Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication
uselessidbr
gustavov at sc.senai.br
Tue Sep 20 00:19:04 CEST 2011
Hello.
People, I've read a lot about WIFI/AP authentication over FreeRADIUS using
LDAP, but it seems I cannot make it work unless I use a clear-text password
or NT/LM password, which as far as I know implies Samba + LDAP integration.
My question is: is that really the only way to make FreeRADIUS authenticate
users against an LDAP database?
Do I need to have Samba + LDAP to authenticate WIFI users using FreeRADIUS +
LDAP with EAP-MSCHAPv2?
If so, is there any other solution to authenticate Windows WIFI users
without using a 3rd-party WIFI supplicant?
Is there definitely no other way I can use FreeRADIUS and Fedora-DS without
Samba/clear-text passwords OR a 3rd-party supplicant that supports EAP/PAP?
With my current configuration I was able to authenticate LDAP users with
clear-text passwords, but that's not what I really want as a WIFI
authentication solution. My goal is to use FreeRADIUS to authenticate WIFI
users against an LDAP database without the need to use a non-native Windows
application.
Here goes my debug using an encrypted user password (which fails):
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Mar 25 2011 at 10:54:38
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm mydomain {
authhost = LOCAL
accthost = LOCAL
}
realm host {
authhost = LOCAL
accthost = LOCAL
}
realm teste {
authhost = LOCAL
accthost = LOCAL
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.10.10.1 {
require_message_authenticator = no
secret = "password"
shortname = "AP1"
}
client 10.10.10.2 {
require_message_authenticator = no
secret = "password"
shortname = "AP2"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
ldap {
server = "10.10.10.15"
port = 389
password = "mypassword"
identity = "cn=user,dc=domain"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/etc/raddb/cacert.pem"
cacertdir = "/etc/raddb/"
certfile = "/etc/raddb/server.pem"
keyfile = "/etc/raddb/certs/server.key"
randfile = "/dev/urandom"
require_cert = "allow"
}
basedn = "ou=User,dc=domain"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x7fbe6f08c1d0
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "password"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "IPASS" from file /etc/raddb/modules/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254, length=214
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message = 0x0200000b01746573746532
Message-Authenticator = 0xcd3cde11fdb9c9e173401a1ab63137d0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for teste2
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> teste2
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=teste2)
[ldap] expand: ou=Users,dc=domain -> ou=Users,dc=domain
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.10.10.15:389, authentication 0
[ldap] setting TLS CACert File to /etc/raddb/cacert.pem
[ldap] setting TLS CACert Directory to /etc/raddb/
[ldap] setting TLS Cert File to /etc/raddb/server.pem
[ldap] setting TLS Key File to /etc/raddb/certs/server.key
[ldap] setting TLS Key File to /dev/urandom
[ldap] bind as cn=user,dc=domain/password to 10.10.10.15:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=Users,dc=domain, with filter (uid=teste2)
[ldap] Added User-Password = {SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk= in check items
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk="
[ldap] looking for reply items in directory...
[ldap] user teste2 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f7c48bb76be870fae22db0ee
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254, length=326
Cleaning up request 0 ID 254 with timestamp +15
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f7c48bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message = 0x0201006919800000005f160301005a0100005603014e77ac4ef302031ce6cf78b5efa69c7b099159b307be6b4012f60c9ce315c67a000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
State = 0xf7c592a0f7c48bb76be870fae22db0ee
Message-Authenticator = 0xcc0f4382d29993c82ea7d5f28d83ec6d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message = 0x0389a003020102020900e0c2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f6c78bb76be870fae22db0ee
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254, length=227
Cleaning up request 1 ID 254 with timestamp +15
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f6c78bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message = 0x020200061900
State = 0xf7c592a0f6c78bb76be870fae22db0ee
Message-Authenticator = 0x841c3e3abcb3dae6bd7e27170021ad46
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message = 0x80dc01dc76af44cc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f5c68bb76be870fae22db0ee
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254, length=227
Cleaning up request 2 ID 254 with timestamp +15
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f5c68bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message = 0x020300061900
State = 0xf7c592a0f5c68bb76be870fae22db0ee
Message-Authenticator = 0x0a39b42d7de2a7b38ed8cf7b807d341c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message = 0x010400ac1900952b3388d9fc8a18902a7ca2464057045b225266793cad184508c644fc450b67d8d016c13e1a97223a5527ed1dd363c511abe6d9e39ea657cf521efa4088ec8560b1fb3bc99c16291861233ee7991f1190ff7ad5dceda93c0806e1d53fd3a51f26ea62917bf1129cd8cf3641e8bfa4578aaf5b05faef5dbe70f444573b7771bcaccffcb6dcb83f3c4219f8a51e65b18379a9a234940a859e6796bbc39816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f4c18bb76be870fae22db0ee
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254, length=559
Cleaning up request 3 ID 254 with timestamp +15
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f4c18bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message = 0x023c90c2eaa483212cd56dee5f2eb41ce20867c910eac4920114030100010116030100302bdb38b496d679466f1893edff2f8eb093624b411c47368c13c583a737d0bec2f68dd3e7d53b98d27dfbc986248cb05f
State = 0xf7c592a0f4c18bb76be870fae22db0ee
Message-Authenticator = 0xa522fecab2ac7eca750166755205bf27
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 4 length 252
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message =
0x0105004119001403010001011603010030d1e5dba0e82d06aa0efc4287843d8208d124a58d449a582c793dc50977fc3d0b85c0aef80bfc5e004d93ae6ce60d0ed5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f3c08bb76be870fae22db0ee
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254,
length=227
Cleaning up request 4 ID 254 with timestamp +15
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f3c08bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message = 0x020500061900
State = 0xf7c592a0f3c08bb76be870fae22db0ee
Message-Authenticator = 0x0b80ba1e60a27eeb5eb41f1458465a19
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message =
0x0106002b190017030100205764f8ef2b3b7d310fa296587d149cb2a3f7ed99b582d06f9083773de55dc14d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f2c38bb76be870fae22db0ee
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254,
length=264
Cleaning up request 5 ID 254 with timestamp +15
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f2c38bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message =
0x0206002b190017030100207dea7432b1b04d11512baf1695f76ff6b7b9ce4b2b3ae758c52da2236bbfc395
State = 0xf7c592a0f2c38bb76be870fae22db0ee
Message-Authenticator = 0x85cf9261aac6080e4048a0b9d23c7176
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - teste2
[peap] Got inner identity 'teste2'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000b01746573746532
server {
PEAP: Setting User-Name to teste2
Sending tunneled request
EAP-Message = 0x0206000b01746573746532
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for teste2
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> teste2
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=teste2)
[ldap] expand: ou=Users,dc=domain -> ou=Users,dc=domain
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=domain, with filter (uid=teste2)
[ldap] Added User-Password = {SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk= in check
items
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk="
[ldap] looking for reply items in directory...
[ldap] user teste2 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010700201a0107001b103a5115f773349150b9b5946cfbff32d0746573746532
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbe0fa53abe08bf4800211b259017b493
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700201a0107001b103a5115f773349150b9b5946cfbff32d0746573746532
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbe0fa53abe08bf4800211b259017b493
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message =
0x0107004b1900170301004042ba4c5209794b623511eacc7f0bb8ee3e5bb95842822987291efd1f421464113439a4b10135432498834418ec8a98a86a81aa45f7acfe3832bbb6f8322e7977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f1c28bb76be870fae22db0ee
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254,
length=328
Cleaning up request 6 ID 254 with timestamp +15
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f1c28bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message =
0x0207006b1900170301006081c9d132cfa04368529dade57d67641e7fd3b378acac26d660c7a84c45a8f53ad96d366b40632a6fa8edaf935b809d4470016bde67708bbb5c33faa93f9a7f7df7e87f30fb963c0bd4c0e435206f2e235c56100377c8acba97ab332b6b7cff4e
State = 0xf7c592a0f1c28bb76be870fae22db0ee
Message-Authenticator = 0xca3d17d60332ac20951db7bde6f666a0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020700411a0207003c3166967fb6fe3977d049f2c9bc6916ed8c000000000000000088e0c96ae4e8b5f451d108eff34d695a452a9b67e1348db400746573746532
server {
PEAP: Setting User-Name to teste2
Sending tunneled request
EAP-Message =
0x020700411a0207003c3166967fb6fe3977d049f2c9bc6916ed8c000000000000000088e0c96ae4e8b5f451d108eff34d695a452a9b67e1348db400746573746532
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "teste2"
State = 0xbe0fa53abe08bf4800211b259017b493
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for teste2
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> teste2
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=teste2)
[ldap] expand: ou=Users,dc=domain -> ou=Users,dc=domain
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=domain, with filter (uid=teste2)
[ldap] Added User-Password = {SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk= in check
items
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk="
[ldap] looking for reply items in directory...
[ldap] user teste2 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: teste2
[mschap] Told to do MS-CHAPv2 for teste2 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 254 to 10.10.10.1 port 42873
EAP-Message =
0x0108002b190017030100201e991601faad6e17dbd36948aaa0ffa54bab24d9694a5f874f454b3c9068678f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7c592a0f0cd8bb76be870fae22db0ee
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.1 port 42873, id=254,
length=264
Cleaning up request 7 ID 254 with timestamp +15
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xf7c592a0f0cd8bb7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
User-Name = "teste2"
NAS-IP-Address = 10.10.10.2
NAS-Port = 51
Framed-MTU = 1400
Called-Station-Id = "00:04:96:32:c1:bd"
Calling-Station-Id = "74:f0:6d:0a:ce:4f"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "teste"
Extreme-Attr-3 = 0x31303030303038303144303831323937
Extreme-Attr-2 = 0x544943
Extreme-Attr-4 = 0x7465737465
Extreme-Attr-5 = 0x7465737465
Extreme-Attr-6 = 0x30303a30343a39363a33323a63313a6264
EAP-Message =
0x0208002b190017030100200f24e2e08569178721784c13cfa2fed7b033940f2b653d7616966358be7e87eb
State = 0xf7c592a0f0cd8bb76be870fae22db0ee
Message-Authenticator = 0x775b3a54b6f3809cbff7365813a3ae59
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[IPASS] No '/' in User-Name = "teste2", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] returns noop
[suffix] No '@' in User-Name = "teste2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "teste2", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> teste2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 254 to 10.10.10.1 port 42873
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.*
Thanks in advance,
Gustavo.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-Fedora-DS-EAP-MSCHAPv2-for-WIFI-AP-authentication-tp4820687p4820687.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
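The decisive lines of the debug above are in the inner tunnel: rlm_ldap maps the directory's `userPassword` to `Password-With-Header == "{SHA}..."`, and rlm_mschap then reports "No Cleartext-Password configured. Cannot create NT-Password" followed by "FAILED: No NT/LM-Password. Cannot perform authentication." The following added example (not FreeRADIUS code, not from the poster) models that decision in Python to show why a SHA-1 `userPassword` can never satisfy MS-CHAPv2: the verifier needs the NT hash, MD4 of the UTF-16LE password (RFC 2759), which rlm_mschap can derive from a cleartext password or take directly from an `NT-Password` check item (what a Samba-schema `sambaNTPassword` attribute supplies), but a one-way SHA-1 digest of the password cannot be turned into an MD4 digest. The `check_items` dictionary, the MD4 implementation (pure Python, because `hashlib` builds on OpenSSL 3 often lack MD4), and the passwords `password` and `s3cret` are constructed for the illustration; the `{SHA}` value is the one from the log.

```python
"""Why EAP-MSCHAPv2 cannot verify against a {SHA} userPassword (added example)."""
import base64
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used only because NT hashes are MD4."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:                       # round 1: F, words in order
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:                     # round 2: G + constant
                j = i - 16
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:                            # round 3: H + constant
                j = i - 32
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k, s = r3_order[j], (3, 9, 11, 15)[j % 4]
            # rotate registers so the same expression serves all four slots
            a, b, c, d = d, _lrot((a + f + x[k]) & MASK, s), b, c
        h = [(h[i] + v) & MASK for i, v in enumerate((a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap derives it from Cleartext-Password."""
    return md4(password.encode("utf-16-le"))


def derive_nt_password(check_items: dict) -> Optional[bytes]:
    """Model of the rlm_mschap decision seen in the log (constructed, not the
    module's code): an NT-Password check item is used as-is, a cleartext
    password is hashed to one, and anything else (a {SHA}/{SSHA}/{CRYPT}
    Password-With-Header) yields nothing, i.e. "No NT/LM-Password"."""
    if "NT-Password" in check_items:
        return bytes.fromhex(check_items["NT-Password"])
    if "Cleartext-Password" in check_items:
        return nt_hash(check_items["Cleartext-Password"])
    return None  # one-way digest of the password: cannot become MD4(UTF-16LE(pw))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2: the 8-byte value the client's response covers
    ("Creating challenge hash with username" in the log)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def sha_header(password: str) -> str:
    """Build a {SHA} userPassword value the way an LDAP server stores it."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def pap_check_sha(stored: str, candidate: str) -> bool:
    """What PAP (not MS-CHAPv2) can do with a {SHA} entry: hash the candidate
    the supplicant sent in cleartext and compare digests in constant time."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(base64.b64decode(stored[5:]),
                               hashlib.sha1(candidate.encode()).digest())


if __name__ == "__main__":
    log_items = {"Password-With-Header": "{SHA}lqYsqYvex/VTQ/jPpZQ3m9unbMk="}
    print("NT hash from {SHA} entry:", derive_nt_password(log_items))          # None
    print("NT hash from cleartext  :", derive_nt_password({"Cleartext-Password": "password"}).hex())
    print("PAP against {SHA}       :", pap_check_sha(sha_header("s3cret"), "s3cret"))
```

Running it prints `None` for the `{SHA}` check item and a 16-byte NT hash for the cleartext one, which is exactly the fork the inner tunnel takes in the log. The practical consequence for the directory design: to keep EAP-MSCHAPv2 you must store either the cleartext password or the NT hash, and the NT hash is password-equivalent for this protocol, so the attribute that holds it (for example `sambaNTPassword`) needs the same LDAP ACLs and transport protection you would give a cleartext `userPassword`; the FreeRADIUS bind DN should be the only identity able to read it.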