Question about EAP-TTLS session resumption

stefan.paetow at diamond.ac.uk
Mon Apr 29 14:39:41 CEST 2013


Hi, 

We're trying to put together an EAP-TTLS authentication solution with another open-source authentication server (Jasig CAS). We've found that only the first authentication process succeeds, but everything else after fails. In order for us to pinpoint whether this is a problem in the CAS software or the JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm with the Radius experts on the list that I have some things right.

As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 (session resumption) more in particular, the EAP-TTLS session should only be resumed if the client was successfully authenticated with the server. So am I correct in saying that if an EAP-TTLS session was established and a username and password were passed through the tunnel that were not successfully authenticated (i.e. the password was incorrect), the session cannot be resumed and should start again, i.e. a new tunnel session should be negotiated and the authentication request retried?

What we've seen is that the radiusd -X output shows a full EAP-TTLS session negotiation the first time, but then only a resumption (or at least that's what FreeRADIUS assumes, based on the debug output) of the session to continue. FreeRADIUS then sees the EAP handler fail. 

Should that session (i.e. 'request 7 ID 9') have been renegotiated and restarted because the user-password combination of 'bob' and 'test' is invalid? 

-- begin of debug output --

Ready to process requests.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=2, length=53
	User-Name = "bob"
	EAP-Message = 0x0200000801626f62
	Message-Authenticator = 0xeec2f0280b8274f92fc902a15122729c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.23.6.33 port 49802
	EAP-Message = 0x010100061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xee0ac522ee0bd0bfaaf533badfdea46d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=3, length=135
	User-Name = "bob"
	State = 0xee0ac522ee0bd0bfaaf533badfdea46d
	EAP-Message = 0x020100481500160301003d010000390301517e66cc1774b02aba3b0067774c719d9a7c24c36fb94a5d97f862a59f866bd30000120039003800330032001600130035002f000a0100
	Message-Authenticator = 0x93d337adcf53e180ece72e8e881f3022
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 003d], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.23.6.33 port 49802
	EAP-Message = 0x0102040015c000000aad160301002a020000260301517e66cc4dd7399c18c8e95722c093c30c18a2b3549d244021917a9abb3cf70c00003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
	EAP-Message = 0x301e170d3133303332383130343130335a170d3133303532373130343130335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c2361ca9a23bfb2d48d6a3c5f76e83350f2a58e42587f9adc4de3612058d892aa23524ebdd297ca35a4f8c0611df6c3c5fefe1960457461c408837e5a510
	EAP-Message = 0xa73082038fa0030201020209
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xee0ac522ef08d0bfaaf533badfdea46d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=4, length=69
	User-Name = "bob"
	State = 0xee0ac522ef08d0bfaaf533badfdea46d
	EAP-Message = 0x020200061500
	Message-Authenticator = 0x70dbb506dd3e90f77ccd778face63bce
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 4 to 172.23.6.33 port 49802
	EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090084f610431892d8fc300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100998e6624f26413f190607c91e2c1980a631e7502118553724829370404c2a76be99df3f8fc002ab9d5058e545a4fba5d5141ee1289e23210e2a68046e2f84f251d8a2aac18bf7d480882dc7bab3b
	EAP-Message = 0x6e17558a9a641e99eb1dd950
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xee0ac522ec09d0bfaaf533badfdea46d
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=5, length=69
	User-Name = "bob"
	State = 0xee0ac522ec09d0bfaaf533badfdea46d
	EAP-Message = 0x020300061500
	Message-Authenticator = 0xc5b78f00d90d9000f380c6c4ffbf1e03
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 5 to 172.23.6.33 port 49802
	EAP-Message = 0xa0a20b93710c7261920e086b869d8830fd2b364478a99aad88e55943423ed0e9685288e1a6296eafc1e6ecbfd23814050ac1be7fb16f7a14e18cf093e42d6ef9c5e76b56f4c8dfbd1190faaf3612164971be6ed9afad7139baee74ad1fd919830e4dd47e5c39323f8c30ad328883d247faf64041a8fc47e6900b1fe4d32fe34bb1570021cd2eb41e84fd085c44c0c4fa850c993265052d2d736bf5b618ddfa80ef1d38a3fc4b7adf22e4cd87dc042e7b6532a38c7f3ff378502cba9ef44e929e31984e44cc10803a16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xee0ac522ed0ed0bfaaf533badfdea46d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=6, length=283
	User-Name = "bob"
	State = 0xee0ac522ed0ed0bfaaf533badfdea46d
	EAP-Message = 0x020400dc150016030100861000008200807a3e5b1c5275fc1a5d9703a1869a10c97c0a5d952ef68856282db3247caa800e92f99db7e955628d4b8169744a4041bdeb9283fe6325b96111d66b23fbc6a9d08247e07848ee4b455e093eb0c42ddbb1471c7a7d767d000578d9a72d98f3f10a6867235b586db242befec8b05e9fc7f6290035a891c22ed8dcd63e7c281d0e2714030100010116030100403c4b17cf47865ca8145dadaa0ccaf7e4583434a078dfac613f87a2ab57bab4268a49102b25db060671325f131472762ba222400f2922d8b86a1c41b4929a6d77
	Message-Authenticator = 0xab95b02d63cd2fce1e5d84f12d46df51
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 220
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 6 to 172.23.6.33 port 49802
	EAP-Message = 0x0105004515800000003b1403010001011603010030bfce3580cef44ecb9c8167c8936362b0e3d27e143628bced69d63ee326962203b07bfdce8c5ff92be9a767135dfa174e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xee0ac522ea0fd0bfaaf533badfdea46d
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=7, length=69
	User-Name = "bob"
	State = 0xee0ac522ea0fd0bfaaf533badfdea46d
	EAP-Message = 0x020500061500
	Message-Authenticator = 0xed6e7eafb52ef1f2d6420942208619b7
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3 
[ttls] eaptls_process returned 3 
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.23.6.33 port 49802
	EAP-Message = 0x0106000a158000000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xee0ac522eb0cd0bfaaf533badfdea46d
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=8, length=175
	User-Name = "bob"
	State = 0xee0ac522eb0cd0bfaaf533badfdea46d
	EAP-Message = 0x02060070150017030100204bd552b4e34fa7ad1f304d79a10e0268d458c78c0ab0a4dfa7e5eba562ad977f170301004070b2bbfb2617b0c7e477b6bb36c0d1264019ac58b3994ee3b2a5567d091719ca07f880770713cc8b6813b2d08ab93c50f4a07d3e3a361a7fd95a8dba52d56ade
	Message-Authenticator = 0xcef7f32703068c422db34b44728943c9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	User-Name = "bob"
	User-Password = "test"
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	User-Name = "bob"
	User-Password = "test"
	FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> bob
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 8 to 172.23.6.33 port 49802
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 2 with timestamp +56
Cleaning up request 1 ID 3 with timestamp +56
Cleaning up request 2 ID 4 with timestamp +56
Cleaning up request 3 ID 5 with timestamp +56
Waking up in 0.1 seconds.
Cleaning up request 4 ID 6 with timestamp +56
Cleaning up request 5 ID 7 with timestamp +56
Waking up in 1.0 seconds.
Cleaning up request 6 ID 8 with timestamp +56
Ready to process requests.
rad_recv: Access-Request packet from host 172.23.6.33 port 49808, id=9, length=55
	User-Name = "steve"
	EAP-Message = 0x0200000801626f62
	Message-Authenticator = 0xc73f5d44c09c2e24670ad724fb07ec95
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> steve
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 9 to 172.23.6.33 port 49808
Waking up in 4.9 seconds.
Cleaning up request 7 ID 9 with timestamp +78
Ready to process requests.

-- end of debug --

Stefan Paetow

-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
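A decoder for the EAP-Message attributes in a debug capture like the one above, added here as an example (it is not part of the post and not FreeRADIUS code). Whether a TLS client is asking to resume a session is visible on the wire: a ClientHello that carries a non-empty session ID is a resumption attempt, an empty one is a full handshake. The code pulls the EAP header, the EAP-TTLS flags and the ClientHello out of the hex strings copied from the output above (`0x0200000801626f62` and the id=3 request), reports whether resumption was requested, and also performs the EAP-Identity versus outer User-Name comparison that the `[eap] Identity does not match User-Name` line refers to. The second ClientHello, with a 32-byte session ID, is constructed here purely to show the other branch; the helper names are my own.

```python
"""Decode EAP / EAP-TTLS packets copied from FreeRADIUS debug output (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_TYPE_IDENTITY = 1
EAP_TYPE_TTLS = 21          # 0x15 in the hex dumps
TLS_RT_HANDSHAKE = 0x16
TLS_HS_CLIENT_HELLO = 0x01

# Captured from the debug output above (outer EAP-Message attributes).
CAPTURED_IDENTITY = "0x0200000801626f62"
CAPTURED_CLIENT_HELLO = (
    "0x020100481500160301003d010000390301517e66cc1774b02aba3b0067774c719d9a7c24c3"
    "6fb94a5d97f862a59f866bd30000120039003800330032001600130035002f000a0100"
)


@dataclass
class EapPacket:
    code: int                 # 1 Request, 2 Response, 3 Success, 4 Failure
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure
    type_data: bytes


@dataclass
class TtlsPayload:
    length_included: bool     # L flag (0x80): 4-byte total message length follows
    more_fragments: bool      # M flag (0x40)
    start: bool               # S flag (0x20)
    version: int              # low 3 bits
    message_length: Optional[int]
    tls_data: bytes


@dataclass
class ClientHello:
    version: Tuple[int, int]
    session_id: bytes
    cipher_suites: List[int]


def parse_eap(hexstr: str) -> EapPacket:
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    if raw[0] in (3, 4):
        return EapPacket(raw[0], raw[1], length, None, b"")
    return EapPacket(raw[0], raw[1], length, raw[4], raw[5:])


def parse_ttls(type_data: bytes) -> TtlsPayload:
    flags = type_data[0]
    msg_len, pos = None, 1
    if flags & 0x80:
        msg_len = int.from_bytes(type_data[1:5], "big")
        pos = 5
    return TtlsPayload(bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20),
                       flags & 0x07, msg_len, type_data[pos:])


def parse_client_hello(tls: bytes) -> Optional[ClientHello]:
    """Return the ClientHello inside a single, unfragmented TLS record, else None."""
    if len(tls) < 5 or tls[0] != TLS_RT_HANDSHAKE:
        return None
    body = tls[5:5 + int.from_bytes(tls[3:5], "big")]
    if len(body) < 4 or body[0] != TLS_HS_CLIENT_HELLO:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = (hello[0], hello[1])
    pos = 2 + 32                              # protocol version + client random
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return ClientHello(version, session_id, suites)


def resumption_attempted(hello: ClientHello) -> bool:
    """A non-empty session ID means the client asked the server to resume."""
    return len(hello.session_id) > 0


def identity_mismatch(outer_user_name: str, pkt: EapPacket) -> Optional[str]:
    """Return the EAP Identity when it differs from the RADIUS User-Name, else None."""
    if pkt.eap_type != EAP_TYPE_IDENTITY:
        return None
    identity = pkt.type_data.decode("utf-8", "replace")
    return identity if identity != outer_user_name else None


def build_eap_ttls_client_hello(session_id: bytes, suites=(0x0039, 0x002F)) -> str:
    """Constructed sample only: an EAP-TTLS Response carrying a ClientHello."""
    body = b"\x03\x01" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    tls = b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
    eap_len = 4 + 2 + len(tls)
    return "0x" + (b"\x02\x01" + eap_len.to_bytes(2, "big") + b"\x15\x00" + tls).hex()


if __name__ == "__main__":
    pkt = parse_eap(CAPTURED_CLIENT_HELLO)
    hello = parse_client_hello(parse_ttls(pkt.type_data).tls_data)
    print("captured ClientHello resumption attempt:", resumption_attempted(hello))
    print("identity vs User-Name 'steve':", identity_mismatch("steve", parse_eap(CAPTURED_IDENTITY)))
```

Run against the capture, the id=3 ClientHello has an empty session ID, so the client was starting a full handshake rather than resuming; the later id=9 request is an EAP Identity response whose identity does not match the outer User-Name, which is the check FreeRADIUS reports just before the handler fails. Fragmented TLS records (the server's certificate chain above spans several EAP-Messages with the L and M flags set) need reassembly first; this decoder deliberately handles only a ClientHello that fits in one record.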