f833bda916d4fcec71ffe2ee65140c2e8d059be1b0
>         State = 0xfde30c7afaea15730ebe85102c777b46
>         Message-Authenticator = 0x891db7ed9a95c5ffd9b0b427cac19ead
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 9 length 91
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
>         EAP-Message = 
> 0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
> server  {
> [peap] Setting User-Name to meru
> Sending tunneled request
>         EAP-Message = 
> 0x0209003f1a0209003a3189b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8006d657275
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "meru"
>         State = 0xd4dbdf6bd4d2c5452b3f3ec10bc32a7c
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
> server proxy-inner-tunnel {
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authorize {...}
> ++[control] returns notfound
> } # server proxy-inner-tunnel
> [peap] Got tunneled reply code 0
>   PEAP: Calling authenticate in order to initiate tunneled EAP session.
> # Executing group from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap]   Not-EAP proxy set.  Not composing EAP
> ++[eap] returns handled
>   PEAP: Tunneled authentication will be proxied to DEVLAB
>   PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
> [eap]   Tunneled session will be proxied.  Not doing EAP.
> ++[eap] returns handled
>   WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 61 to 172.19.6.4 port 1812
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
>         MS-CHAP2-Response = 
> 0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
>         Proxy-State = 0x323036
> Proxying request 8 to home server 172.19.6.4 port 1812
> Sending Access-Request of id 61 to 172.19.6.4 port 1812
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         MS-CHAP-Challenge = 0x5ba435e766423f0a72c901045f0a2588
>         MS-CHAP2-Response = 
> 0x096589b9b07dd80ec546dc6e53d639c2964b00000000000000001e004f700b8f899e45e562bc9489b09059eed69663519cb8
>         Proxy-State = 0x323036
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, 
> length=252
>         Proxy-State = 0x323036
>         Session-Timeout = 300
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "12"
>         Tunnel-Type:0 = VLAN
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Class = 
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
>         MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
>         MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
>         MS-CHAP2-Success = 
> 0x09533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
>         MS-CHAP-Domain = "\tDEV"
> # Executing section post-proxy from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-proxy {...}
> [eap] Doing post-proxy callback
> [eap] Passing reply from proxy back into the tunnel.
> server proxy-inner-tunnel {
> [eap] Passing reply back for EAP-MS-CHAP-V2
> # Executing section post-proxy from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group post-proxy {...}
> [eap] Doing post-proxy callback
>   rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 
> 0x8c91600 2.
>   rlm_eap_mschapv2: Authentication succeeded.
> MSCHAP Success
> ++[eap] returns ok
>   WARNING: Empty post-auth section.  Using default return values.
> } # server proxy-inner-tunnel
> [eap] Final reply from tunneled session code 11
>         Proxy-State = 0x323036
>         Session-Timeout = 300
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "12"
>         Tunnel-Type:0 = VLAN
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Class = 
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
>         MS-CHAP-Domain = "\tDEV"
>         EAP-Message = 
> 0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
> [eap] Got reply 11
> [eap] Got tunneled reply RADIUS code 11
>         Proxy-State = 0x323036
>         Session-Timeout = 300
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "12"
>         Tunnel-Type:0 = VLAN
>         Framed-Protocol = PPP
>         Service-Type = Framed-User
>         Class = 
> 0xc9200b0c0000013700011700fe8000000000000080c45c2695c095c501cc37ebc8773ae80000000000000375
>         MS-CHAP-Domain = "\tDEV"
>         EAP-Message = 
> 0x010a00331a0309002e533d45443743394537393743444439334244463930453946394243393236363844304543394330423537
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
> [eap] Got tunneled Access-Challenge
> [eap] Saving tunneled attributes for later
> [eap] Reply was handled
> ++[eap] returns ok
> Sending Access-Challenge of id 206 to 172.18.10.13 port 48852
>         EAP-Message = 
> 0x010a005b1900170301005017c5dbce0bb69cfd09fd41a5773d61f811bcf2ce164c32346899a98a231010fef71b89c1aed9412bc615a0d2c86595e420e4bd7f3538b748e8825b5f7c275e51bab5a82ae5c4c15e303ccdbd9e909e1a
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7af5e915730ebe85102c777b46
> Finished request 8.
> Going to the next request
> Waking up in 4.1 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=207, length=204
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 
> 0x020a002b1900170301002010d201aca04a28ed500660ad0ea279183cf64cf8c3a2e5946a86d43567c9b7f7
>         State = 0xfde30c7af5e915730ebe85102c777b46
>         Message-Authenticator = 0xab4fe0c669c7850b88ad0a2ede3087e2
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 10 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
>         EAP-Message = 0x020a00061a03
> server  {
> [peap] Setting User-Name to meru
> Sending tunneled request
>         EAP-Message = 0x020a00061a03
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "meru"
>         State = 0xd4dbdf6bd5d1c5452b3f3ec10bc32a7c
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
> server proxy-inner-tunnel {
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authorize {...}
> ++[control] returns notfound
> } # server proxy-inner-tunnel
> [peap] Got tunneled reply code 0
>   PEAP: Calling authenticate in order to initiate tunneled EAP session.
> # Executing group from file 
> /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> [peap] Got tunneled reply RADIUS code 2
>         MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
>         MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
>         EAP-Message = 0x030a0004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "meru"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> [peap] Saving tunneled attributes for later
> ++[eap] returns handled
> Sending Access-Challenge of id 207 to 172.18.10.13 port 48852
>         EAP-Message = 
> 0x010b002b19001703010020972594e10347244aac063470d19ff9c07f0b89472a6262ae06b555a8f266d39c
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xfde30c7af4e815730ebe85102c777b46
> Finished request 9.
> Going to the next request
> Waking up in 4.0 seconds.
> rad_recv: Access-Request packet from host 172.18.10.13 port 48852, 
> id=208, length=204
>         User-Name = "meru"
>         NAS-IP-Address = 172.18.10.13
>         NAS-Port = 2049
>         Called-Station-Id = "00-90-0B-0A-9A-90:Starnet"
>         Calling-Station-Id = "00-1A-73-9D-9D-02"
>         Framed-MTU = 1250
>         NAS-Port-Type = Wireless-802.11
>         Framed-Compression = None
>         Connect-Info = "CONNECT 802.11a"
>         Chargeable-User-Identity = "\\0"
>         EAP-Message = 
> 0x020b002b1900170301002079ae2531cb0c20ac94b1150652cc1a83e2ebe697fe10e6d64b4a03ffd8f8bae1
>         State = 0xfde30c7af4e815730ebe85102c777b46
>         Message-Authenticator = 0xc8d498ff15ea96988f74edada8e319c1
> # Executing section authorize from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "meru", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 11 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state send tlv success
> [peap] Received EAP-TLV response.
> [peap] Success
> [peap] Using saved attributes from the original Access-Accept
>         User-Name = "meru"
> [eap] Freeing handler
> ++[eap] returns ok
> # Executing section post-auth from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 208 to 172.18.10.13 port 48852
>         User-Name = "meru"
>         MS-MPPE-Recv-Key = 
> 0x6c6c3b63a0c60545b9838c0cc766db98987516f92c12bac6bb6694acd4defe16
>         MS-MPPE-Send-Key = 
> 0xbcb242cdac92ca3620e6a660d60e3838acbeddaef9b8766121730c7a4f2f0f79
>         EAP-Message = 0x030b0004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 10.
> Going to the next request
> Waking up in 3.9 seconds.
> Cleaning up request 0 ID 198 with timestamp +37
> Waking up in 0.1 seconds.
> Cleaning up request 1 ID 199 with timestamp +37
> Waking up in 0.1 seconds.
> Cleaning up request 2 ID 200 with timestamp +38
> Cleaning up request 3 ID 201 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 4 ID 202 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 5 ID 203 with timestamp +38
> Cleaning up request 6 ID 204 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 7 ID 205 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 8 ID 206 with timestamp +38
> Cleaning up request 9 ID 207 with timestamp +38
> Waking up in 0.1 seconds.
> Cleaning up request 10 ID 208 with timestamp +38
> Ready to process requests.
> -----------------------------------------------
>
> Please help.
>
> -- 
> Nitin.
>

Hi,

Found out that this works perfectly fine in FreeRADIUS 3.0.0 (master git 
branch).
Can anyone please suggest which patches I need to back-port to 2.1.11 to 
make this work in the 2.1.x branch too?

--
Thanks,
Nitin.
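As an added troubleshooting aid, not part of the post or of FreeRADIUS itself, the script below parses `radiusd -X` output like the above and lists the attributes of the home server's Access-Accept that are absent from the Access-Accept finally sent to the NAS. The embedded debug lines are a constructed, abridged excerpt modelled on the post's output (addresses and attribute names as in the post, hex values shortened).

```python
import re
from typing import Dict, List, Tuple

# Constructed, abridged excerpt modelled on the radiusd -X output in the post: the
# home server's Access-Accept and the Access-Accept finally sent to the NAS.
SAMPLE_DEBUG = r"""
rad_recv: Access-Accept packet from host 172.19.6.4 port 1812, id=61, length=252
        Proxy-State = 0x323036
        Session-Timeout = 300
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "12"
        Tunnel-Type:0 = VLAN
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Class =
0xc9200b0c0000013700011700
        MS-MPPE-Recv-Key = 0x7bc8d45a5aca15f9dabb55d02ecd8dab
        MS-MPPE-Send-Key = 0x5ae7592c6feef640cc81d0b52d667f63
        MS-CHAP2-Success = 0x09533d4544
        MS-CHAP-Domain = "\tDEV"
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
Sending Access-Accept of id 208 to 172.18.10.13 port 48852
        User-Name = "meru"
        MS-MPPE-Recv-Key = 0x6c6c3b63a0c60545
        MS-MPPE-Send-Key = 0xbcb242cdac92ca36
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
"""

PACKET_RE = re.compile(
    r"^(?:rad_recv: (?P<rcode>Access-\S+) packet from host (?P<src>\S+) port \d+, id=(?P<rid>\d+)"
    r"|Sending (?P<scode>Access-\S+) of id (?P<sid>\d+) to (?P<dst>\S+) port \d+)"
)
# Indented "Name = value" attribute lines that follow a packet header.
AVP_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+(?::\d+)?)\s*=\s*(?P<value>.*)$")

# Expected to differ between inner and outer Access-Accept: PEAP derives the outer MPPE
# keys from the TLS tunnel, EAP-MSCHAPv2 consumes MS-CHAP2-Success, the rest are per-hop.
PER_HOP = {"Proxy-State", "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key",
           "MS-CHAP2-Success", "EAP-Message", "Message-Authenticator"}


def parse_packets(debug_text: str) -> List[Dict]:
    """Extract every RADIUS packet and its attribute list from debug output.
    Handles a mailing-list quote prefix ("> ") and values wrapped onto the next line."""
    packets: List[Dict] = []
    current = None
    lines = [l[2:] if l.startswith("> ") else l for l in debug_text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        m = PACKET_RE.match(line)
        if m:
            if m.group("rcode"):
                current = {"dir": "recv", "code": m.group("rcode"),
                           "peer": m.group("src"), "id": int(m.group("rid")), "avps": []}
            else:
                current = {"dir": "send", "code": m.group("scode"),
                           "peer": m.group("dst"), "id": int(m.group("sid")), "avps": []}
            packets.append(current)
        elif current is not None:
            a = AVP_RE.match(line)
            if a:
                value = a.group("value").strip()
                if value == "" and i + 1 < len(lines):  # value wrapped onto the next line
                    i += 1
                    value = lines[i].strip()
                current["avps"].append((a.group("name"), value))
            elif line.strip():
                current = None  # any other non-blank line ends the packet's attribute list
        i += 1
    return packets


def dropped_attributes(packets: List[Dict], home_server: str, nas: str) -> List[Tuple[str, str]]:
    """Attributes in the home server's last Access-Accept absent from the last one sent to the NAS."""
    accepts = [p for p in packets if p["code"] == "Access-Accept"]
    from_home = [p for p in accepts if p["dir"] == "recv" and p["peer"] == home_server]
    to_nas = [p for p in accepts if p["dir"] == "send" and p["peer"] == nas]
    if not from_home or not to_nas:
        raise ValueError("need an Access-Accept from the home server and one sent to the NAS")
    delivered = {name for name, _ in to_nas[-1]["avps"]}
    return [(n, v) for n, v in from_home[-1]["avps"]
            if n not in delivered and n not in PER_HOP]


if __name__ == "__main__":
    print(dropped_attributes(parse_packets(SAMPLE_DEBUG), "172.19.6.4", "172.18.10.13"))
```

Feed it the full debug output (quoted or not) and pass the home server and NAS addresses seen in the log; Class, Session-Timeout and the Tunnel-* attributes showing up in the result is exactly the symptom described in the post.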
