cisco WAP/FreeRadius/OpenLDAP

Matthew Arguin matt.arguin at currensee.com
Thu Nov 3 21:33:19 CET 2011


looks like removing the 'unix' from the two enabled sites might have 
done the trick.  i have a w7 machine running off of one of the AP's 
using the RADIUS server... more testing next tues.

-m

On 11/3/2011 2:40 PM, freeradius-users-request at lists.freeradius.org wrote:
> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>     1. use pam as authentication medium of FreeRadius (Ivan Matala)
>     2. Re: cisco WAP/FreeRadius/OpenLDAP (Matthew Arguin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 3 Nov 2011 07:08:32 -0700
> From: Ivan Matala<ivanmatala at gmail.com>
> Subject: use pam as authentication medium of FreeRadius
> To: freeradius-users at lists.freeradius.org
> Message-ID:
> 	<CAH92aV5T6AoSqTF6ky4jWhQYdyK=p0xmHy-v6ODrL-CHcKT5cg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> i have a server A with freeradius installed. is there anyway to use
> the pam of it to be use as authentication medium of freeradius?
> (instead of using Auth Type = System, Local, SQL
>
> The pam module (http://linuxexplore.wordpress.com/how-tos/pam-with-radius-authentication/)
> connects to another radius server (Server B), and then returns a reply
> whether it is valid or invalid.
> Thanks
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 03 Nov 2011 14:40:06 -0400
> From: Matthew Arguin<matt.arguin at currensee.com>
> Subject: Re: cisco WAP/FreeRadius/OpenLDAP
> To: freeradius-users at lists.freeradius.org
> Message-ID:<4EB2E006.3040705 at currensee.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> sorry about the snipped debug.  i am attaching another fresh one here.
>
> there are no users in the files on the computer, all in LDAP so the
> shadow file should not be an issue.  I will find the 'unix' part and
> comment it out.
>
> -m
>
> full debug below from windows machine attempt:
>
> [root at ops2 ~]# radiusd -X
> FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on
> Oct  3 2011 at 10:29:04
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/modules/ldap.new
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/control-socket
> main {
>           user = "radiusd"
>           group = "radiusd"
>           allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
>           name = "radiusd"
>           prefix = "/usr"
>           localstatedir = "/var"
>           sbindir = "/usr/sbin"
>           logdir = "/var/log/radius"
>           run_dir = "/var/run/radiusd"
>           libdir = "/usr/lib64/freeradius"
>           radacctdir = "/var/log/radius/radacct"
>           hostname_lookups = no
>           max_request_time = 30
>           cleanup_delay = 5
>           max_requests = 1024
>           pidfile = "/var/run/radiusd/radiusd.pid"
>           checkrad = "/usr/sbin/checkrad"
>           debug_level = 0
>           proxy_requests = yes
>    log {
>           stripped_names = no
>           auth = no
>           auth_badpass = no
>           auth_goodpass = no
>    }
>    security {
>           max_attributes = 200
>           reject_delay = 1
>           status_server = yes
>    }
> }
> radiusd: #### Loading Realms and Home Servers ####
>    proxy server {
>           retry_delay = 5
>           retry_count = 3
>           default_fallback = no
>           dead_time = 120
>           wake_all_if_all_dead = no
>    }
>    home_server localhost {
>           ipaddr = 127.0.0.1
>           port = 1812
>           type = "auth"
>           secret = "testing123"
>           response_window = 20
>           max_outstanding = 65536
>           require_message_authenticator = no
>           zombie_period = 40
>           status_check = "status-server"
>           ping_interval = 30
>           check_interval = 30
>           num_answers_to_alive = 3
>           num_pings_to_alive = 3
>           revive_interval = 120
>           status_check_timeout = 4
>     coa {
>           irt = 2
>           mrt = 16
>           mrc = 5
>           mrd = 30
>     }
>    }
>    home_server_pool my_auth_failover {
>           type = fail-over
>           home_server = localhost
>    }
>    realm local.currensee.com {
>           auth_pool = my_auth_failover
>    }
>    realm LOCAL {
>    }
> radiusd: #### Loading Clients ####
>    client localhost {
>           ipaddr = 127.0.0.1
>           require_message_authenticator = no
>           secret = "i6Lw7uNsG7pZDUGgxirg"
>           nastype = "other"
>    }
>    client ops2 {
>           ipaddr = 192.168.10.247
>           require_message_authenticator = no
>           secret = "i6Lw7uNsG7pZDUGgxirg"
>           nastype = "other"
>    }
>    client ap1 {
>           ipaddr = 192.168.10.31
>           require_message_authenticator = no
>           secret = "i6Lw7uNsG7pZDUGgxirg"
>           shortname = "ap1"
>           nastype = "cisco"
>    }
>    client ap2 {
>           ipaddr = 192.168.10.30
>           require_message_authenticator = no
>           secret = "i6Lw7uNsG7pZDUGgxirg"
>           shortname = "ap2"
>           nastype = "cisco"
>    }
> radiusd: #### Instantiating modules ####
>    instantiate {
>    Module: Linked to module rlm_exec
>    Module: Instantiating module "exec" from file /etc/raddb/modules/exec
>     exec {
>           wait = no
>           input_pairs = "request"
>           shell_escape = yes
>     }
>    Module: Linked to module rlm_expr
>    Module: Instantiating module "expr" from file /etc/raddb/modules/expr
>    Module: Linked to module rlm_expiration
>    Module: Instantiating module "expiration" from file
> /etc/raddb/modules/expiration
>     expiration {
>           reply-message = "Password Has Expired  "
>     }
>    Module: Linked to module rlm_logintime
>    Module: Instantiating module "logintime" from file
> /etc/raddb/modules/logintime
>     logintime {
>           reply-message = "You are calling outside your allowed timespan  "
>           minimum-timeout = 60
>     }
>    }
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
>    modules {
>     Module: Creating Auth-Type = LDAP
>     Module: Creating Post-Auth-Type = REJECT
>    Module: Checking authenticate {...} for more modules to load
>    Module: Linked to module rlm_pap
>    Module: Instantiating module "pap" from file /etc/raddb/modules/pap
>     pap {
>           encryption_scheme = "auto"
>           auto_header = yes
>     }
>    Module: Linked to module rlm_chap
>    Module: Instantiating module "chap" from file /etc/raddb/modules/chap
>    Module: Linked to module rlm_mschap
>    Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
>     mschap {
>           use_mppe = yes
>           require_encryption = yes
>           require_strong = yes
>           with_ntdomain_hack = no
>           allow_retry = yes
>     }
>    Module: Linked to module rlm_unix
>    Module: Instantiating module "unix" from file /etc/raddb/modules/unix
>     unix {
>           radwtmp = "/var/log/radius/radwtmp"
>     }
>    Module: Linked to module rlm_ldap
>    Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
>     ldap {
>           server = "ldap.local.currensee.com"
>           port = 389
>           password = "VcnxJbFqeAuAFyiu3zvi"
>           identity = "cn=manager,dc=currensee,dc=com"
>           net_timeout = 1
>           timeout = 4
>           timelimit = 3
>           tls_mode = no
>           start_tls = yes
>           tls_cacertfile = "/etc/ldap/csca.crt"
>           tls_require_cert = "demand"
>      tls {
>           start_tls = no
>           require_cert = "allow"
>      }
>           basedn = "ou=people,dc=currensee,dc=com"
>           filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>           base_filter = "(objectclass=radiusprofile)"
>           auto_header = no
>           access_attr = "uid"
>           access_attr_used_for_allow = yes
>           groupname_attribute = "cn"
>           groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>           dictionary_mapping = "/etc/raddb/ldap.attrmap"
>           ldap_debug = 40
>           ldap_connections_number = 5
>           compare_check_items = no
>           do_xlat = yes
>           set_auth_type = yes
>     }
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
> Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
> Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
> Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
> Tunnel-Private-Group-Id
> conns: 0xb5bdcd0
>    Module: Linked to module rlm_eap
>    Module: Instantiating module "eap" from file /etc/raddb/eap.conf
>     eap {
>           default_eap_type = "peap"
>           timer_expire = 60
>           ignore_unknown_eap_types = no
>           cisco_accounting_username_bug = no
>           max_sessions = 2048
>     }
>    Module: Linked to sub-module rlm_eap_md5
>    Module: Instantiating eap-md5
>    Module: Linked to sub-module rlm_eap_leap
>    Module: Instantiating eap-leap
>    Module: Linked to sub-module rlm_eap_gtc
>    Module: Instantiating eap-gtc
>      gtc {
>           challenge = "Password: "
>           auth_type = "PAP"
>      }
>    Module: Linked to sub-module rlm_eap_tls
>    Module: Instantiating eap-tls
>      tls {
>           rsa_key_exchange = no
>           dh_key_exchange = yes
>           rsa_key_length = 512
>           dh_key_length = 512
>           verify_depth = 0
>           pem_file_type = yes
>           private_key_file = "/etc/raddb/certs/radius.key.pem"
>           certificate_file = "/etc/raddb/certs/radius.crt.pem"
>           CA_file = "/etc/raddb/certs/cacert.pem"
>           private_key_password = "i6Lw7uNsG7pZDUGgxirg"
>           dh_file = "/etc/raddb/certs/dh"
>           random_file = "/dev/urandom"
>           fragment_size = 1024
>           include_length = yes
>           check_crl = no
>           cipher_list = "DEFAULT"
>           make_cert_command = "/etc/raddb/certs/bootstrap"
>       cache {
>           enable = no
>           lifetime = 24
>           max_entries = 255
>       }
>      }
>    Module: Linked to sub-module rlm_eap_ttls
>    Module: Instantiating eap-ttls
>      ttls {
>           default_eap_type = "md5"
>           copy_request_to_tunnel = no
>           use_tunneled_reply = no
>           virtual_server = "inner-tunnel"
>           include_length = yes
>      }
>    Module: Linked to sub-module rlm_eap_peap
>    Module: Instantiating eap-peap
>      peap {
>           default_eap_type = "mschapv2"
>           copy_request_to_tunnel = no
>           use_tunneled_reply = no
>           proxy_tunneled_request_as_eap = yes
>           virtual_server = "inner-tunnel"
>           soh = no
>      }
>    Module: Linked to sub-module rlm_eap_mschapv2
>    Module: Instantiating eap-mschapv2
>      mschapv2 {
>           with_ntdomain_hack = no
>           send_error = no
>      }
>    Module: Checking authorize {...} for more modules to load
>    Module: Linked to module rlm_preprocess
>    Module: Instantiating module "preprocess" from file
> /etc/raddb/modules/preprocess
>     preprocess {
>           huntgroups = "/etc/raddb/huntgroups"
>           hints = "/etc/raddb/hints"
>           with_ascend_hack = no
>           ascend_channels_per_line = 23
>           with_ntdomain_hack = no
>           with_specialix_jetstream_hack = no
>           with_cisco_vsa_hack = no
>           with_alvarion_vsa_hack = no
>     }
>    Module: Linked to module rlm_realm
>    Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
>     realm suffix {
>           format = "suffix"
>           delimiter = "@"
>           ignore_default = no
>           ignore_null = no
>     }
>    Module: Linked to module rlm_files
>    Module: Instantiating module "files" from file /etc/raddb/modules/files
>     files {
>           usersfile = "/etc/raddb/users"
>           acctusersfile = "/etc/raddb/acct_users"
>           preproxy_usersfile = "/etc/raddb/preproxy_users"
>           compat = "no"
>     }
>    Module: Checking preacct {...} for more modules to load
>    Module: Linked to module rlm_acct_unique
>    Module: Instantiating module "acct_unique" from file
> /etc/raddb/modules/acct_unique
>     acct_unique {
>           key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
>     }
>    Module: Checking accounting {...} for more modules to load
>    Module: Linked to module rlm_detail
>    Module: Instantiating module "detail" from file /etc/raddb/modules/detail
>     detail {
>           detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>           header = "%t"
>           detailperm = 384
>           dirperm = 493
>           locking = no
>           log_packet_header = no
>     }
>    Module: Linked to module rlm_radutmp
>    Module: Instantiating module "radutmp" from file
> /etc/raddb/modules/radutmp
>     radutmp {
>           filename = "/var/log/radius/radutmp"
>           username = "%{User-Name}"
>           case_sensitive = yes
>           check_with_nas = yes
>           perm = 384
>           callerid = yes
>     }
>    Module: Linked to module rlm_attr_filter
>    Module: Instantiating module "attr_filter.accounting_response" from
> file /etc/raddb/modules/attr_filter
>     attr_filter attr_filter.accounting_response {
>           attrsfile = "/etc/raddb/attrs.accounting_response"
>           key = "%{User-Name}"
>           relaxed = no
>     }
>    Module: Checking session {...} for more modules to load
>    Module: Checking post-proxy {...} for more modules to load
>    Module: Checking post-auth {...} for more modules to load
>    Module: Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/modules/attr_filter
>     attr_filter attr_filter.access_reject {
>           attrsfile = "/etc/raddb/attrs.access_reject"
>           key = "%{User-Name}"
>           relaxed = no
>     }
>    } # modules
> } # server
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
>    modules {
>    Module: Checking authenticate {...} for more modules to load
>    Module: Checking authorize {...} for more modules to load
>    Module: Checking session {...} for more modules to load
>    Module: Checking post-proxy {...} for more modules to load
>    Module: Checking post-auth {...} for more modules to load
>    } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>           type = "auth"
>           ipaddr = *
>           port = 0
> }
> listen {
>           type = "acct"
>           ipaddr = *
>           port = 0
> }
> listen {
>           type = "control"
>    listen {
>           socket = "/var/run/radiusd/radiusd.sock"
>    }
> }
>    ... adding new socket proxy address * port 50281
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.
>
>
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=105, length=133
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0x7b50b55eaa1b8572fd679e2acff05bba
>           EAP-Message = 0x0202000e01616e6f6e796d6f7573
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 2 length 14
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for anonymous
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} ->  anonymous
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=anonymous)
> [ldap]  expand: ou=people,dc=currensee,dc=com ->
> ou=people,dc=currensee,dc=com
>     [ldap] ldap_get_conn: Checking Id: 0
>     [ldap] ldap_get_conn: Got Id: 0
>     [ldap] attempting LDAP reconnection
>     [ldap] (re)connect to ldap.local.currensee.com:389, authentication 0
>     [ldap] setting TLS CACert File to /etc/ldap/csca.crt
>     [ldap] bind as cn=manager,dc=currensee,dc=com/VcnxJbFqeAuAFyiu3zvi to
> ldap.local.currensee.com:389
>     [ldap] waiting for bind result ...
> request done: ld 0xb5ee050 msgid 1
>     [ldap] Bind was successful
>     [ldap] performing search in ou=people,dc=currensee,dc=com, with
> filter (uid=anonymous)
> request done: ld 0xb5ee050 msgid 2
>     [ldap] object not found
> [ldap] search failed
>     [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 105 to 192.168.10.31 port 1645
>           EAP-Message = 0x010300061920
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd78df33bec47a0da331d3912
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=106, length=229
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0xab1d629124040d4a484088109c2dabd1
>           EAP-Message =
> 0x0203005c190016030100510100004d03014eb2df500e212426b1eb54e97dcf30eb655cfb3f10a02b7cda369f1be5bc676a00002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd78df33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 3 length 92
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap]     (other): before/accept initialization
> [peap]     TLS_accept: before/accept initialization
> [peap]<<<  TLS 1.0 Handshake [length 0051], ClientHello
> [peap]     TLS_accept: SSLv3 read client hello A
> [peap]>>>  TLS 1.0 Handshake [length 002a], ServerHello
> [peap]     TLS_accept: SSLv3 write server hello A
> [peap]>>>  TLS 1.0 Handshake [length 06cd], Certificate
> [peap]     TLS_accept: SSLv3 write certificate A
> [peap]>>>  TLS 1.0 Handshake [length 018d], ServerKeyExchange
> [peap]     TLS_accept: SSLv3 write key exchange A
> [peap]>>>  TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap]     TLS_accept: SSLv3 write server done A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 106 to 192.168.10.31 port 1645
>           EAP-Message = [hex value removed]
>           EAP-Message = [hex value removed]
>           EAP-Message = [hex value removed]
>           EAP-Message =
> 0x037fa003020102020900d869d83ec24831ce300d06092a864886f70d01010405003081b931183016060355040a130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d0109011612726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f63616c2043757272656e73656520436572746966696361746520417574686f72697479301e170d3130303432363138323634325a170d3230303432353138323634325a
>           EAP-Message = 0x3081b931183016060355040a
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd68af33bec47a0da331d3912
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=107, length=143
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0x331b8832fcf1fc4ecce2b5d8b11d74e0
>           EAP-Message = 0x020400061900
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd68af33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 107 to 192.168.10.31 port 1645
>           EAP-Message = [hex value removed]
>           EAP-Message = [hex value removed]
>           EAP-Message = [hex value removed]
>           EAP-Message = [hex value removed]
>           EAP-Message = 0xd6067c739d8d28db
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd58bf33bec47a0da331d3912
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=108, length=143
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0xd26c70de6bf8873741146ca58d32fc5d
>           EAP-Message = 0x020500061900
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd58bf33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 5 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 108 to 192.168.10.31 port 1645
>           EAP-Message =
> 0x010600b61900c262d314f99faee60a3b1d641dc0639f14fc17da74acf016f52a585323c4f4597448ce37340080ac4cd31a3bdd6227eac7f5bff7134ca8897172a0533f3b6bbfbdca381a3c62ffc1fca799d5ed7fa8aab8d19ce8eb66f024b2e247dde53df5182ee42cb17aef581790d53feaacf1f35a0522c107ac8e32939b0899a5da755215e8758574e17aad17037d3bb79ef57b5ca937233bf3feee03d589b996aa635f676da7b9733458f116030100040e000000
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd488f33bec47a0da331d3912
> Finished request 3.
> Going to the next request
> Waking up in 4.8 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=109, length=341
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0x5ea79a07344221e8a7b651c1590465f2
>           EAP-Message =
> 0x020600cc190016030100861000008200806b365dd6b7e8f0506b9beeff8cb047093b38f4ade146677bde95387db9a85179e3981438ecdb81dc8bd66ff17e75044860531e7a035008408cae1c45206bccb3b738ad64f073bd7f4047b618b619b618529ee0e3b4de03c98603332d4361b6806ce927f870ae05231c3137ee8ce31b9c74aeead97a5821a96d3f789c9552c5f9140301000101160301003075082bfc6ec0756f985b798560404ec0a42e93fc29e045e4d07dfb2cab101ee1db9c3dabb7cc87926bb2dce22b494a9f
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd488f33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 204
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap]<<<  TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap]     TLS_accept: SSLv3 read client key exchange A
> [peap]<<<  TLS 1.0 ChangeCipherSpec [length 0001]
> [peap]<<<  TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: SSLv3 read finished A
> [peap]>>>  TLS 1.0 ChangeCipherSpec [length 0001]
> [peap]     TLS_accept: SSLv3 write change cipher spec A
> [peap]>>>  TLS 1.0 Handshake [length 0010], Finished
> [peap]     TLS_accept: SSLv3 write finished A
> [peap]     TLS_accept: SSLv3 flush data
> [peap]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 109 to 192.168.10.31 port 1645
>           EAP-Message =
> 0x01070041190014030100010116030100300a48ff69d71686b3d02fc914361e30c20649d2bae5c5807b805036131c0ba13b94ac2fa8f3e095f265452a799724a29a
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd389f33bec47a0da331d3912
> Finished request 4.
> Going to the next request
> Waking up in 0.2 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=110, length=143
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0x4e6a3b2a54d77a7dd6d830e5371ce9d4
>           EAP-Message = 0x020700061900
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd389f33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 7 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state TUNNEL ESTABLISHED
> ++[eap] returns handled
> Sending Access-Challenge of id 110 to 192.168.10.31 port 1645
>           EAP-Message =
> 0x0108002b1900170301002063d9c378f2cc040c57f69b9e176af752dc3b28f1b340bc482356cee997f5c7cc
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd286f33bec47a0da331d3912
> Finished request 5.
> Going to the next request
> Waking up in 0.2 seconds.
> Cleaning up request 0 ID 105 with timestamp +16
> Cleaning up request 1 ID 106 with timestamp +16
> Cleaning up request 2 ID 107 with timestamp +16
> Cleaning up request 3 ID 108 with timestamp +16
> Waking up in 4.6 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=111, length=217
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0xfccbcc2ac4f1db3d69e75f2db50a71b1
>           EAP-Message =
> 0x020800501900170301002083120e205df189c08c8450ccf4ff0ce2c19a1b92251acb1bf4fe573413b384e117030100203af2415265a1b22ab46c54782d2fae8073830d3d8201f0a921cdb946eb1c86c8
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd286f33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 8 length 80
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state WAITING FOR INNER IDENTITY
> [peap] Identity - marguin2
> [peap] Got inner identity 'marguin2'
> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
>           EAP-Message = 0x0208000d016d61726775696e32
> server  {
> [peap] Setting User-Name to marguin2
> Sending tunneled request
>           EAP-Message = 0x0208000d016d61726775696e32
>           FreeRADIUS-Proxied-To = 127.0.0.1
>           User-Name = "marguin2"
> server inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "marguin2", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 8 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for marguin2
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} ->  marguin2
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=marguin2)
> [ldap]  expand: ou=people,dc=currensee,dc=com ->
> ou=people,dc=currensee,dc=com
>     [ldap] ldap_get_conn: Checking Id: 0
>     [ldap] ldap_get_conn: Got Id: 0
>     [ldap] performing search in ou=people,dc=currensee,dc=com, with
> filter (uid=marguin2)
> request done: ld 0xb5ee050 msgid 3
> [ldap] checking if remote access for marguin2 is allowed by uid
> [ldap] looking for check items in directory...
>     [ldap] userPassword ->  Password-With-Header == "{CRYPT}tGS8HbszeyDmM"
> [ldap] looking for reply items in directory...
> [ldap] user marguin2 authorized to use remote access
>     [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
>           EAP-Message =
> 0x010900221a0109001d100b6a17aa07733a1f91509b758d0a88b86d61726775696e32
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0x602c86f460259c20be85326c7f25bc52
> [peap] Got tunneled reply RADIUS code 11
>           EAP-Message =
> 0x010900221a0109001d100b6a17aa07733a1f91509b758d0a88b86d61726775696e32
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0x602c86f460259c20be85326c7f25bc52
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 111 to 192.168.10.31 port 1645
>           EAP-Message =
> 0x0109004b190017030100408f8962038e1da77347bee429f2d4dc18cfb0e6f1116c844102ce42970981de33c538b4e8e19bd069b5d1fb6bf7513b67f6178f452f3d016b3cccefbc70f45238
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd187f33bec47a0da331d3912
> Finished request 6.
> Going to the next request
> Waking up in 3.7 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=112, length=217
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0x48c8b4886963729f80a85293243ad9a9
>           EAP-Message =
> 0x0209005019001703010020d22dda4e67687876b057da3c7c0555dc1d60323c6cc45bc6af2a53cad54722381703010020d6aab5196d83bf44cc35f02b892bbb5918c6dc786ac09570f3bbe96dc9fbe8b1
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd187f33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 9 length 80
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type nak
> [peap] Got tunneled request
>           EAP-Message = 0x020900060306
> server  {
> [peap] Setting User-Name to marguin2
> Sending tunneled request
>           EAP-Message = 0x020900060306
>           FreeRADIUS-Proxied-To = 127.0.0.1
>           User-Name = "marguin2"
>           State = 0x602c86f460259c20be85326c7f25bc52
> server inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "marguin2", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 9 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for marguin2
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} ->  marguin2
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=marguin2)
> [ldap]  expand: ou=people,dc=currensee,dc=com ->
> ou=people,dc=currensee,dc=com
>     [ldap] ldap_get_conn: Checking Id: 0
>     [ldap] ldap_get_conn: Got Id: 0
>     [ldap] performing search in ou=people,dc=currensee,dc=com, with
> filter (uid=marguin2)
> request done: ld 0xb5ee050 msgid 4
> [ldap] checking if remote access for marguin2 is allowed by uid
> [ldap] looking for check items in directory...
>     [ldap] userPassword ->  Password-With-Header == "{CRYPT}tGS8HbszeyDmM"
> [ldap] looking for reply items in directory...
> [ldap] user marguin2 authorized to use remote access
>     [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/gtc
> [eap] processing type gtc
> [gtc]   expand: Password:  ->  Password:
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
>           EAP-Message = 0x010a000f0650617373776f72643a20
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0x602c86f461268020be85326c7f25bc52
> [peap] Got tunneled reply RADIUS code 11
>           EAP-Message = 0x010a000f0650617373776f72643a20
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0x602c86f461268020be85326c7f25bc52
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 112 to 192.168.10.31 port 1645
>           EAP-Message =
> 0x010a002b190017030100200420787dcb200576e528687e537fbcff4c0f871ed6b918a6126eb9f63e37d8ac
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcd084f33bec47a0da331d3912
> Finished request 7.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=113, length=217
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0x7e1a36f67f33d35949af6bf12455126d
>           EAP-Message =
> 0x020a005019001703010020c6bef0b5339d234f36fac19dd890ccc11decb7ad21400e3a6f09cbe1463f187117030100204e26d40af582983750b24ee8ba17aff71f3cdeae50d8d1187402a263dbe0efda
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcd084f33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 10 length 80
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type gtc
> [peap] Got tunneled request
>           EAP-Message = 0x020a000d06723061646b696c6c
> server  {
> [peap] Setting User-Name to marguin2
> Sending tunneled request
>           EAP-Message = 0x020a000d06723061646b696c6c
>           FreeRADIUS-Proxied-To = 127.0.0.1
>           User-Name = "marguin2"
>           State = 0x602c86f461268020be85326c7f25bc52
> server inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "marguin2", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 10 length 13
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for marguin2
> [ldap]  expand: %{Stripped-User-Name} ->
> [ldap]  ... expanding second conditional
> [ldap]  expand: %{User-Name} ->  marguin2
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=marguin2)
> [ldap]  expand: ou=people,dc=currensee,dc=com ->
> ou=people,dc=currensee,dc=com
>     [ldap] ldap_get_conn: Checking Id: 0
>     [ldap] ldap_get_conn: Got Id: 0
>     [ldap] performing search in ou=people,dc=currensee,dc=com, with
> filter (uid=marguin2)
> request done: ld 0xb5ee050 msgid 5
> [ldap] checking if remote access for marguin2 is allowed by uid
> [ldap] looking for check items in directory...
>     [ldap] userPassword ->  Password-With-Header == "{CRYPT}tGS8HbszeyDmM"
> [ldap] looking for reply items in directory...
> [ldap] user marguin2 authorized to use remote access
>     [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/gtc
> [eap] processing type gtc
> [gtc] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [gtc] +- entering group PAP {...}
> [pap] login attempt with password "r0adkill"
> [pap] Using CRYPT password "*"
> [pap] Passwords don't match
> ++[pap] returns reject
> [eap] Handler failed in EAP/gtc
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
>           EAP-Message = 0x040a0004
>           Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
>           EAP-Message = 0x040a0004
>           Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] returns handled
> Sending Access-Challenge of id 113 to 192.168.10.31 port 1645
>           EAP-Message =
> 0x010b002b1900170301002096e49cfd808473952eb3fa75834f12426a53b614dfecd8be68ecf308d9c0e582
>           Message-Authenticator = 0x00000000000000000000000000000000
>           State = 0xd78eeafcdf85f33bec47a0da331d3912
> Finished request 8.
> Going to the next request
> Waking up in 1.1 seconds.
> Cleaning up request 4 ID 109 with timestamp +21
> Cleaning up request 5 ID 110 with timestamp +21
> Waking up in 1.2 seconds.
> rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
> id=114, length=217
>           User-Name = "anonymous"
>           Framed-MTU = 1400
>           Called-Station-Id = "64a0.e729.b890"
>           Calling-Station-Id = "1c65.9d32.fb68"
>           Service-Type = Login-User
>           Message-Authenticator = 0xc89f6cfb84abeaafca32c0ca19c71cda
>           EAP-Message =
> 0x020b005019001703010020a5c60e28809a4129d771755d38edf4f696225365ed1ac4501fb72bab9eb3c3d017030100204a26a2449d048491deddc5081a17ee3198e1eeed73ca1b4bab8857cd7a5361be
>           NAS-Port-Type = Wireless-802.11
>           NAS-Port = 2387
>           NAS-Port-Id = "2387"
>           State = 0xd78eeafcdf85f33bec47a0da331d3912
>           NAS-IP-Address = 192.168.10.31
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 11 length 80
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established.  Decoding tunneled attributes.
> [peap] Peap state send tlv failure
> [peap] Received EAP-TLV response.
> [peap]  The users session was previously rejected: returning reject (again.)
> [peap]  *** This means you need to read the PREVIOUS messages in the
> debug output
> [peap]  *** to find out the reason why the user was rejected.
> [peap]  *** Look for "reject" or "fail".  Those earlier messages will
> tell you.
> [peap]  *** what went wrong, and how to fix the problem.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->  anonymous
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 9 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Cleaning up request 6 ID 111 with timestamp +22
> Sending delayed reject for request 9
> Sending Access-Reject of id 114 to 192.168.10.31 port 1645
>           EAP-Message = 0x040b0004
>           Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.0 seconds.
> Cleaning up request 7 ID 112 with timestamp +23
> Waking up in 1.4 seconds.
> Cleaning up request 8 ID 113 with timestamp +24
> Waking up in 2.4 seconds.
> Cleaning up request 9 ID 114 with timestamp +26
> Ready to process requests.
>
>
>
>
> On 11/2/2011 5:25 PM, freeradius-users-request at lists.freeradius.org wrote:
>> Re: cisco WAP/FreeRadius/OpenLDAP

-- 
Matthew Arguin
Currensee, Inc.
54 Canal St, 4th Floor
Boston, MA 02114
(617) 986-4758 (Office)
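The inner-tunnel lines in the debug output above can be triaged mechanically. What follows is an added example, not code from the original post or from FreeRADIUS: it walks a constructed excerpt assembled from those lines, reports what rlm_ldap pulled from the directory versus what rlm_pap actually compared against, lists the authorize modules that returned `updated` before the reject (candidates for having supplied a competing password check item), and redacts the cleartext password that the EAP-GTC/PAP debug line prints, since that password ends up in any log pasted to a list. The function names and the excerpt are assumptions of this example.

```python
# Added example (not from the original post or from FreeRADIUS): a triage
# helper for '-X' debug output. Inside 'server inner-tunnel { ... }' it finds
# the rejecting module, the directory password rlm_ldap found, the value
# rlm_pap compared against, and which authorize modules returned 'updated'.
# It also masks the cleartext password the PAP debug line prints.
import re

# Constructed excerpt, assembled from the inner-tunnel lines quoted above.
SAMPLE_LOG = """\
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
++[suffix] returns noop
++[eap] returns updated
    [ldap] userPassword ->  Password-With-Header == "{CRYPT}tGS8HbszeyDmM"
++[ldap] returns ok
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] processing type gtc
[pap] login attempt with password "r0adkill"
[pap] Using CRYPT password "*"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
"""

RE_MODULE = re.compile(r"^\+\+\[(?P<mod>[\w.]+)\] returns (?P<rc>\w+)$")
RE_LDAP_PW = re.compile(r'\[ldap\] userPassword ->\s+(?P<attr>[\w-]+) == "(?P<val>[^"]*)"')
RE_PAP_USING = re.compile(r'\[pap\] Using (?P<kind>\w+) password "(?P<val>[^"]*)"')
RE_PAP_ATTEMPT = re.compile(r'(\[pap\] login attempt with password ")[^"]*(")')


def diagnose(log):
    """Summarise the inner-tunnel password check as a dict."""
    r = {"updated_in_authorize": [], "directory_password": None,
         "pap_compared_against": None, "rejecting_module": None, "rejected": False}
    in_inner, section = False, None
    for raw in log.splitlines():
        s = raw.strip()
        if s.startswith("server inner-tunnel {"):
            in_inner = True
        elif s.startswith("} # server inner-tunnel"):
            in_inner = False
        elif not in_inner:
            continue                          # only the tunneled request matters
        elif s.startswith("+- entering group "):
            section = s.split()[3]            # authorize / authenticate / PAP
        elif (m := RE_MODULE.match(s)):
            if section == "authorize" and m["rc"] == "updated":
                r["updated_in_authorize"].append(m["mod"])
            if m["rc"] == "reject" and r["rejecting_module"] is None:
                r["rejecting_module"] = m["mod"]
        elif (m := RE_LDAP_PW.search(s)):
            r["directory_password"] = (m["attr"], m["val"])
        elif (m := RE_PAP_USING.search(s)):
            r["pap_compared_against"] = (m["kind"], m["val"])
        elif s == "Failed to authenticate the user.":
            r["rejected"] = True
    return r


def strip_header(value):
    """'{CRYPT}abc' -> 'abc'; a value without a {...} header is unchanged."""
    return re.sub(r"^\{[^}]*\}", "", value)


def suspects(report):
    """Authorize modules other than ldap that returned 'updated' when pap did
    not compare against the directory hash: they may have planted the check
    item pap picked up instead."""
    found, used = report["directory_password"], report["pap_compared_against"]
    if found is None or used is None or strip_header(found[1]) == used[1]:
        return []
    return [m for m in report["updated_in_authorize"] if m != "ldap"]


def redact(log):
    """Mask the cleartext password rlm_pap prints in debug mode."""
    return RE_PAP_ATTEMPT.sub(r"\1<redacted>\2", log)
```

Run `redact()` over a full `-X` capture before posting it anywhere; `diagnose()` only looks at the tunneled request, so outer-tunnel PEAP/TLS lines are ignored.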