LDAP-FreeRadius-Cisco Switch-802.1x Fails.

Wassim Zaarour wassim.zaarour at navlink.com
Thu Apr 19 15:32:19 CEST 2012





On 4/19/12 4:18 PM, "Alan DeKok" <aland at deployingradius.com> wrote:

>Wassim Zaarour wrote:
>> Hi Alan, and thanks for your reply, I don't want to paste the output
>> here coz it's large, should I attach it or paste here anyways or??
>
>  You can follow instructions, or you can be unsubscribed and banned
>from the list.
>
>  When we ask for the debug log TWICE, the response shouldn't be "should
>I post it?"  The response SHOULD be to post it.
>
>  Just like everyone else does.
>
>  Daily on this list.
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

Below is the output of radiusd -X

Appreciate the help.



FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jul 19 2011 at 10:16:18
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	require_message_authenticator = yes
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
 client 192.168.1.8 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "localhost"
 }
 client 192.168.0.0/22 {
	require_message_authenticator = no
	secret = "testing123"
	shortname = "private-network-1"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/raddb/modules/exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/raddb/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/raddb/modules/pap
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/raddb/modules/unix
  unix {
	radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
	default_eap_type = "md5"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	CA_path = "/etc/raddb/certs"
	pem_file_type = yes
	private_key_file = "/etc/raddb/certs/server.pem"
	certificate_file = "/etc/raddb/certs/server.pem"
	CA_file = "/etc/raddb/certs/ca.pem"
	private_key_password = "whatever"
	dh_file = "/etc/raddb/certs/dh"
	random_file = "/etc/raddb/certs/random"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
    verify {
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/modules/files
  files {
	usersfile = "/etc/raddb/users"
	acctusersfile = "/etc/raddb/acct_users"
	preproxy_usersfile = "/etc/raddb/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
  radutmp {
	filename = "/var/log/radius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/raddb/attrs.access_reject"
	key = "%{User-Name}"
  }
 } # modules
} # server
server { # from file /etc/raddb/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/raddb/modules/digest
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
  ldap {
	server = "192.168.1.40"
	port = 389
	password = "Hayalla5"
	identity = ""
	net_timeout = 1
	timeout = 4
	timelimit = 3
	tls_mode = no
	start_tls = no
	tls_require_cert = "allow"
   tls {
	start_tls = no
	require_cert = "allow"
   }
	basedn = "o=navbey.com, dc=navbey,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	auto_header = no
	access_attr_used_for_allow = yes
	groupname_attribute = "cn"
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	dictionary_mapping = "/etc/raddb/ldap.attrmap"
	ldap_debug = 0
	ldap_connections_number = 5
	compare_check_items = no
	do_xlat = yes
	set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x134f7b8
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
  preprocess {
	huntgroups = "/etc/raddb/huntgroups"
	hints = "/etc/raddb/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/raddb/modules/detail
  detail {
	detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/raddb/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "control"
 listen {
	socket = "/var/run/radiusd/radiusd.sock"
 }
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=211, length=119
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x0200000701706b
	Message-Authenticator = 0x9ae593aebf9c52b1e02301b1b14ad375
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> pk
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] 	expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 192.168.1.40:389, authentication 0
  [ldap] bind as /Hayalla5 to 192.168.1.40:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 211 to 192.168.1.8 port 1645
	EAP-Message = 0x01010016041079a9375f2ecae9fbad432dffd46c8a70
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x05d7488505d64c198fb22dc79c936aef
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=212, length=136
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x05d7488505d64c198fb22dc79c936aef
	EAP-Message = 0x020100060315
	Message-Authenticator = 0xfce1c51f41d8a8841a47d753a647b272
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> pk
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] 	expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 212 to 192.168.1.8 port 1645
	EAP-Message = 0x010200061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x05d7488504d55d198fb22dc79c936aef
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=213, length=294
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x05d7488504d55d198fb22dc79c936aef
	Message-Authenticator = 0x2b8b499cccf5cdd88941980aaef40146
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 164
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 154
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode 
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 213 to 192.168.1.8 port 1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x05d7488507d45d198fb22dc79c936aef
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=214, length=136
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x05d7488507d45d198fb22dc79c936aef
	EAP-Message = 0x020300061500
	Message-Authenticator = 0xe77fe59ab7d1664be0a0eac58fc242d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 214 to 192.168.1.8 port 1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x05d7488506d35d198fb22dc79c936aef
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=215, length=136
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x05d7488506d35d198fb22dc79c936aef
	EAP-Message = 0x020400061500
	Message-Authenticator = 0xc8fc232e0ecdd2755b3a06eb17b5161e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 215 to 192.168.1.8 port 1645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x05d7488501d25d198fb22dc79c936aef
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=216, length=468
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x05d7488501d25d198fb22dc79c936aef
	EAP-Message = 0x02050150158000000146160301010610000102010072c5fede7f2e7b230c06cbaa9d64a82ab40b8f1c00f4eb185fd65ac9b5a5aa77f01f72a924b1c0d64299b8b4c6f1e600315be72327a9309c2c09facb390a9a5152a5a54bb9d70da4bb4a8fff41ee237aebcc66fc135060b52f2ae59e0c7f24145b8a5f9bb835e34cca66ec73caf9d6c846606bee9982f48f3152ba97bd60b8892409fb4c8705c77cb12e0a49e833a64dfc75dd46720b8d01c58c412f7757fecc911837a3097e2fedfefd010b380fd1ea933172ffb9b622f31291bcb0ffb3bdc07e7cfd89062c3561ac7a426dcc6c6c321e728572e43e8c6583a7ed9bdb3f0b77768bc3fab2b362b0
	EAP-Message = 0x60c40751cbfa2ce5489cb51da39f2bcde8809cc090d288a81403010001011603010030a88137a19eb3de41455b95e6cf888d69cfefcdc25a9107413546a9d65528216b901dbf1ffbca796cea189c3be7a33fcb
	Message-Authenticator = 0x79b14a1f2282941539c8ad3f77eedf74
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 216 to 192.168.1.8 port 1645
	EAP-Message = 0x0106004515800000003b1403010001011603010030d036b958b86f9312a5340cdc63b90eef649553da5f9186dac246185953519a52464d9f3ec98641caa8a9b66c6baae4e4
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x05d7488500d15d198fb22dc79c936aef
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=217, length=209
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "60-33-4B-9E-BD-AE"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x05d7488500d15d198fb22dc79c936aef
	EAP-Message = 0x0206004f1580000000451703010040b8ec8ac0db69d05575e41855e421b91d518d37f9e86e6d54eec8adac3b5ffb88509ff9ede906d8207dff83440fb7937501f9b3c9bb4bf91e4947a7fd59ba4a59
	Message-Authenticator = 0xa6f6070865d2788011b84396377516fa
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 79
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 69
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	User-Name = "pk"
	User-Password = "pascal"
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	User-Name = "pk"
	User-Password = "pascal"
	FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> pk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 217 to 192.168.1.8 port 1645
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 211 with timestamp +41
Cleaning up request 1 ID 212 with timestamp +41
Cleaning up request 2 ID 213 with timestamp +41
Cleaning up request 3 ID 214 with timestamp +41
Cleaning up request 4 ID 215 with timestamp +41
Cleaning up request 5 ID 216 with timestamp +41
Waking up in 1.0 seconds.
Cleaning up request 6 ID 217 with timestamp +41
Ready to process requests.
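In the trace above the TLS tunnel is established and the tunneled PAP request (User-Name "pk" with a cleartext User-Password) reaches the inner-tunnel virtual server, but every module in its authorize section (chap, mschap, suffix, control, eap, files, expiration, logintime, pap) returns noop: nothing looked the user up, so no known password and no Auth-Type were set and the request was rejected. The fragment below is an added example, not configuration posted by the author or shipped as-is by the FreeRADIUS project: it shows a FreeRADIUS 2.x sites-enabled/inner-tunnel with rlm_ldap placed in authorize ahead of pap, and an Auth-Type LDAP fallback in authenticate. It assumes an rlm_ldap instance named `ldap` is already defined in modules/ldap (server, bind identity, basedn and a filter such as `(uid=%{User-Name})`); that file does not appear on the page.

```unlang
# /etc/raddb/sites-enabled/inner-tunnel  (FreeRADIUS 2.x, added example)
# Only the authorize and authenticate sections are shown; the other
# sections of the stock file are unchanged.
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix

        update control {
            Proxy-To-Realm := LOCAL
        }

        eap {
            ok = return
        }

        files

        # Added: look the tunneled user up in the directory.  If the bind
        # identity can read the user's password attribute, rlm_ldap puts
        # it in the control list and "pap" below authenticates locally.
        # If it cannot, rlm_ldap sets Auth-Type := LDAP so the request is
        # authenticated by binding as the user in the section below.
        # The instance name "ldap" is assumed to match modules/ldap.
        ldap

        expiration
        logintime

        # Sets Auth-Type := PAP only when a User-Password is present AND a
        # known-good password was supplied by an earlier module.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        Auth-Type CHAP {
            chap
        }

        Auth-Type MS-CHAP {
            mschap
        }

        # Added: bind-as-user fallback used when rlm_ldap could not read the
        # password attribute during authorize.
        Auth-Type LDAP {
            ldap
        }

        eap
    }
}
```

After the change, restart with radiusd -X and look for `[ldap]` lines in the inner-tunnel authorize output: a successful lookup is followed either by `++[pap] returns updated` and `Found Auth-Type = PAP`, or by `Found Auth-Type = LDAP` and a bind in the authenticate section; a bind or search failure will show the LDAP error text instead of the generic "No authenticate method" rejection. Note that, as the trace above shows, radiusd -X prints the tunneled User-Password in the clear, so redact that line before sharing a debug log.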