Simultaneous-Use and UserName sent from NAS
Ziggy Bopster
ziggybopster at gmail.com
Thu Jun 9 21:26:17 CEST 2011
Hello All,
I want to enable Simultaneous-Use for our users. I have been stuck
for many, many days trying to figure this out; any help is greatly
appreciated. This is my first time posting, so sorry if my netiquette
is not correct.
I. Configuration of System:
FreeRADIUS Version 2.1.1, built on May 9 2010 at 12:09:29
Novell SUSE Linux Enterprise Server 11 SP1
Cisco Wireless APs
Cisco Wireless Controller - Cisco 4400 Series
Authentication using Novell e-Directory LDAP
Protocol - EAP-PEAP MSCHAPV2
mysql 5.0.67 is installed and radius database is created with correct schema
II. Description:
I am using FreeRADIUS to authenticate wireless users.
Users are authenticated to the SSID by entering in their LDAP
Username/Password (stored in Novell e-Directory)
The users are using the standard WPA2 client on Windows machines (with
the EAP-PEAP MSCHAPv2 Protocol)
In addition, I have enabled checkval module to Check for Valid MAC
Addresses & DialupAccess=TRUE
III. Problem:
In looking at the debug logs, Accounting-Request packets with randomly
generated UserNames are being sent from the NAS to FreeRADIUS, before
and after the successful authentication of the UserName (ziggy) using
the EAP-PEAP-MSCHAPV2 protocol (during which time the correct UserName
is sent by the NAS). When I issue the radwho command or look at the
RADACCT tables, I see the randomly generated UserNames in both. But
when I check the radpostauth table, I see the UserName (Ziggy) in it.
vm-32laars:/var/tmp # radwho
Login Name What TTY When From Location
8c58770ca7 8c58770ca708 shell S29 Wed 10:55 10.32.156.5
vm-32laars:/var/tmp # radwho
Login Name What TTY When From Location
d830628b05 d830628b050e shell S29 Wed 10:56 10.32.156.5
mysql> select * from radpostauth;
+----+-----------+---------+---------------+---------------------+
| id | username | pass | reply | authdate |
+----+-----------+---------+---------------+---------------------+
| 28 | ziggy | | Access-Accept | 2011-06-08 10:54:22 |
+----+-----------+---------+---------------+---------------------+
mysql> select * from radacct order by RadAcctID desc limit 1;
*************************** 1. row ***************************
           radacctid: 10247
       acctsessionid: 4defbb0d/8c:7b:9d:9f:d4:16/12409
        acctuniqueid: 60370f84e1b169c1
            username: 8c7b9d9fd416
           groupname:
               realm:
        nasipaddress: 10.32.156.5
           nasportid: 29
         nasporttype:
       acctstarttime: 2011-06-08 10:55:51
        acctstoptime: NULL
     acctsessiontime: 0
       acctauthentic: Remote
   connectinfo_start:
    connectinfo_stop:
     acctinputoctets: 0
    acctoutputoctets: 0
     calledstationid: 10.32.156.5
    callingstationid: 0.0.0.0
  acctterminatecause:
         servicetype:
      framedprotocol:
     framedipaddress:
      acctstartdelay: 0
       acctstopdelay: 0
xascendsessionsvrkey:
*************************** 2. row ***************************
           radacctid: 10246
       acctsessionid: 4defb9c7/8c:58:77:0c:a7:08/12392
        acctuniqueid: e19aebd88b0eafbf
            username: 8c58770ca708
           groupname:
               realm:
        nasipaddress: 10.32.156.5
           nasportid: 29
         nasporttype:
       acctstarttime: 2011-06-08 10:50:24
        acctstoptime: 2011-06-08 10:55:37
     acctsessiontime: 313
       acctauthentic: Remote
   connectinfo_start:
    connectinfo_stop:
     acctinputoctets: 21002
    acctoutputoctets: 3206
     calledstationid: 10.32.156.5
    callingstationid: 0.0.0.0
  acctterminatecause: User-Request
         servicetype:
      framedprotocol:
     framedipaddress:
      acctstartdelay: 0
       acctstopdelay: 0
xascendsessionsvrkey: NULL
IV. Questions:
1) Why is the NAS sending so many randomly generated numeric
"UserNames" in the Accounting-Request?
2) How can I get the NAS to send the correct Username (Ziggy) instead
of the randomly generated numbers in the Accounting-Request packets to
update in SQL?
3) I'm confused, should I use radutmp or sql to get Simultaneous-Use
to work? If only sql, can I disable radutmp in the configuration files?
4) What do I need to do to get Simultaneous-Use to work properly?
5) Should the default & inner-tunnel files that have the same
parameters match? (i.e. in authorize {sql} in the default file and the
authorize {sql} in the inner-tunnel file)
6) Why do I see so many packets for Ziggy trying to authenticate just
once? It is not until about Line 1389 in the debug log (see ITEM# 6
below) that the tunnel actually gets established, and the next
packet on Line 1453 has Acct-Status-Type = Start. There are a
total of about 3174 lines for just one login attempt.
V: Configuration relating to Simultaneous-Use:
===================================================================
/etc/raddb/sites-enabled/default
===================================================================
authorize {
preprocess
chap
mschap
suffix
eap {
ok = return
}
unix
ldap
sql
checkval
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
sql
attr_filter.accounting_response
}
session {
radutmp
sql
}
post-auth {
sql
ldap
exec
Post-Auth-Type REJECT {
ldap
attr_filter.access_reject
}
}
pre-proxy {
}
post-proxy {
eap
}
===================================================================
/etc/raddb/sites-enabled/inner-tunnel
===================================================================
authorize {
chap
mschap
unix
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
ldap
#sql
# checkval
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
eap
}
session {
radutmp
sql
}
post-auth {
# sql
# sql_log
ldap
Post-Auth-Type REJECT {
attr_filter.access_reject
ldap
}
update outer.reply {
User-Name = "%{request:User-Name}"
}
}
pre-proxy {
}
post-proxy {
eap
}
} # inner-tunnel server block
===================================================================
/etc/raddb/sql.conf
===================================================================
sql {
database = "mysql"
driver = "rlm_sql_${database}"
server = "localhost"
login = "radius"
password = "password"
radius_db = "radius"
acct_table1 = "radacct"
acct_table2 = "radacct"
postauth_table = "radpostauth"
authcheck_table = "radcheck"
authreply_table = "radreply"
groupcheck_table = "radgroupcheck"
groupreply_table = "radgroupreply"
usergroup_table = "radusergroup"
deletestalesessions = yes
sqltrace = no
sqltracefile = ${logdir}/sqltrace.sql
num_sql_socks = 5
connect_failure_retry_delay = 60
#readclients = yes
nas_table = "nas"
$INCLUDE sql/${database}/dialup.conf
}
===================================================================
/etc/raddb/sql/mysql/dialup.conf
===================================================================
#######################################################################
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query  - query for the number of current connections
#                    - If this is not defined, no simultaneous use checking
#                      will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
#                    - Leave blank or commented out to disable verification step
#                    - Note that the returned field order should not be changed.
#######################################################################
# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, \
nasipaddress, nasportid, framedipaddress, \
callingstationid, framedprotocol \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
===================================================================
/etc/raddb/eap.conf
===================================================================
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = ${certdir}/serverkey.key
certificate_file = ${certdir}/servercert.cert
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
max_entries = 255
}
ttls {
default_eap_type=md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
====================================================
VI: Here is the DEBUG LOG (sorry there are so many lines)
====================================================
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on May 9 2010 at 12:09:29
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.32.156.5/32 {
require_message_authenticator = no
secret = "code"
shortname = "cw32ce0a.wifi.nm.ci.la.ca.us"
nastype = "cisco"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating ldap
ldap {
server = "10.32.197.139"
port = 636
password = "Password"
identity = "cn=admin,o=RALDAP"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = yes
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64"
require_cert = "demand"
}
basedn = "ou=users,o=RALDAP"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "nspmPassword"
auto_header = no
access_attr = "dialupAccess"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0xb7961d90
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radius"
password = "password"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = no
deletestalesessions = yes
num_sql_socks = 5
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET
framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}'
WHERE acctsessionid = '%{Acct-Session-Id}' AND username
= '%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctsessiontime,
acctauthentic, connectinfo_start, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
servicetype, framedprotocol, framedipaddress,
acctstartdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET
acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay)
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32
| '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = "SELECT COUNT(*)
FROM radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS
NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress,
callingstationid, framedprotocol
FROM radacct WHERE
username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_checkval
Module: Instantiating checkval
checkval {
item-name = "Calling-Station-Id"
check-name = "Calling-Station-Id"
data-type = "string"
notfound-reject = yes
}
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=93, length=153
User-Name = "9027e444744e"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address = 10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402",User-Name = "9027e444744e"'
[acct_unique] Acct-Unique-Session-ID = "b893f021ffab4937".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "9027e444744e", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] expand: %t -> Wed Jun 8 10:54:07 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 9027e444744e
++[radutmp] returns ok
[sql] expand: %{User-Name} -> 9027e444744e
[sql] sql_set_user escaped user --> '9027e444744e'
[sql] expand: %{Acct-Delay-Time} ->
[sql] expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 9027e444744e
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 93 to 10.32.156.5 port 32768
Finished request 1.
Cleaning up request 1 ID 93 with timestamp +2
Going to the next request
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=95, length=153
User-Name = "a467068f617f"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4defbaad/a4:67:06:8f:61:7f/12403"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defbaad/a4:67:06:8f:61:7f/12403",User-Name = "a467068f617f"'
[acct_unique] Acct-Unique-Session-ID = "a96fb9b5775cab4f".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "a467068f617f", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] expand: %t -> Wed Jun 8 10:54:14 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> a467068f617f
++[radutmp] returns ok
[sql] expand: %{User-Name} -> a467068f617f
[sql] sql_set_user escaped user --> 'a467068f617f'
[sql] expand: %{Acct-Delay-Time} ->
[sql] expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> a467068f617f
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 95 to 10.32.156.5 port 32768
Finished request 2.
Cleaning up request 2 ID 95 with timestamp +9
Going to the next request
Ready to process requests.
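In the two Accounting-Request packets above the User-Name is the client MAC from Acct-Session-Id with the separators stripped, while the Access-Request that follows carries the real User-Name "ziggy". As an added example (not part of this post and not FreeRADIUS code), a Python audit that parses such radiusd -X output and separates MAC-placeholder accounting records from real user sessions; the Acct-Session-Id layout is assumed from this log only, and all function names are hypothetical:

```python
"""Audit FreeRADIUS debug output for accounting records whose User-Name is
really the client MAC address (as the controller in the post sends before
802.1X completes), so they are not mistaken for real user sessions when
Simultaneous-Use is evaluated against radutmp/radacct.

Assumptions (hypothetical helpers, not FreeRADIUS APIs): the Acct-Session-Id
layout "<hex>/<mac>/<n>" is taken from the post's own log.
"""
import re

# Constructed sample, values copied from the debug output in the post; the
# rad_recv header is kept on one line here (the mail client wrapped it).
SAMPLE_LOG = """\
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=93, length=153
User-Name = "9027e444744e"
NAS-Port = 29
Acct-Session-Id = "4defba9b/90:27:e4:44:74:4e/12402"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
+- entering group preacct {...}
++[preprocess] returns ok
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768, id=95, length=153
User-Name = "a467068f617f"
NAS-Port = 29
Acct-Session-Id = "4defbaad/a4:67:06:8f:61:7f/12403"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
rad_recv: Access-Request packet from host 10.32.156.5 port 32768, id=249, length=184
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Tunnel-Type:0 = VLAN
"""

PACKET_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)')
# "Name = value", "Name = "value"" and tagged "Name:0 = value" attribute lines
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::\d+)? = "?([^"]*)"?\s*$')
# six hex pairs, with or without ":", "-" or "." separators
MAC_RE = re.compile(r'^([0-9a-fA-F]{2}[:.-]?){5}[0-9a-fA-F]{2}$')


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    if not MAC_RE.match(value):
        return None
    return re.sub(r'[:.-]', '', value).lower()


def parse_packets(text):
    """Split radiusd -X output into packets: type, NAS, id and attribute dict."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({'type': m.group(1), 'nas': m.group(2),
                            'id': int(m.group(3)), 'attrs': {}})
            continue
        if packets:
            a = ATTR_RE.match(line)
            if a:
                packets[-1]['attrs'][a.group(1)] = a.group(2)
    return packets


def mac_from_session_id(session_id):
    """Extract the MAC embedded in a "<hex>/<mac>/<n>" Acct-Session-Id, if any."""
    for part in session_id.split('/'):
        mac = normalize_mac(part)
        if mac:
            return mac
    return None


def classify(packet):
    """'mac-placeholder' when User-Name equals the session MAC, 'mac-like' when
    it is a MAC that does not match, otherwise 'user'."""
    attrs = packet['attrs']
    user_mac = normalize_mac(attrs.get('User-Name', ''))
    if user_mac is None:
        return 'user'
    if mac_from_session_id(attrs.get('Acct-Session-Id', '')) == user_mac:
        return 'mac-placeholder'
    return 'mac-like'


def audit(text):
    """One (type, id, User-Name, classification) row per packet in the log."""
    return [(p['type'], p['id'], p['attrs'].get('User-Name'), classify(p))
            for p in parse_packets(text)]


def real_user_sessions(text):
    """Accounting Start records that should count toward Simultaneous-Use."""
    return [p for p in parse_packets(text)
            if p['type'] == 'Accounting-Request'
            and p['attrs'].get('Acct-Status-Type') == 'Start'
            and classify(p) == 'user']


if __name__ == '__main__':
    for row in audit(SAMPLE_LOG):
        print(row)
    print('real user Start records:', len(real_user_sessions(SAMPLE_LOG)))
```

Run against a full debug capture, the audit shows which radacct/radutmp rows were created from MAC placeholders and therefore never match the User-Name the Simultaneous-Use check looks up.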
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=249, length=184
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0202000a017a69676779
Message-Authenticator = 0x2d7411a0a70277876c359c8b4d67b798
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=admin,o=RALDAP/novell to 10.32.197.139:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql] expand: %{User-Name} -> ziggy
[sql] sql_set_user escaped user --> 'ziggy'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'ziggy' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= 'ziggy' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User ziggy not found
++[sql] returns notfound
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8
rlm_checkval: Value Name: Calling-Station-Id, Value: 78-ca-39-b9-12-f9
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-22-fa-a1-ba-e8
++[checkval] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 249 to 10.32.156.5 port 32768
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e623a5da78451212e3283d83
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=250, length=311
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0203007719800000006d16030100680100006403014defbab394ef0bf49e249034a8f7bd9769a69976d1734654ad86542a75ed2b32000018002f00350005000ac013c014c009c00a003200380013000401000023ff010001000000000a00080000057a69676779000a0006000400170018000b00020100
State = 0xe620bc83e623a5da78451212e3283d83
Message-Authenticator = 0x67139174caeb2bd6111e66658ae9da26
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 119
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 109
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0068], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 250 to 10.32.156.5 port 32768
EAP-Message = 0x020004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e724a5da78451212e3283d83
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=251, length=198
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020400061900
State = 0xe620bc83e724a5da78451212e3283d83
Message-Authenticator = 0x05e641c1ed2dbfb0b9a0bc003ded62a0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 251 to 10.32.156.5 port 32768
EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c503568c9100eb4a533106a33bd1908feb4a8324db7e26fb401a9a01bd2f9834a7230b260e386dbecb5726d12d5a360d182bacc25cf8768a8c876598089c054cdf7fdd5b03241a2761a1ca0a970d820f0db8c79c16cc8c2704e0d07f1a9ab05060c7dc42cd01db61
EAP-Message = 0xfd2a7aac200acb6a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e425a5da78451212e3283d83
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=252, length=198
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020500061900
State = 0xe620bc83e425a5da78451212e3283d83
Message-Authenticator = 0x2bd996782a861ab5f0e4318920573ce9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 252 to 10.32.156.5 port 32768
EAP-Message = 0x010600bc1900f2ab17a522f98a0885febb4ff3cb657112b10067895f114462e116b84ff52e461aaa436d80c5cc1184d51c44b67c3c648257a0929a4f6c4d895b47930901d4fe1576ed3296df98e3d9edd900aa0a41a39653932d77f570c5599129b33d1bf32cabf0dffa0ab0c366c5fcdb6f3d65a12df7269b9bb211c9feb0284e064ff51a1eadb7105302f0f2e1a57195e4522c1f26739b2da61de91672163a418fe25d17caa3446a139fed55c8d98cf3b04416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e526a5da78451212e3283d83
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=253, length=530
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x6a0da33f23a3db2b18e6a04e0f1c5821902a7f3b6d0c25a71403010001011603010030a93820cff9e6253dac65d3a219b134eb2fc85813c46c9203fdb38dd047e41e5b182733893ca45f6f4aba93a4d969338c
State = 0xe620bc83e526a5da78451212e3283d83
Message-Authenticator = 0x5fadc4968a75cf5dffcdb32871abe493
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 253 to 10.32.156.5 port 32768
EAP-Message = 0x01070041190014030100010116030100303b450ec40b7584ae543440d814c44ae8e40f26ec51f917cb1bf1ca87ee319929d82566eb8c874843b7f2c270821b9a72
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e227a5da78451212e3283d83
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=254, length=198
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020700061900
State = 0xe620bc83e227a5da78451212e3283d83
Message-Authenticator = 0x6711b49c21e05d9d0471f5cada5a673e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.32.156.5 port 32768
EAP-Message = 0x0108002b19001703010020d615b42fdceaf564c2458858918d9d99fa2a59075262b3b911249b9dbdaf854e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e328a5da78451212e3283d83
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=255, length=235
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0208002b1900170301002080e7daa50845a9cfa553bd5a213b34c81a694936a8086e9c41e845c2ee13adbe
State = 0xe620bc83e328a5da78451212e3283d83
Message-Authenticator = 0xa23930f64ee0f25f0138d3be32faf555
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - ziggy
[peap] Got tunnled request
EAP-Message = 0x0208000a017a69676779
server (null) {
PEAP: Got tunneled identity of ziggy
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to ziggy
Sending tunneled request
EAP-Message = 0x0208000a017a69676779
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37f550df77f9cb88e74ec1077
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0109001f1a0109001a107c3fb260e0ff5fca049a623efeb652427a69676779
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37f550df77f9cb88e74ec1077
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 255 to 10.32.156.5 port 32768
EAP-Message = 0x0109003b190017030100302ea4cc7d7bc8bdbbf752876a38a688a14fd819c650d6a76d55e9711dda0cdde12b238d04624ddc997de86bcd1d6a54a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e029a5da78451212e3283d83
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=0, length=299
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x0209006b190017030100606c7749f02b0698602b4d8c7391ead7367cb14ddbeaa33c1c345483f86a7a61965498be6823c24a50d0ee61499687e9b278e72700e5fb2c48d76db4393365e13bb5624897e58a7160a8164ba77d0ad762ae4dd872fb91b201aea14cdb08b127ec
State = 0xe620bc83e029a5da78451212e3283d83
Message-Authenticator = 0x22d835d6fe511c9016fc9a2b9691f3cb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779
server (null) {
PEAP: Setting User-Name to ziggy
Sending tunneled request
EAP-Message = 0x020900401a0209003b31ba23e5c1721898ca3954317553c86aba0000000000000000bd34249dc56ad087ff883aa9764c69f6d848f370f75db300007a69676779
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ziggy"
State = 0x7f5c17f37f550df77f9cb88e74ec1077
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for ziggy with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37e560df77f9cb88e74ec1077
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00331a0309002e533d35394543324543313042363837423735413339424133433941384445383036433041333933333741
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7f5c17f37e560df77f9cb88e74ec1077
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.32.156.5 port 32768
EAP-Message = 0x010a005b19001703010050c19cd32624e8cddabf0fa2387505602c4bc0164f92e8273d1849e420b04920d6d29e169b5f4fa18e031d3ac445c78f18bcb48b3c63a4cdd5f9dc9e4d07106ec30daedb164ac1fa19c911a240f1447684
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83e12aa5da78451212e3283d83
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=1, length=235
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020a002b1900170301002009cecc97373c0400e41ea22d3d29d81d3ff006fa9ecd4b3afca62b77fa8c953a
State = 0xe620bc83e12aa5da78451212e3283d83
Message-Authenticator = 0xc7631b4d93c923d6460500dd33b4566d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020a00061a03
server (null) {
PEAP: Setting User-Name to ziggy
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ziggy"
State = 0x7f5c17f37e560df77f9cb88e74ec1077
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for ziggy
[ldap] WARNING: Deprecated conditional expansion ":-". See "man
unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=ziggy)
[ldap] expand: ou=users,o=RALDAP -> ou=users,o=RALDAP
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=RALDAP, with filter (cn=ziggy)
[ldap] checking if remote access for ziggy is allowed by dialupAccess
[ldap] Added the eDirectory password ziggy in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "78-ca-39-b9-12-f9"
rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
rlm_ldap: radiusCheckItem -> Calling-Station-Id == "00-22-fa-a1-ba-e8"
[ldap] looking for reply items in directory...
[ldap] user ziggy authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group session {...}
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> ziggy
++[radutmp] returns ok
+- entering group post-auth {...}
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.32.197.139:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to
/etc/raddb/certs/vm-RALDAP01_TRUSTED_ROOT.b64
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=ziggy,ou=users,o=RALDAP/ziggy to 10.32.197.139:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ziggy"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ziggy"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.32.156.5 port 32768
EAP-Message = 0x010b002b1900170301002049a52fa96dcb33d6f581b75f7657e1e6202fd2c7e22308df4d67c837775995ce
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe620bc83ee2ba5da78451212e3283d83
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.32.156.5 port 32768,
id=2, length=235
User-Name = "ziggy"
Calling-Station-Id = "00-22-fa-a1-ba-e8"
Called-Station-Id = "00-19-07-59-e2-c0:SSID-DEPT-SECURE"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
EAP-Message = 0x020b002b19001703010020eea6cdab5fcb5553d5c76ec1ef19d42396ed439a838b0d35367cfdda86fef168
State = 0xe620bc83ee2ba5da78451212e3283d83
Message-Authenticator = 0xa6bc090d74217df806b10f83260e7a30
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ziggy", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> ziggy
[sql] sql_set_user escaped user --> 'ziggy'
[sql] expand: %{User-Password} ->
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'ziggy',
'', 'Access-Accept', '2011-06-08 10:54:22')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'ziggy',
'', 'Access-Accept', '2011-06-08
10:54:22')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[ldap] returns noop
++[exec] returns noop
Sending Access-Accept of id 2 to 10.32.156.5 port 32768
User-Name = "ziggy"
MS-MPPE-Recv-Key =
0x24ed6bc6b1501b91115a0aebb258aa071975a0c24c0b284bafbb36992de2da7c
MS-MPPE-Send-Key =
0xa0a91a481b11147334dc7c5019ac8aa906c8498bc9f165b56fdb1e495a65110c
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 10.32.156.5 port 32768,
id=96, length=153
User-Name = "0018de9a2a1a"
NAS-Port = 29
NAS-IP-Address = 10.32.156.5
NAS-Identifier = "CW32CE0A"
Airespace-Wlan-Id = 1
Acct-Session-Id = "4defbab7/00:18:de:9a:2a:1a/12405"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "342"
Acct-Status-Type = Start
Calling-Station-Id = "0.0.0.0"
Called-Station-Id = "10.32.156.5"
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 29,Client-IP-Address =
10.32.156.5,NAS-IP-Address = 10.32.156.5,Acct-Session-Id =
"4defbab7/00:18:de:9a:2a:1a/12405",User-Name = "0018de9a2a1a"'
[acct_unique] Acct-Unique-Session-ID = "7fab12adbf4fb3ac".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "0018de9a2a1a", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.32.156.5/detail-20110608
[detail] expand: %t -> Wed Jun 8 10:54:25 2011
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> 0018de9a2a1a
++[radutmp] returns ok
[sql] expand: %{User-Name} -> 0018de9a2a1a
[sql] sql_set_user escaped user --> '0018de9a2a1a'
[sql] expand: %{Acct-Delay-Time} ->
[sql] expand: INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> 0018de9a2a1a
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 96 to 10.32.156.5 port 32768
Finished request 13.
Cleaning up request 13 ID 96 with timestamp +20
Going to the next request
Waking up in 2.1 seconds.
Cleaning up request 3 ID 249 with timestamp +17
Cleaning up request 4 ID 250 with timestamp +17
Cleaning up request 5 ID 251 with timestamp +17
Cleaning up request 6 ID 252 with timestamp +17
Cleaning up request 7 ID 253 with timestamp +17
Cleaning up request 8 ID 254 with timestamp +17
Cleaning up request 9 ID 255 with timestamp +17
Cleaning up request 10 ID 0 with timestamp +17
Cleaning up request 11 ID 1 with timestamp +17
Cleaning up request 12 ID 2 with timestamp +17