cisco WAP/FreeRadius/OpenLDAP
Matthew Arguin
matt.arguin at currensee.com
Mon Nov 21 18:33:11 CET 2011
so it took me a while, but i finally tracked down a MAC to continue
troubleshooting...at this point windows machines can login with RAIDUS
auth... below is the output from an attempt with a MAC:
[root at ops2 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on
Oct 3 2011 at 10:29:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ldap.new
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "i6Lw7uNsG7pZDUGgxirg"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm local.currensee.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "i6Lw7uNsG7pZDUGgxirg"
nastype = "other"
}
client ops2 {
ipaddr = 192.168.10.247
require_message_authenticator = no
secret = "i6Lw7uNsG7pZDUGgxirg"
nastype = "other"
}
client ap1 {
ipaddr = 192.168.10.31
require_message_authenticator = no
secret = "i6Lw7uNsG7pZDUGgxirg"
shortname = "ap1"
nastype = "cisco"
}
client ap2 {
ipaddr = 192.168.10.30
require_message_authenticator = no
secret = "i6Lw7uNsG7pZDUGgxirg"
shortname = "ap2"
nastype = "cisco"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = LDAP
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
ldap {
server = "ldap.local.currensee.com"
port = 389
password = "VcnxJbFqeAuAFyiu3zvi"
identity = "cn=manager,dc=currensee,dc=com"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = yes
tls_cacertfile = "/etc/ldap/csca.crt"
tls_require_cert = "demand"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "ou=people,dc=currensee,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr = "uid"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x1fa9ddb0
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/radius.key.pem"
certificate_file = "/etc/raddb/certs/radius.crt.pem"
CA_file = "/etc/raddb/certs/cacert.pem"
private_key_password = "i6Lw7uNsG7pZDUGgxirg"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
... adding new socket proxy address * port 55962
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=215, length=129
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0x23138394454f3a974d4bda910d58bb2f
EAP-Message = 0x0202000c016d61726775696e
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for marguin
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> marguin
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=marguin)
[ldap] expand: ou=people,dc=currensee,dc=com ->
ou=people,dc=currensee,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap.local.currensee.com:389, authentication 0
[ldap] setting TLS CACert File to /etc/ldap/csca.crt
[ldap] bind as cn=manager,dc=currensee,dc=com/VcnxJbFqeAuAFyiu3zvi to
ldap.local.currensee.com:389
[ldap] waiting for bind result ...
request done: ld 0x1facdf30 msgid 1
[ldap] Bind was successful
[ldap] performing search in ou=people,dc=currensee,dc=com, with
filter (uid=marguin)
request done: ld 0x1facdf30 msgid 2
[ldap] checking if remote access for marguin is allowed by uid
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{CRYPT}WgRn.wiPxI6Tk"
[ldap] looking for reply items in directory...
[ldap] user marguin authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 215 to 192.168.10.31 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d89f21f4f1edcaaacea389153
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=216, length=299
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0xf6ac040a0d51299187928c5519c1f828
EAP-Message =
0x020300a419800000009a16030100950100009103014eca8a0e0d18c4e50d054bb7ba7bd35d70cca59c3c85503893c89f2c738a923e000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d89f21f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 164
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 154
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0095], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06cd], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 216 to 192.168.10.31 port 1645
EAP-Message =
0x0104040019c00000070a160301002a0200002603014eca8a0e878b0a7c5cdf1693377ba27c35f0b8e63e093c939626ce43b3a8791d00002f0016030106cd0b0006c90006c60002a6308202a23082020b0203100028300d06092a864886f70d01010405003081b931183016060355040a130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d0109011612726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f
EAP-Message =
0x63616c2043757272656e73656520436572746966696361746520417574686f72697479301e170d3131313032313135313134335a170d3231313032303135313134335a3077310b3009060355040613025553311630140603550408130d4d61737361636875736574747331183016060355040a130f43757272656e7365652c20496e632e31133011060355040b130a4f7065726174696f6e733121301f060355040313186f7073322e6c6f63616c2e63757272656e7365652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100dbd67230f6e9b1f8d37cd689371e4965f6760ef34369b95ea48e1ef153be887b5dd5ef31
EAP-Message =
0x7a47e5d66048731d7458d9ae1ebe0508aa349d4fa74dd0c077cdca1fb2af2868d309e938cd6222f3c6737116ff656e10bbb175b76e2aa83c35efc2b0655f3bf669cabbad375d98d89c84f9d30b5887ac5225685c5bee55176ce2fe890203010001300d06092a864886f70d01010405000381810023558f75bca5500a1b7ca225f46cd98622ef05c01cc43e000dcae1cd19b8d8fcf7c53d2dff7c6403781839d0dd4a0bffb4eec337967c32665ee5f11720e09760c222e2fc6a029b0d4eb33c45614d21a6fb55cb6f01df47958d97578160057f0d23aa685539931ad0229522218b7d7c31f9fb1b8e94a9b88d6e8bc4f410a9701400041a308204163082
EAP-Message =
0x037fa003020102020900d869d83ec24831ce300d06092a864886f70d01010405003081b931183016060355040a130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d0109011612726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f63616c2043757272656e73656520436572746966696361746520417574686f72697479301e170d3130303432363138323634325a170d3230303432353138323634325a
EAP-Message = 0x3081b931183016060355040a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d88f51f4f1edcaaacea389153
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=217, length=141
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0x2fef04ad0daf8fc25c5658adb07eb75b
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d88f51f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 217 to 192.168.10.31 port 1645
EAP-Message =
0x0105031a1900130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d0109011612726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f63616c2043757272656e73656520436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100d6e8fe8f9e3905fcd63f0c9f3b9eded323e8b7a1e47ef23d8d53a29572e41656e189ccd616664ad52ea7
EAP-Message =
0x36ee86a2e1fe0696e1fe24e0345cd5b3167530ef0d6b7a58f9f55774d7a403b9a03e5d9374118a1dbb30fcab8c8bc499ef62b3aac1aec00134b635416c73e2f555b24e08933cefe2fb2a47024ee61ab51490f1cae3070203010001a38201223082011e300c0603551d13040530030101ff301d0603551d0e04160414706ed0933d93523470a6e9bc979d124333df14b03081ee0603551d230481e63081e38014706ed0933d93523470a6e9bc979d124333df14b0a181bfa481bc3081b931183016060355040a130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d01090116
EAP-Message =
0x12726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f63616c2043757272656e73656520436572746966696361746520417574686f72697479820900d869d83ec24831ce300d06092a864886f70d010104050003818100d435d275a02b5e04e17e75b6046bbd1ab3ca33299cee907f2bd9c7603b3da4a23ee97e677e97e442bd855e8c2dffc351e134e03fbec16ad71eb7608c62c29bd2a2aaa2660013bc8d76520a5a9f3b516dcbddf6a773564e57c29e20d0a614a6116a36aef3cdfb
EAP-Message =
0xdc510f1058d291e6310d9b53c8b17e521038a866f3510355ef2916030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d8bf41f4f1edcaaacea389153
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=218, length=343
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0x6486cedcf368658f1ac009c0840251ca
EAP-Message =
0x020500d01980000000c616030100861000008200803dc6943c4914148a900e1702d8ee8987d0bc583cb75e1780b2b5c7765eba71cf74b70d417d0eb2cb3e8d58ebea0d9a1ed7b728c9cd2af2552b257dee8a82e43769183f905ece2a31908875dcd1f28206e95a42eaf7d15bfbd18cf3552921bf9d9e20ccf74668b61e218a80e80aee283d572a3e6eb1d90f6f02747523ff11c48214030100010116030100306760329b805ead4f68860983c061d59dab23f5dc4f3dd285e483cb7ee1813a4f5c68605ba2584cec0221c8617dd20ea6
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d8bf41f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 218 to 192.168.10.31 port 1645
EAP-Message =
0x01060041190014030100010116030100304303f9ea6bcd1acd5df76daa0c1644a13fa5bb07a55591fafe48c0450833bd54273446ec5ac97134a35b099238ffd2bd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d8af71f4f1edcaaacea389153
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 215 with timestamp +28
Cleaning up request 1 ID 216 with timestamp +28
Cleaning up request 2 ID 217 with timestamp +28
Cleaning up request 3 ID 218 with timestamp +28
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x89f1065d8af71f4f did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=219, length=141
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0x739b73dd50f560d8225a81b34573a4a7
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d8af71f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 219 to 192.168.10.31 port 1645
EAP-Message =
0x0107002b19001703010020e070168325d6bf65dbf125757cd93e2f39b2be90636f354dad19e3bffc763f18
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d8df61f4f1edcaaacea389153
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=220, length=178
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0x51be84fc57ad005327459d7bf2508b03
EAP-Message =
0x0207002b19001703010020b69cc3f579947cc74451eebc8d55253fcb59470683540101774f0160ac4e20e6
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d8df61f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - marguin
[peap] Got inner identity 'marguin'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000c016d61726775696e
server {
[peap] Setting User-Name to marguin
Sending tunneled request
EAP-Message = 0x0207000c016d61726775696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "marguin"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for marguin
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> marguin
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=marguin)
[ldap] expand: ou=people,dc=currensee,dc=com ->
ou=people,dc=currensee,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=currensee,dc=com, with
filter (uid=marguin)
request done: ld 0x1facdf30 msgid 3
[ldap] checking if remote access for marguin is allowed by uid
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{CRYPT}WgRn.wiPxI6Tk"
[ldap] looking for reply items in directory...
[ldap] user marguin authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800211a0108001c10162a56370ce0ab80767414d8abfb25486d61726775696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2b2960c02b217a4e71d440973551574b
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800211a0108001c10162a56370ce0ab80767414d8abfb25486d61726775696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2b2960c02b217a4e71d440973551574b
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 220 to 192.168.10.31 port 1645
EAP-Message =
0x0108004b19001703010040ce3d61076b12b99a3e4585a7c13cfa32c9b1fab601dca0271dbf8a13bd4b7ac08db1b5a9fbb630783357a9e7ffefdd5d729c9ce5298341277279a2f890dd2797
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d8cf91f4f1edcaaacea389153
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=221, length=242
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0xa42f6af151fab3cbc3c37097202cc15b
EAP-Message =
0x0208006b1900170301006025cee42a47eed87aa4cbd0d2d1c78f3eecf22b6637712f1201fc1a14b1764025adb9ad700d880c6b51f116500593cd0e72c8e0e7221281cf93e116ea7f7792568d9e717607af5b364e4409959a9db88755383cd6679262c5a5bd10210424a9a0
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d8cf91f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800421a0208003d31909dc14eec97e73e0a72148e501ca5130000000000000000fab91e4aa6e4c9a87b9259d1532db0e295ebe2213eda1462006d61726775696e
server {
[peap] Setting User-Name to marguin
Sending tunneled request
EAP-Message =
0x020800421a0208003d31909dc14eec97e73e0a72148e501ca5130000000000000000fab91e4aa6e4c9a87b9259d1532db0e295ebe2213eda1462006d61726775696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "marguin"
State = 0x2b2960c02b217a4e71d440973551574b
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for marguin
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> marguin
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=marguin)
[ldap] expand: ou=people,dc=currensee,dc=com ->
ou=people,dc=currensee,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=currensee,dc=com, with
filter (uid=marguin)
request done: ld 0x1facdf30 msgid 4
[ldap] checking if remote access for marguin is allowed by uid
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{CRYPT}WgRn.wiPxI6Tk"
[ldap] looking for reply items in directory...
[ldap] user marguin authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: marguin
[mschap] Told to do MS-CHAPv2 for marguin with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 221 to 192.168.10.31 port 1645
EAP-Message =
0x0109002b19001703010020461bb03d763ae49d928d168b37006c190b066e2e5f291152d26e975eb8676af0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89f1065d8ff81f4f1edcaaacea389153
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=222, length=178
User-Name = "marguin"
Framed-MTU = 1400
Called-Station-Id = "64a0.e72f.69c0"
Calling-Station-Id = "001e.5273.4858"
Service-Type = Login-User
Message-Authenticator = 0xbe91fe2cf8cdbe0b2ab144028a6c71dd
EAP-Message =
0x0209002b190017030100203c08a31c5ec50023018f8534d0d652cde9744b100ba72bcf3eb8391a726d3dc3
NAS-Port-Type = Wireless-802.11
NAS-Port = 2658
NAS-Port-Id = "2658"
State = 0x89f1065d8ff81f4f1edcaaacea389153
NAS-IP-Address = 192.168.10.31
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "marguin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the
debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will
tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> marguin
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 222 to 192.168.10.31 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.6 seconds.
Cleaning up request 4 ID 219 with timestamp +40
Cleaning up request 5 ID 220 with timestamp +40
Cleaning up request 6 ID 221 with timestamp +40
Waking up in 2.2 seconds.
Cleaning up request 7 ID 222 with timestamp +41
Ready to process requests.
On 11/3/2011 2:40 PM, freeradius-users-request at lists.freeradius.org wrote:
> cisco WAP/FreeRadius/OpenLDAP
--
Matthew Arguin
Currensee, Inc.
54 Canal St, 4th Floor
Boston, MA 02114
(617) 986-4758 (Office)
_________________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the addressee. If you received this email in error, please do not disclose the contents to anyone; kindly notify the sender by return email and delete this email and any attachments from your system.
© 2011 Currensee Inc. is a member of the National Futures Association (NFA) Member ID 0403251 | Over the counter retail foreign currency (Forex) trading may involve significant risk of loss. It is not suitable for all investors and you should make sure you understand the risks involved before trading and seek independent advice if necessary. Performance, strategies and charts shown are not necessarily predictive of any particular result and past performance is no indication of future results. Investor returns may vary from Trade Leader returns based on slippage, fees, broker spreads, volatility or other market conditions.
Currensee Inc | 54 Canal St 4th Floor | Boston, MA 02114 | +1.617.624.3824
More information about the Freeradius-Users
mailing list