Radius not accepting user
Matthew Boyle
matthewcboyle at gmail.com
Thu Mar 3 22:07:39 CET 2011
Hi,
I'm having a problem with my radius server with TLS and TTLS
authentication protocols. My current configuration works with simple
MD5 and PEAP but fails with TLS and TTLS. I am using freeradius
v2.1.10.
Previously I was using freeradius v2.1.9 on a different Linux box and
didn't have the same problems. At the time I was successfully using
the same configuration files for all the protocols. I can't figure
out what is different now.
The client is not a Windows platform either, so I don't think it's the
common Windows issues mentioned on the FAQ, even though the warning
message within the output would imply this. Again, I never saw this
problem when running with the older v2.1.9 version of freeradius.
As suggested on the wiki, I have included the suggested output below.
Thanks.
Matt
The contents of my users file:
testuser Cleartext-Password := "whatever"
# md5 user
user2 Cleartext-Password := "testing"
user3 Cleartext-Password := "testing"
The output of my radtest:
csahwreg4:/users/mboyle/ws/gash_main/testsuites/dot1x[84]> radtest -d
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/default/ testuser
whatever localhost 1812 testing123
Sending Access-Request of id 4 to 127.0.0.1 port 1812
User-Name = "testuser"
User-Password = "whatever"
NAS-IP-Address = 138.120.210.28
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=4, length=20
csahwreg4:/users/mboyle/ws/gash_main/testsuites/dot1x[85]>
The debug output of the radiusd command:
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 1
2010 at 11:19:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/radiusd.conf
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/proxy.conf
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/clients.conf
including files in directory
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_rewrite
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/krb5
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/linelog
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/sql_log
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expr
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/inner-eap
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/chap
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ippool
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ntlm_auth
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/files
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/preprocess
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/smbpasswd
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/echo
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/pam
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mac2ip
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/pap
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/counter
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mschap
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/sradutmp
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/checkval
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mac2vlan
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/logintime
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/passwd
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/radutmp
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/cui
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/acct_unique
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/otp
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/unix
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/always
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/exec
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expiration
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/digest
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ldap
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/smsotp
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/policy
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/realm
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_filter
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/wimax
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/perl
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/etc_group
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail.example.com
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/sqlcounter_expire_on_login
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail.log
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/eap.conf
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/policy.conf
including files in directory
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/control-socket
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
including configuration file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/dictionary
main {
prefix = "/usr/global"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/global/lib/freeradius-2.1.10"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run//radiusd.pid"
checkrad = "/usr/global/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
login = "!root"
password = "someadminpas"
}
client 192.168.255.0/24 {
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file =
"/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/server.pem"
certificate_file =
"/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/server.pem"
CA_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/dh"
random_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command =
"/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/files
files {
usersfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/users"
acctusersfile =
"/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/acct_users"
preproxy_usersfile =
"/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/preprocess
preprocess {
huntgroups = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/huntgroups"
hints = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.255.1 port 49312,
id=119, length=93
User-Name = "testuser"
NAS-IP-Address = 138.120.210.29
NAS-Port = 38010880
State = 0xdd49e7f3de30fe9757a3fc0fc6955614
EAP-Message = 0x0277000d017465737475736572
Message-Authenticator = 0xb349b01f57c2fe1a0aec36df96359f1c
# Executing section authorize from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 119 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry testuser at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.255.1 port 49312
EAP-Message = 0x017800061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xec965d8cecee44fb4d8bbceb4458d522
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.1 port 49312,
id=119, length=192
Cleaning up request 0 ID 119 with timestamp +28
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xec965d8cecee44fb did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "testuser"
NAS-IP-Address = 138.120.210.29
NAS-Port = 38010880
State = 0xec965d8cecee44fb4d8bbceb4458d522
EAP-Message = 0x0278007019800000006616030100610100005d03014d70058ee0655af152c0e724b6741c74136e3d548354be1e963f370b2234bf2d00003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
Message-Authenticator = 0x42d70e806767446718452f51ccc1e5e5
# Executing section authorize from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 120 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.255.1 port 49312
EAP-Message = 0x0179040019c000000a2d160301002a0200002603014d700273dfcb6b7bc149262d1830dad9b1e18fabc701dea59587d18b401b5e9200003900160301085e0b00085a0008570003a6308203a23082028aa003020102020102300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xec965d8cedef44fb4d8bbceb4458d522
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.1 port 49312,
id=119, length=86
Cleaning up request 1 ID 119 with timestamp +28
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xec965d8cedef44fb did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "testuser"
NAS-IP-Address = 138.120.210.29
NAS-Port = 38010880
State = 0xec965d8cedef44fb4d8bbceb4458d522
EAP-Message = 0x027900061900
Message-Authenticator = 0x6c18d5570978030e54e5db55c56387b4
# Executing section authorize from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 121 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.255.1 port 49312
EAP-Message = 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
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dc6ea4edbe4db69d4bd69d326323cdedb3338ff5723be976695f323d78072114aa95dfc6cd2eb3f53e9cf87b6b05c13fffed7ec3552718903d63183b44a709850c570d5a48f0f18ee99ea8c6cb909d77e9d96b49f730d5ee478a9f81c539a76e33d48787295893ef62391296c2db52
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0xee81783cfb132a81
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xec965d8ceeec44fb4d8bbceb4458d522
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.1 port 49312,
id=119, length=86
Cleaning up request 2 ID 119 with timestamp +28
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xec965d8ceeec44fb did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "testuser"
NAS-IP-Address = 138.120.210.29
NAS-Port = 38010880
State = 0xec965d8ceeec44fb4d8bbceb4458d522
EAP-Message = 0x027a00061900
Message-Authenticator = 0x9254622fc70a462364a5ff4a5ceb68a9
# Executing section authorize from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 122 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.255.1 port 49312
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x93f445f895b15e6bb06aaa7792f8c766d6a64d85d4d023bc2a839709a251c94b7fe2225d0d7964835c1932a401bd967ec6fdca56f22764dbf4af68f26339c25f0dec4ab816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xec965d8cefed44fb4d8bbceb4458d522
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.255.1 port 49312,
id=119, length=97
Cleaning up request 3 ID 119 with timestamp +28
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xec965d8cefed44fb did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "testuser"
NAS-IP-Address = 138.120.210.29
NAS-Port = 38010880
State = 0xec965d8cefed44fb4d8bbceb4458d522
EAP-Message = 0x027b001119800000000715030100020233
Message-Authenticator = 0x249feeaa383c0a20a88c331e98abbb41
# Executing section authorize from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 123 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
alert decrypt error
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:decrypt error): [testuser] (from
client 192.168.255.0/24 port 38010880)
Using Post-Auth-Type Reject
# Executing group from file
/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 119 to 192.168.255.1 port 49312
EAP-Message = 0x047b0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 4 ID 119 with timestamp +29
Ready to process requests.
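The EAP-Message attributes in the trace above are the quickest way to see what the supplicant and server actually exchanged, but they are printed as raw hex. The decoder below is an added example (it is not part of the post or of FreeRADIUS) that parses the EAP header (RFC 3748), the fragment header shared by EAP-TLS, EAP-TTLS and PEAP (RFC 5216: L, M and S flags plus the optional total length), and any complete or partial TLS records inside. Run over the values copied from the trace, it shows the Identity response, the PEAP start request, the client's ClientHello, the server's first 1024-byte fragment carrying a complete ServerHello and a cut-off Certificate record, the client's empty ACK, the client's fatal decrypt_error alert (TLS alert 51: a handshake cryptographic operation failed on the client side, for example verifying a signature) and the final EAP-Failure. The hex values come from the trace; the sample list name, function names and comments are this example's own.

```python
"""Decoder for the EAP-Message attributes printed in a FreeRADIUS debug trace.

Added example, not part of the mailing-list post or of FreeRADIUS. It parses
the EAP header (RFC 3748), the EAP-TLS/PEAP/TTLS fragment header (RFC 5216)
and any complete or partial TLS records inside, so the hex blobs in the
trace can be read as handshake messages and alerts.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types; 13, 21 and 25 wrap a TLS stream and share the RFC 5216 fragment header
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
              50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
              80: "internal_error", 90: "user_canceled"}


def decode_tls_records(data):
    """Split raw TLS bytes into records; a record cut off by EAP fragmentation is marked truncated."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"content_type": TLS_CONTENT.get(ctype, ctype),
               "version": "%d.%d" % (major, minor), "length": rlen,
               "truncated": len(body) < rlen}
        if ctype == 22 and body:
            rec["handshake"] = HANDSHAKE.get(body[0], body[0])
        elif ctype == 21 and len(body) >= 2:
            rec["alert"] = "%s %s" % (ALERT_LEVEL.get(body[0], body[0]), ALERT_DESC.get(body[1], body[1]))
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_tls_fragment(payload):
    """RFC 5216 fragment: flags byte (L=0x80, M=0x40, S=0x20), optional 4-byte total length, TLS data."""
    flags = payload[0]
    out = {"flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}}
    pos = 1
    if flags & 0x80:
        out["tls_message_length"] = struct.unpack("!I", payload[1:5])[0]
        pos = 5
    tls = payload[pos:]
    if tls:
        out["tls_records"] = decode_tls_records(tls)
    elif flags == 0:
        out["ack"] = True  # empty fragment with no flags acknowledges the peer's previous fragment
    return out


def decode_eap_message(hex_str):
    """Decode one EAP-Message attribute value as printed by radiusd -X (with or without the 0x prefix)."""
    data = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length != len(data):
        # A fragmented EAP packet spans several EAP-Message attributes; only the first is used here.
        info["note"] = "EAP length %d does not match %d bytes shown" % (length, len(data))
    if code in (1, 2) and len(data) > 4:
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        payload = data[5:]
        if eap_type == 1:
            info["identity"] = payload.decode("ascii", "replace")
        elif eap_type in (13, 21, 25) and payload:
            info.update(decode_tls_fragment(payload))
    return info


# EAP-Message values copied from the trace above, in the order they appear
TRACE_MESSAGES = [
    "0x0277000d017465737475736572",          # client: EAP-Response/Identity
    "0x017800061920",                        # server: PEAP start
    "0x0278007019800000006616030100610100005d03014d70058ee0655af152c0e724b6741c74136e3d548354be1e963f370b2234bf2d00003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100",
    "0x0179040019c000000a2d160301002a0200002603014d700273dfcb6b7bc149262d1830dad9b1e18fabc701dea59587d18b401b5e9200003900160301085e0b00085a0008570003a6308203a23082028aa003020102020102300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479",
    "0x027900061900",                        # client: ACK, asking for the next fragment
    "0x027b001119800000000715030100020233",  # client: TLS alert
    "0x047b0004",                            # server: EAP-Failure
]

if __name__ == "__main__":
    for msg in TRACE_MESSAGES:
        print(decode_eap_message(msg))
```

Decoding the trace this way confirms what the `[eap] EAP/peap` lines already state: the method in use is type 25 (PEAP, the server's `default_eap_type`), and the conversation ends with the client, not the server, sending a fatal alert after receiving the server's certificate and key exchange. When a handshake fails, decoding the last client fragment tells you which side gave up and with which alert, which is the first thing to establish before looking at certificates or cipher settings.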