LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Wassim Zaarour
wassim.zaarour at navlink.com
Thu Apr 19 15:32:19 CEST 2012
On 4/19/12 4:18 PM, "Alan DeKok" <aland at deployingradius.com> wrote:
>Wassim Zaarour wrote:
>> Hi Alan, and thanks for your reply. I don't want to paste the output here
>> because it's large; should I attach it or paste it here anyway?
>
> You can follow instructions, or you can be unsubscribed and banned
>from the list.
>
> When we ask for the debug log TWICE, the response shouldn't be "should
>I post it?" The response SHOULD be to post it.
>
> Just like everyone else does.
>
> Daily on this list.
>
> Alan DeKok.
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
Below is the output of radiusd -X.
Appreciate the help.
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jul 19 2011 at 10:16:18
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.1.8 {
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
}
client 192.168.0.0/22 {
require_message_authenticator = no
secret = "testing123"
shortname = "private-network-1"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
ldap {
server = "192.168.1.40"
port = 389
password = "Hayalla5"
identity = ""
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "o=navbey.com, dc=navbey,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x134f7b8
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=211, length=119
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000701706b
Message-Authenticator = 0x9ae593aebf9c52b1e02301b1b14ad375
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.40:389, authentication 0
[ldap] bind as /Hayalla5 to 192.168.1.40:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 211 to 192.168.1.8 port 1645
EAP-Message = 0x01010016041079a9375f2ecae9fbad432dffd46c8a70
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05d7488505d64c198fb22dc79c936aef
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=212, length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x05d7488505d64c198fb22dc79c936aef
EAP-Message = 0x020100060315
Message-Authenticator = 0xfce1c51f41d8a8841a47d753a647b272
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 212 to 192.168.1.8 port 1645
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05d7488504d55d198fb22dc79c936aef
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=213, length=294
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x05d7488504d55d198fb22dc79c936aef
Message-Authenticator = 0x2b8b499cccf5cdd88941980aaef40146
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 164
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 154
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 213 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05d7488507d45d198fb22dc79c936aef
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=214, length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x05d7488507d45d198fb22dc79c936aef
EAP-Message = 0x020300061500
Message-Authenticator = 0xe77fe59ab7d1664be0a0eac58fc242d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 214 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05d7488506d35d198fb22dc79c936aef
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=215, length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x05d7488506d35d198fb22dc79c936aef
EAP-Message = 0x020400061500
Message-Authenticator = 0xc8fc232e0ecdd2755b3a06eb17b5161e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 215 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05d7488501d25d198fb22dc79c936aef
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=216, length=468
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x05d7488501d25d198fb22dc79c936aef
EAP-Message = 0x02050150158000000146160301010610000102010072c5fede7f2e7b230c06cbaa9d64a82ab40b8f1c00f4eb185fd65ac9b5a5aa77f01f72a924b1c0d64299b8b4c6f1e600315be72327a9309c2c09facb390a9a5152a5a54bb9d70da4bb4a8fff41ee237aebcc66fc135060b52f2ae59e0c7f24145b8a5f9bb835e34cca66ec73caf9d6c846606bee9982f48f3152ba97bd60b8892409fb4c8705c77cb12e0a49e833a64dfc75dd46720b8d01c58c412f7757fecc911837a3097e2fedfefd010b380fd1ea933172ffb9b622f31291bcb0ffb3bdc07e7cfd89062c3561ac7a426dcc6c6c321e728572e43e8c6583a7ed9bdb3f0b77768bc3fab2b362b0
EAP-Message = 0x60c40751cbfa2ce5489cb51da39f2bcde8809cc090d288a81403010001011603010030a88137a19eb3de41455b95e6cf888d69cfefcdc25a9107413546a9d65528216b901dbf1ffbca796cea189c3be7a33fcb
Message-Authenticator = 0x79b14a1f2282941539c8ad3f77eedf74
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 216 to 192.168.1.8 port 1645
EAP-Message = 0x0106004515800000003b1403010001011603010030d036b958b86f9312a5340cdc63b90eef649553da5f9186dac246185953519a52464d9f3ec98641caa8a9b66c6baae4e4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05d7488500d15d198fb22dc79c936aef
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=217, length=209
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "60-33-4B-9E-BD-AE"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x05d7488500d15d198fb22dc79c936aef
EAP-Message = 0x0206004f1580000000451703010040b8ec8ac0db69d05575e41855e421b91d518d37f9e86e6d54eec8adac3b5ffb88509ff9ede906d8207dff83440fb7937501f9b3c9bb4bf91e4947a7fd59ba4a59
Message-Authenticator = 0xa6f6070865d2788011b84396377516fa
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 79
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 69
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "pk"
User-Password = "pascal"
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "pk"
User-Password = "pascal"
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> pk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 217 to 192.168.1.8 port 1645
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 211 with timestamp +41
Cleaning up request 1 ID 212 with timestamp +41
Cleaning up request 2 ID 213 with timestamp +41
Cleaning up request 3 ID 214 with timestamp +41
Cleaning up request 4 ID 215 with timestamp +41
Cleaning up request 5 ID 216 with timestamp +41
Waking up in 1.0 seconds.
Cleaning up request 6 ID 217 with timestamp +41
Ready to process requests.