Freeradius not expanding %{User-Password} (EAP-TTLS with MD5 authentication)
Veselin Mijuskovic
veselin.mijuskovic at etf.rs
Mon Jun 18 12:53:52 CEST 2012
Hi,

I've stumbled upon a nasty problem:

- I need to set up FreeRADIUS as an authentication server where I have to authenticate users from two external databases. I've set up FreeRADIUS to use the ntlm_auth module and swapped the 'ntlm_auth' command with my own script (see the debug output). This script must be called with the full username and password in cleartext so that I can then connect to the databases and check whether the user's credentials are correct and (s)he is allowed to connect to the service. Both databases save user passwords encrypted according to their own rules (SHA256 with and without salt), and for that reason I need the password supplied by the RADIUS client in cleartext.

However, when everything is set up, somehow '%{User-Password}' or '%{Cleartext-Password}' (I've tried them both) does not expand to anything when executing ntlm_auth authentication, and my script always rejects the user. For testing purposes, I've set up a bash script that exits with status 0 if the username is 'testuser@med.bg.ac.rs' and the password is 'proba.321', or with status 1 otherwise. The script works when called from the command line.

The OS is CentOS 5.8 64-bit and the FreeRADIUS version is 2.1.12. I have tried to check the auth with 'eapol_test' with the following configuration:
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    identity="testuser@med.bg.ac.rs"
    password="proba.321"
    anonymous_identity="anonymous"
    phase2="auth=MD5"
    ca_cert="/etc/raddb/certs/ca.pem"
}
The output from the 'radiusd -X' is as follows:
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on
Feb 22 2012 at 14:59:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth+acct"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
realm med.bg.ac.rs {
authhost = LOCAL
accthost = LOCAL
}
realm LOCAL {
}
realm NULL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
virtual_server = "eduroam"
}
client ftlr1.ac.rs {
ipaddr = 147.91.4.204
require_message_authenticator = no
secret = "******"
shortname = "ftlr1"
nastype = "other"
virtual_server = "eduroam"
}
client ftlr2.ac.rs {
ipaddr = 147.91.1.101
require_message_authenticator = no
secret = "******"
shortname = "ftlr2"
nastype = "other"
virtual_server = "eduroam"
}
client netiis.monitor {
ipaddr = 147.91.3.12
require_message_authenticator = no
secret = "******"
shortname = "netiis"
nastype = "other"
virtual_server = "eduroam"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "******"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "eduroam-inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server eduroam { # from file /etc/raddb/sites-enabled/eduroam
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "auth_log" from file
/etc/raddb/modules/detail.log
detail auth_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "pre_proxy_log" from file
/etc/raddb/modules/detail.log
detail pre_proxy_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file
/etc/raddb/modules/detail.log
detail post_proxy_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file
/etc/raddb/modules/detail.log
detail reply_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
} # modules
} # server
server eduroam-inner-tunnel { # from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
modules {
Module: Creating Auth-Type = ntlm_auth
Module: Checking authenticate {...} for more modules to load
Module: Instantiating module "ntlm_auth" from file
/etc/raddb/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/local/sbin/medauth %{User-Name}
%{Cleartext-Password} >& /dev/null"
input_pairs = "request"
shell_escape = yes
}
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 36934
... adding new socket proxy address * port 33386
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=0,
length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x1ce7f102551d22fcc6ba9815d29d098f
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 127.0.0.1 port 57434
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x453e5638453f433c1dde145a555d75ae
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=1,
length=225
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0201005f150016030100540100005003014fdefc0a35aa637e8a3b2e436e90f60e9e83e5b6c5631ebb720ffbd5e117812800002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100
State = 0x453e5638453f433c1dde145a555d75ae
Message-Authenticator = 0x960996a07cd20c784ce8b254694b6c90
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 95
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0054], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0920], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 1 to 127.0.0.1 port 57434
EAP-Message =
0x0603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a308193310b3009060355040613025253310f300d0603550408130653657262696131333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c6772616465311c301a060355040313137261646975732e6d65642e62672e61632e72733120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727330820122300d06092a864886f70d0101010500038201
EAP-Message = 0xc332ff74a92620533a7b61da
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x453e5638443c433c1dde145a555d75ae
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=2,
length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061500
State = 0x453e5638443c433c1dde145a555d75ae
Message-Authenticator = 0xa3b3094ac897f879e1f4d836e982f0ee
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 2 to 127.0.0.1 port 57434
EAP-Message = 0x86f70d010901161163696b74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x453e5638473d433c1dde145a555d75ae
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=3,
length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061500
State = 0x453e5638473d433c1dde145a555d75ae
Message-Authenticator = 0xab683dac1c19264b7cefbfb39f1036e4
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 3 to 127.0.0.1 port 57434
EAP-Message =
0x01040394158000000b76406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479820900cb73058e093a87dc300c0603551d13040530030101ff300d06092a864886f70d010105050003820101006069bb5c8707f0caca80d1998f57a5ab0bf43843b6359b91085100a3fcd29348b669e5cfdff8ef56a583af32823d20a34f213a0bee64d360319eab9b6cb936a78f4345e96139b36caa0f394e850a20e9b2b96cbda103eabf7533af89f84731b82d7599a592455a0d8f10c6fc3eaebff1939d74609589fc820372df3d16414aa5c4f14e0d
EAP-Message =
0x2f4821bea23b5cff0a7d3990578d637d2644223669454da8f87a85d22cb30008a01230edcfeee10c19cab0697e3c1e98ca88ec691eebb16e6b3ecba362ed16e0d01690f4264191dc2e3d77f4af8a6481968a0c936d3e69c9f818d724f1c7e8cda71a1d424b016c9c669c153607d196eaa753a20ef07ee60b920849cd38087231067a53bc5cde17c3664302856b61f434968c22bf16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x453e5638463a433c1dde145a555d75ae
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=4,
length=334
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020400cc150016030100861000008200804947f508ab581679165a93c50e5588f04e8e34bef4b96e49115c604a5012d77ed91e7003b1e5d72cd2585c830fe047329ece54be7e4b482d67ead0b996de2c7036893af0bf556b8c2d0a345756b5f4f6c34ef3d7a438ef6596de4b722eebc538222a1ae3141433123867a99fca7debea94caf233eee09c4d1f8fc4986355b771140301000101160301003024c728b211d0593f1a575c7f570f7cd38dfbfe14c76a92baf855b3d245407a1ac4497e4349e0450a70857a9685355d39
State = 0x453e5638463a433c1dde145a555d75ae
Message-Authenticator = 0x6cb71a422ffeaad397d8c36e03ff6703
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 4 to 127.0.0.1 port 57434
EAP-Message =
0x0105004515800000003b1403010001011603010030d13042ffaa9f5208530f9d196691755fe795dbe60c277e81e11947821f2698414cce5df41150a18716654f9fee2c4068
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x453e5638413b433c1dde145a555d75ae
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 57434, id=5,
length=242
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02050070150017030100202b83edb5b87ff66b7b5d13339196f62f8e44061ac02821a6ab8f5fe44aa5ff6b17030100404de9cda8169d8c9e0969a9fb2245697166f27290ce6f23473c57364c7d5ae08e85039938f8cbb126727f888bf92807c008c7f46f8b1e0f9c42e504b25f8c3bb2
State = 0x453e5638413b433c1dde145a555d75ae
Message-Authenticator = 0x6197eff33cfffb5b484c44e49735b5d4
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0200001a017465737475736572406d65642e62672e61632e7273
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of testuser@med.bg.ac.rs
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x0200001a017465737475736572406d65642e62672e61632e7273
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser@med.bg.ac.rs"
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+- entering group authorize {...}
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012
++[auth_log] returns ok
[suffix] Looking up realm "med.bg.ac.rs" for User-Name = "testuser@med.bg.ac.rs"
[suffix] Found realm "med.bg.ac.rs"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "med.bg.ac.rs"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[ntlm_auth] expand: %{User-Name} -> testuser@med.bg.ac.rs
[ntlm_auth] expand: %{Cleartext-Password} ->
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Invalid user: [testuser@med.bg.ac.rs/<via Auth-Type = ntlm_auth>] (from client localhost port 0 via TLS tunnel)
} # server eduroam-inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user testuser@med.bg.ac.rs
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client
localhost port 0 cli 02-00-00-00-00-01)
} # server eduroam
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 5 to 127.0.0.1 port 57434
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Cleaning up request 1 ID 1 with timestamp +5
Cleaning up request 2 ID 2 with timestamp +5
Cleaning up request 3 ID 3 with timestamp +5
Cleaning up request 4 ID 4 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.
--
*Veselin Mijušković*
Senior System Administrator
School of Electrical Engineering's Computing Centre
University of Belgrade * Serbia * www.etf.bg.ac.rs
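The inner-tunnel request in the debug output above carries only an EAP Identity response, and with phase2="auth=MD5" the next thing the supplicant sends is an EAP-MD5 challenge response: MD5(identifier || password || challenge), which the server can only verify against a known-good cleartext password and from which the password itself cannot be read back, so %{User-Password} has nothing to expand to. The following added example (not code from the post or from FreeRADIUS) decodes the EAP-Message values shown in the debug output and builds and verifies such an EAP-MD5 exchange; CHALLENGE is a constructed 16-byte value, not one taken from the page.

```python
"""Decode EAP-Message values from radiusd -X and walk through an EAP-MD5 exchange."""
import hashlib
import hmac

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 21: "TTLS"}

# EAP-Message values copied from the debug output above
PAGE_MESSAGES = {
    "outer identity": "0x0200000e01616e6f6e796d6f7573",
    "ttls start": "0x010100061520",
    "inner identity": "0x0200001a017465737475736572406d65642e62672e61632e7273",
    "final failure": "0x04050004",
}

# Constructed challenge for the worked EAP-MD5 exchange (not from the page)
CHALLENGE = bytes(range(16))


def parse_eap(hexstr):
    """Decode one EAP packet: RFC 3748 header plus the type-specific payload."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length field does not match packet size")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):          # Success/Failure carry no type byte
        return pkt
    eap_type, payload = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:               # Identity: the NAI in cleartext
        pkt["identity"] = payload.decode("utf-8")
    elif eap_type == 4:             # MD5-Challenge: Value-Size, Value, Name
        size = payload[0]
        pkt["value"] = payload[1:1 + size]
        pkt["name"] = payload[1 + size:].decode("utf-8")
    elif eap_type == 21:            # EAP-TTLS: flags byte, S bit (0x20) = Start
        pkt["flags"] = payload[0]
        pkt["start"] = bool(payload[0] & 0x20)
    return pkt


def md5_response_value(ident, password, challenge):
    """RFC 3748 section 5.4 (CHAP, RFC 1994): MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def build_md5_response(ident, password, challenge, name):
    """The packet a supplicant sends inside the TTLS tunnel for phase2="auth=MD5"."""
    value = md5_response_value(ident, password, challenge)
    payload = bytes([4, len(value)]) + value + name.encode("utf-8")
    length = 4 + len(payload)
    return bytes([2, ident]) + length.to_bytes(2, "big") + payload


def verify_md5_response(pkt, challenge, known_good_password):
    """Server-side check: it needs the cleartext password; the response alone never yields it."""
    expected = md5_response_value(pkt["id"], known_good_password, challenge)
    return hmac.compare_digest(pkt["value"], expected)


def password_in_packet(pkt_bytes, password):
    """True only if the password is carried literally, which EAP-MD5 never does."""
    return password.encode("utf-8") in pkt_bytes


if __name__ == "__main__":
    for label, hexstr in PAGE_MESSAGES.items():
        print(f"{label:15s} {parse_eap(hexstr)}")
    resp = build_md5_response(1, "proba.321", CHALLENGE, "testuser@med.bg.ac.rs")
    pkt = parse_eap(resp.hex())
    print("MD5-Challenge response verifies:", verify_md5_response(pkt, CHALLENGE, "proba.321"))
    print("password bytes present in packet:", password_in_packet(resp, "proba.321"))
```

By contrast, a TTLS inner method of PAP delivers a User-Password attribute in the tunneled request, which is the case in which an exec-based check such as the one in the post could receive a cleartext password.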