FR 3.0 with eDir
Hubert Kupper
kupper at uni-landau.de
Wed Dec 18 13:49:23 CET 2013
On 18.12.2013 10:54, Hubert Kupper wrote:
> On 18.12.2013 10:16, Olivier Beytrison wrote:
>> On 18.12.2013 09:56, Hubert Kupper wrote:
>>> Bingo. You are right. When I use ldaps, the ldap bind is now
>>> successful.
>>> With FR 2.x on OpenSuse 12.3, both ldap and ldaps work.
>> Good news !
>>
>>> (9) ldap : Added eDirectory password in check items as
>>> Cleartext-Password = pwddummy
>> Is that the password you used to test the authentication ?
>>
>>> (9) mschap : Creating challenge hash with username: dumm
>>> (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
>>> (9) mschap : FAILED: MS-CHAP2-Response is incorrect
>>> (9) [mschap] = reject
>> It looks like you provided the wrong password.
>>
>> Olivier
> No, I used "pwddummy" only in my posting. In my tests I used the right
> password for the test user dumm. With our other FR servers, the
> test user and password work fine!
>
> Hubert
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Ok, I reset the password for user dumm and tried it again. Here is
the output:
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=172, length=213
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020200090164756d6d
Message-Authenticator = 0x19d1460f5e754fa9589131e27aa1631b
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (!User-Name)
(0) ? if (!User-Name) -> FALSE
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(0) suffix : Found realm "NULL"
(0) suffix : Adding Stripped-User-Name = "dumm"
(0) suffix : Adding Realm = "NULL"
(0) suffix : Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap : EAP packet type response id 2 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa867997d
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge of id 172 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfa867997d12828dafc6890954
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=173, length=327
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x0203006919800000005f160301005a01000056030152b1966ea0268f428ae5f5a4c8c1c0d1b6ad2fa9945b4b8f9d132cce1a818aec000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
State = 0xa86480cfa867997d12828dafc6890954
Message-Authenticator = 0xb4bdc760cfea245ec3ae498b0e0303a8
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) ? if (!User-Name)
(1) ? if (!User-Name) -> FALSE
(1) ? if (User-Name != "%{tolower:%{User-Name}}")
(1) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) ? if (User-Name =~ / /)
(1) ? if (User-Name =~ / /) -> FALSE
(1) ? if (User-Name =~ /@.*@/ )
(1) ? if (User-Name =~ /@.*@/ ) -> FALSE
(1) ? if (User-Name =~ /\\.\\./ )
(1) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) ? if (User-Name =~ /\\.$/)
(1) ? if (User-Name =~ /\\.$/) -> FALSE
(1) ? if (User-Name =~ /@\\./)
(1) ? if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "dumm"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL
(1) [suffix] = ok
(1) eap : EAP packet type response id 3 length 105
(1) eap : Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0xa86480cfa867997d
(1) eap : Finished EAP session with state 0xa86480cfa867997d
(1) eap : Previous EAP request found for state 0xa86480cfa867997d, released from the list
(1) eap : Peer sent PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
TLS Length 95
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap : (other): before/accept initialization
(1) eap_peap : TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 005a], ClientHello
(1) eap_peap : TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0051], ServerHello
(1) eap_peap : TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 12e2], Certificate
(1) eap_peap : TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap : TLS_accept: SSLv3 write server done A
(1) eap_peap : TLS_accept: SSLv3 flush data
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfa960997d
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge of id 173 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfa960997d12828dafc6890954
(1) Finished request 1.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=174, length=228
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020400061900
State = 0xa86480cfa960997d12828dafc6890954
Message-Authenticator = 0xbce2adf33028b31939f2dadd25dc21a6
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) ? if (!User-Name)
(2) ? if (!User-Name) -> FALSE
(2) ? if (User-Name != "%{tolower:%{User-Name}}")
(2) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) ? if (User-Name =~ / /)
(2) ? if (User-Name =~ / /) -> FALSE
(2) ? if (User-Name =~ /@.*@/ )
(2) ? if (User-Name =~ /@.*@/ ) -> FALSE
(2) ? if (User-Name =~ /\\.\\./ )
(2) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) ? if (User-Name =~ /\\.$/)
(2) ? if (User-Name =~ /\\.$/) -> FALSE
(2) ? if (User-Name =~ /@\\./)
(2) ? if (User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(2) suffix : Found realm "NULL"
(2) suffix : Adding Stripped-User-Name = "dumm"
(2) suffix : Adding Realm = "NULL"
(2) suffix : Authentication realm is LOCAL
(2) [suffix] = ok
(2) eap : EAP packet type response id 4 length 6
(2) eap : Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0xa86480cfa960997d
(2) eap : Finished EAP session with state 0xa86480cfa960997d
(2) eap : Previous EAP request found for state 0xa86480cfa960997d, released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfaa61997d
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge of id 174 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfaa61997d12828dafc6890954
(2) Finished request 2.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=175, length=228
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020500061900
State = 0xa86480cfaa61997d12828dafc6890954
Message-Authenticator = 0x6424ccb720f6e6d11e217657449ec5b1
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) ? if (!User-Name)
(3) ? if (!User-Name) -> FALSE
(3) ? if (User-Name != "%{tolower:%{User-Name}}")
(3) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(3) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) ? if (User-Name =~ / /)
(3) ? if (User-Name =~ / /) -> FALSE
(3) ? if (User-Name =~ /@.*@/ )
(3) ? if (User-Name =~ /@.*@/ ) -> FALSE
(3) ? if (User-Name =~ /\\.\\./ )
(3) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) ? if (User-Name =~ /\\.$/)
(3) ? if (User-Name =~ /\\.$/) -> FALSE
(3) ? if (User-Name =~ /@\\./)
(3) ? if (User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(3) suffix : Found realm "NULL"
(3) suffix : Adding Stripped-User-Name = "dumm"
(3) suffix : Adding Realm = "NULL"
(3) suffix : Authentication realm is LOCAL
(3) [suffix] = ok
(3) eap : EAP packet type response id 5 length 6
(3) eap : Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0xa86480cfaa61997d
(3) eap : Finished EAP session with state 0xa86480cfaa61997d
(3) eap : Previous EAP request found for state 0xa86480cfaa61997d, released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfab62997d
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge of id 175 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfab62997d12828dafc6890954
(3) Finished request 3.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=176, length=228
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020600061900
State = 0xa86480cfab62997d12828dafc6890954
Message-Authenticator = 0xed7f6b286401975720341fcbc89f9455
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) ? if (!User-Name)
(4) ? if (!User-Name) -> FALSE
(4) ? if (User-Name != "%{tolower:%{User-Name}}")
(4) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(4) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) ? if (User-Name =~ / /)
(4) ? if (User-Name =~ / /) -> FALSE
(4) ? if (User-Name =~ /@.*@/ )
(4) ? if (User-Name =~ /@.*@/ ) -> FALSE
(4) ? if (User-Name =~ /\\.\\./ )
(4) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(4) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(4) ? if (User-Name =~ /\\.$/)
(4) ? if (User-Name =~ /\\.$/) -> FALSE
(4) ? if (User-Name =~ /@\\./)
(4) ? if (User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(4) suffix : Found realm "NULL"
(4) suffix : Adding Stripped-User-Name = "dumm"
(4) suffix : Adding Realm = "NULL"
(4) suffix : Authentication realm is LOCAL
(4) [suffix] = ok
(4) eap : EAP packet type response id 6 length 6
(4) eap : Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0xa86480cfab62997d
(4) eap : Finished EAP session with state 0xa86480cfab62997d
(4) eap : Previous EAP request found for state 0xa86480cfab62997d, released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfac63997d
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge of id 176 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfac63997d12828dafc6890954
(4) Finished request 4.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=177, length=228
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020700061900
State = 0xa86480cfac63997d12828dafc6890954
Message-Authenticator = 0x350c6496caddb678f4145338d352ff5f
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) ? if (!User-Name)
(5) ? if (!User-Name) -> FALSE
(5) ? if (User-Name != "%{tolower:%{User-Name}}")
(5) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(5) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) ? if (User-Name =~ / /)
(5) ? if (User-Name =~ / /) -> FALSE
(5) ? if (User-Name =~ /@.*@/ )
(5) ? if (User-Name =~ /@.*@/ ) -> FALSE
(5) ? if (User-Name =~ /\\.\\./ )
(5) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(5) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(5) ? if (User-Name =~ /\\.$/)
(5) ? if (User-Name =~ /\\.$/) -> FALSE
(5) ? if (User-Name =~ /@\\./)
(5) ? if (User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(5) suffix : Found realm "NULL"
(5) suffix : Adding Stripped-User-Name = "dumm"
(5) suffix : Adding Realm = "NULL"
(5) suffix : Authentication realm is LOCAL
(5) [suffix] = ok
(5) eap : EAP packet type response id 7 length 6
(5) eap : Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0xa86480cfac63997d
(5) eap : Finished EAP session with state 0xa86480cfac63997d
(5) eap : Previous EAP request found for state 0xa86480cfac63997d, released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake fragment handler
(5) eap_peap : eaptls_verify returned 1
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfad6c997d
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge of id 177 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfad6c997d12828dafc6890954
(5) Finished request 5.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=178, length=560
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020801501980000001461603010106100001020100895db16795383e66c1fbe477e6a32de3bbf7284cedcb90d740413663bb5723b9d64ebc2cd4fc722d68bbb218dd74930a5696ae34e6b6668d6da308cb4f056eaa47e914dfb5afc1ac3ea4060d56430d37b79b3f61203a2f5f13faa11be9ee39f6ad29e894d7fe443569ba4ce8c91245e17b0d198d0bdd5a5a838eaad32d44be2fa954ad8be8ca01c9542f438fd9c2018ccc398b5fc326cd2bd6610d6fe3cc57fbffca875bcd9a93c812ecf0e33f9fcbfd9c11ef94b2f730de6d2745976d5c74521cb4628257351c280ec41f32b9311cde2b72d8cb3919a5d6c8dbbee1542d0014b02ba361ac9a156fd03226538d356541c6f6a3412f5db8251c9a5a25de2ee2c81403010001011603010030119978f0e9951fc0d9d6d4850d606edc4b3339ae5452c58db1699e709dfa5d5e3f910008914565a5b8d435aa41888ce3
State = 0xa86480cfad6c997d12828dafc6890954
Message-Authenticator = 0xa0338b8ac9c33aa4898dff4aaff042fc
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) ? if (!User-Name)
(6) ? if (!User-Name) -> FALSE
(6) ? if (User-Name != "%{tolower:%{User-Name}}")
(6) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(6) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) ? if (User-Name =~ / /)
(6) ? if (User-Name =~ / /) -> FALSE
(6) ? if (User-Name =~ /@.*@/ )
(6) ? if (User-Name =~ /@.*@/ ) -> FALSE
(6) ? if (User-Name =~ /\\.\\./ )
(6) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(6) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(6) ? if (User-Name =~ /\\.$/)
(6) ? if (User-Name =~ /\\.$/) -> FALSE
(6) ? if (User-Name =~ /@\\./)
(6) ? if (User-Name =~ /@\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(6) suffix : Found realm "NULL"
(6) suffix : Adding Stripped-User-Name = "dumm"
(6) suffix : Adding Realm = "NULL"
(6) suffix : Authentication realm is LOCAL
(6) [suffix] = ok
(6) eap : EAP packet type response id 8 length 336
(6) eap : Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0xa86480cfad6c997d
(6) eap : Finished EAP session with state 0xa86480cfad6c997d
(6) eap : Previous EAP request found for state 0xa86480cfad6c997d, released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
TLS Length 326
(6) eap_peap : Length Included
(6) eap_peap : eaptls_verify returned 11
(6) eap_peap : <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
(6) eap_peap : TLS_accept: SSLv3 read client key exchange A
(6) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap : TLS_accept: SSLv3 read finished A
(6) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(6) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(6) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap : TLS_accept: SSLv3 write finished A
(6) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session e467ff943668da672a3a7da5e39dd0f027275656dc6f0b17019d463e6946fd42 to cache
(6) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(6) eap_peap : eaptls_process returned 13
(6) eap_peap : FR_TLS_HANDLED
(6) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfae6d997d
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge of id 178 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message = 0x01090041190014030100010116030100304363285a0957c59d896553101f3d7e4de5404484f6dea4258eca26e9699b520777556fd173f270a97f987c2e7a01394d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfae6d997d12828dafc6890954
(6) Finished request 6.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=179, length=228
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020900061900
State = 0xa86480cfae6d997d12828dafc6890954
Message-Authenticator = 0xba508282c219aea5755f50bf9de8429e
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) ? if (!User-Name)
(7) ? if (!User-Name) -> FALSE
(7) ? if (User-Name != "%{tolower:%{User-Name}}")
(7) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(7) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) ? if (User-Name =~ / /)
(7) ? if (User-Name =~ / /) -> FALSE
(7) ? if (User-Name =~ /@.*@/ )
(7) ? if (User-Name =~ /@.*@/ ) -> FALSE
(7) ? if (User-Name =~ /\\.\\./ )
(7) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(7) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(7) ? if (User-Name =~ /\\.$/)
(7) ? if (User-Name =~ /\\.$/) -> FALSE
(7) ? if (User-Name =~ /@\\./)
(7) ? if (User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(7) suffix : Found realm "NULL"
(7) suffix : Adding Stripped-User-Name = "dumm"
(7) suffix : Adding Realm = "NULL"
(7) suffix : Authentication realm is LOCAL
(7) [suffix] = ok
(7) eap : EAP packet type response id 9 length 6
(7) eap : Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0xa86480cfae6d997d
(7) eap : Finished EAP session with state 0xa86480cfae6d997d
(7) eap : Previous EAP request found for state 0xa86480cfae6d997d, released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : Received TLS ACK
(7) eap_peap : Received TLS ACK
(7) eap_peap : ACK handshake is finished
(7) eap_peap : eaptls_verify returned 3
(7) eap_peap : eaptls_process returned 3
(7) eap_peap : FR_TLS_SUCCESS
(7) eap_peap : Session established. Decoding tunneled attributes
(7) eap_peap : Peap state TUNNEL ESTABLISHED
(7) eap : New EAP session, adding 'State' attribute to reply 0xa86480cfaf6e997d
(7) [eap] = handled
(7) } # authenticate = handled
Sending Access-Challenge of id 179 from xxx.xx.x.xx port 1812 to xxx.xx.xxx.x port 32770
EAP-Message = 0x010a002b19001703010020be713b3d1fc2d5f5b78ada5c59f71d259becb60cfd631484fe72a2b116382a42
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfaf6e997d12828dafc6890954
(7) Finished request 7.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770, id=180, length=265
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message = 0x020a002b19001703010020d1ef31ba5764aeaecaa4d794b45d9412106b7d2d16fab86405e45bf76a79f9fd
State = 0xa86480cfaf6e997d12828dafc6890954
Message-Authenticator = 0x390272675aad0fd9a3bb808b7e842d1d
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) ? if (!User-Name)
(8) ? if (!User-Name) -> FALSE
(8) ? if (User-Name != "%{tolower:%{User-Name}}")
(8) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(8) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(8) ? if (User-Name =~ / /)
(8) ? if (User-Name =~ / /) -> FALSE
(8) ? if (User-Name =~ /@.*@/ )
(8) ? if (User-Name =~ /@.*@/ ) -> FALSE
(8) ? if (User-Name =~ /\\.\\./ )
(8) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(8) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(8) ? if (User-Name =~ /\\.$/)
(8) ? if (User-Name =~ /\\.$/) -> FALSE
(8) ? if (User-Name =~ /@\\./)
(8) ? if (User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(8) suffix : Found realm "NULL"
(8) suffix : Adding Stripped-User-Name = "dumm"
(8) suffix : Adding Realm = "NULL"
(8) suffix : Authentication realm is LOCAL
(8) [suffix] = ok
(8) eap : EAP packet type response id 10 length 43
(8) eap : Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0xa86480cfaf6e997d
(8) eap : Finished EAP session with state 0xa86480cfaf6e997d
(8) eap : Previous EAP request found for state 0xa86480cfaf6e997d, released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes
(8) eap_peap : Peap state WAITING FOR INNER IDENTITY
(8) eap_peap : Identity - dumm
(8) eap_peap : Got inner identity 'dumm'
(8) eap_peap : Setting default EAP type for tunneled EAP session
(8) eap_peap : Got tunneled request
EAP-Message = 0x020a00090164756d6d
server default {
(8) eap_peap : Setting User-Name to dumm
Sending tunneled request
EAP-Message = 0x020a00090164756d6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'dumm'
server inner-tunnel {
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(8) suffix : Found realm "NULL"
(8) suffix : Adding Stripped-User-Name = "dumm"
(8) suffix : Adding Realm = "NULL"
(8) suffix : Authentication realm is LOCAL
(8) [suffix] = ok
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : EAP packet type response id 10 length 9
(8) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Peer sent Identity (1)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : Issuing Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xee5b016dee501bdf
(8) [eap] = handled
(8) } # authenticate = handled
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010b001e1a010b0019109661dbd36e0ae001fea904bee60562ae64756d6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee5b016dee501bdf8d4c45a0081cd9a7
(8) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010b001e1a010b0019109661dbd36e0ae001fea904bee60562ae64756d6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee5b016dee501bdf8d4c45a0081cd9a7
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply
0xa86480cfa06f997d
(8) [eap] = handled
(8) } # authenticate = handled
Sending Access-Challenge of id 180 from xxx.xx.x.xx port 1812 to
xxx.xx.xxx.x port 32770
EAP-Message =
0x010b005b1900170301005073ea643c33410b75bddafebb5c6dfcb84d36924a83410e9111f31a559c3dd1583d191d435a92bab18f28ffe91e6e877127f7ad007cfbfacaead6ab6ba3a224bdad252b5049a926b9031d12e1dfa0f57d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfa06f997d12828dafc6890954
(8) Finished request 8.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770,
id=181, length=313
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message =
0x020b005b190017030100501e92d5aac9bc32d3633a445500b65cf43ba2fafff188597ff64350f659c20099cd4d3cc1b46e10d3af5d214a9117445e49ff1d0117cded672220a5889795b4b0a148f0bd43b5e703cec7f0a4271868a7
State = 0xa86480cfa06f997d12828dafc6890954
Message-Authenticator = 0xd1a70dbde1b61df2d5cb92820834b904
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) ? if (!User-Name)
(9) ? if (!User-Name) -> FALSE
(9) ? if (User-Name != "%{tolower:%{User-Name}}")
(9) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(9) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(9) ? if (User-Name =~ / /)
(9) ? if (User-Name =~ / /) -> FALSE
(9) ? if (User-Name =~ /@.*@/ )
(9) ? if (User-Name =~ /@.*@/ ) -> FALSE
(9) ? if (User-Name =~ /\\.\\./ )
(9) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(9) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(9) ? if (User-Name =~ /\\.$/)
(9) ? if (User-Name =~ /\\.$/) -> FALSE
(9) ? if (User-Name =~ /@\\./)
(9) ? if (User-Name =~ /@\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(9) suffix : Found realm "NULL"
(9) suffix : Adding Stripped-User-Name = "dumm"
(9) suffix : Adding Realm = "NULL"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) eap : EAP packet type response id 11 length 91
(9) eap : Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0xee5b016dee501bdf
(9) eap : Finished EAP session with state 0xa86480cfa06f997d
(9) eap : Previous EAP request found for state 0xa86480cfa06f997d,
released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : Got tunneled request
EAP-Message =
0x020b003f1a020b003a313eb867d7b4cd2ac386791c7fcbb3317400000000000000003772c1653fd3f345180b5ba9bd0c862349062d4fa8c63d530064756d6d
server default {
(9) eap_peap : Setting User-Name to dumm
Sending tunneled request
EAP-Message =
0x020b003f1a020b003a313eb867d7b4cd2ac386791c7fcbb3317400000000000000003772c1653fd3f345180b5ba9bd0c862349062d4fa8c63d530064756d6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'dumm'
State = 0xee5b016dee501bdf8d4c45a0081cd9a7
server inner-tunnel {
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(9) suffix : Found realm "NULL"
(9) suffix : Adding Stripped-User-Name = "dumm"
(9) suffix : Adding Realm = "NULL"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) update control {
(9) Proxy-To-Realm := 'LOCAL'
(9) } # update control = noop
(9) eap : EAP packet type response id 11 length 63
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
'(cn=dumm)'
(9) ldap : expand: "o=org" -> 'o=org'
(9) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
(9) ldap : Waiting for search result...
(9) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org"
(9) ldap : Added eDirectory password in check items as
Cleartext-Password = pwddummy
(9) ldap : Binding as user for eDirectory authorization checks
(9) ldap : Waiting for bind result...
(9) ldap : Bind successful
(9) ldap : Bind as user "cn=dumm,ou=test1,ou=test,o=org" was successful
rlm_ldap (ldap): Released connection (2)
(9) [ldap] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) WARNING: pap : Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap : Expiring EAP session with state 0xee5b016dee501bdf
(9) eap : Finished EAP session with state 0xee5b016dee501bdf
(9) eap : Previous EAP request found for state 0xee5b016dee501bdf,
released from the list
(9) eap : Peer sent MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2 : Auth-Type MS-CHAP {
(9) mschap : Creating challenge hash with username: dumm
(9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
(9) mschap : adding MS-CHAPv2 MPPE keys
(9) [mschap] = ok
(9) } # Auth-Type MS-CHAP = ok
MSCHAP Success
(9) eap : New EAP session, adding 'State' attribute to reply
0xee5b016def571bdf
(9) [eap] = handled
(9) } # authenticate = handled
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 11
EAP-Message =
0x010c00331a030b002e533d33393932423341383241334531364636313133364145443537463742314531383142423232323739
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee5b016def571bdf8d4c45a0081cd9a7
(9) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message =
0x010c00331a030b002e533d33393932423341383241334531364636313133364145443537463742314531383142423232323739
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee5b016def571bdf8d4c45a0081cd9a7
(9) eap_peap : Got tunneled Access-Challenge
(9) eap : New EAP session, adding 'State' attribute to reply
0xa86480cfa168997d
(9) [eap] = handled
(9) } # authenticate = handled
Sending Access-Challenge of id 181 from xxx.xx.x.xx port 1812 to
xxx.xx.xxx.x port 32770
EAP-Message =
0x010c008b1900170301008046339821146757e1169814d336fa5f44c5ce7a0e601f78caedb3fd62a4fa62b2f7d8d34cc19780af80a57723dadd2585f7fa37d7cdca90f4cdb16b2d35e36f36c6a4bcb7638a02e9dd200cde370816f25c171bc348b6a5282ae214face960bd0eede6e44d5006125861933e0fdc966b82a9a03e63641d184d1c5244f6023ecae
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfa168997d12828dafc6890954
(9) Finished request 9.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770,
id=182, length=265
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message =
0x020c002b19001703010020b0ac95690bead98890fb01b1789e3dcdc33e358f214f171ebe643ab87330ea1a
State = 0xa86480cfa168997d12828dafc6890954
Message-Authenticator = 0x7c14084404119159c3d9e6416e0a8110
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) ? if (!User-Name)
(10) ? if (!User-Name) -> FALSE
(10) ? if (User-Name != "%{tolower:%{User-Name}}")
(10) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(10) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(10) ? if (User-Name =~ / /)
(10) ? if (User-Name =~ / /) -> FALSE
(10) ? if (User-Name =~ /@.*@/ )
(10) ? if (User-Name =~ /@.*@/ ) -> FALSE
(10) ? if (User-Name =~ /\\.\\./ )
(10) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(10) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(10) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(10) ? if (User-Name =~ /\\.$/)
(10) ? if (User-Name =~ /\\.$/) -> FALSE
(10) ? if (User-Name =~ /@\\./)
(10) ? if (User-Name =~ /@\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(10) suffix : Found realm "NULL"
(10) suffix : Adding Stripped-User-Name = "dumm"
(10) suffix : Adding Realm = "NULL"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) eap : EAP packet type response id 12 length 43
(10) eap : Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap : Expiring EAP session with state 0xee5b016def571bdf
(10) eap : Finished EAP session with state 0xa86480cfa168997d
(10) eap : Previous EAP request found for state 0xa86480cfa168997d,
released from the list
(10) eap : Peer sent PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established. Decoding tunneled attributes
(10) eap_peap : Peap state phase2
(10) eap_peap : EAP type MSCHAPv2 (26)
(10) eap_peap : Got tunneled request
EAP-Message = 0x020c00061a03
server default {
(10) eap_peap : Setting User-Name to dumm
Sending tunneled request
EAP-Message = 0x020c00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'dumm'
State = 0xee5b016def571bdf8d4c45a0081cd9a7
server inner-tunnel {
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) [chap] = noop
(10) [mschap] = noop
(10) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(10) suffix : Found realm "NULL"
(10) suffix : Adding Stripped-User-Name = "dumm"
(10) suffix : Adding Realm = "NULL"
(10) suffix : Authentication realm is LOCAL
(10) [suffix] = ok
(10) update control {
(10) Proxy-To-Realm := 'LOCAL'
(10) } # update control = noop
(10) eap : EAP packet type response id 12 length 6
(10) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap : Expiring EAP session with state 0xee5b016def571bdf
(10) eap : Finished EAP session with state 0xee5b016def571bdf
(10) eap : Previous EAP request found for state 0xee5b016def571bdf,
released from the list
(10) eap : Peer sent MSCHAPv2 (26)
(10) eap : EAP MSCHAPv2 (26)
(10) eap : Calling eap_mschapv2 to process EAP data
(10) eap : Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) Login OK: [dumm/<via Auth-Type = EAP>] (from client uni port 0 via
TLS tunnel)
(10) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(10) post-auth {
(10) reply_log : expand:
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
-> '/var/log/radacct/xxx.xx.xxx.x/reply-detail-20131218'
(10) reply_log :
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radacct/xxx.xx.xxx.x/reply-detail-20131218
(10) reply_log : expand: "%t" -> 'Wed Dec 18 13:34:42 2013'
(10) [reply_log] = ok
(10) ldap : expand: "." -> '.'
(10) ldap : expand: "Authenticated at %S" -> 'Authenticated at
2013-12-18 13:34:42'
rlm_ldap (ldap): Reserved connection (2)
(10) ldap : Waiting for bind result...
(10) ldap : Bind successful
(10) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
'(cn=dumm)'
(10) ldap : expand: "o=org" -> 'o=org'
(10) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
(10) ldap : Waiting for search result...
(10) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org"
(10) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org"
(10) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (2)
(10) [ldap] = reject
(10) } # post-auth = reject
} # server inner-tunnel
(10) eap_peap : Got tunneled reply code 3
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x30a31126813a40c345aeaa9b3c725a4f
MS-MPPE-Recv-Key = 0x3d6d7a5365ac052cd38b9f526e56747d
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'dumm'
(10) eap_peap : Got tunneled reply RADIUS code 3
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
MS-MPPE-Send-Key = 0x30a31126813a40c345aeaa9b3c725a4f
MS-MPPE-Recv-Key = 0x3d6d7a5365ac052cd38b9f526e56747d
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
Stripped-User-Name = 'dumm'
(10) eap_peap : Tunneled authentication was rejected
(10) eap_peap : FAILURE
(10) eap : New EAP session, adding 'State' attribute to reply
0xa86480cfa269997d
(10) [eap] = handled
(10) } # authenticate = handled
Sending Access-Challenge of id 182 from xxx.xx.x.xx port 1812 to
xxx.xx.xxx.x port 32770
EAP-Message =
0x010d002b19001703010020b5173c1b2cec565ddf2100e27bc0bea6358257604cbf176f1e6b006c028fccb9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa86480cfa269997d12828dafc6890954
(10) Finished request 10.
Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host xxx.xx.xxx.x port 32770,
id=183, length=265
User-Name = 'dumm'
Calling-Station-Id = 'xx-xx-xx-xx-xx-xx'
Called-Station-Id = 'xx-xx-xx-xx-xx-xx:test'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=8b0ec8060004498d52b19663'
NAS-IP-Address = xxx.xx.xxx.x
NAS-Identifier = 'cisco'
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '219'
EAP-Message =
0x020d002b19001703010020c712a6ac4a0db2089c88254691e2fc91f9efdff20bffff880f830a5a22706162
State = 0xa86480cfa269997d12828dafc6890954
Message-Authenticator = 0xdfd550bec019140e91d79fe8c9eb081a
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) filter_username filter_username {
(11) ? if (!User-Name)
(11) ? if (!User-Name) -> FALSE
(11) ? if (User-Name != "%{tolower:%{User-Name}}")
(11) expand: "%{tolower:%{User-Name}}" -> 'dumm'
(11) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11) ? if (User-Name =~ / /)
(11) ? if (User-Name =~ / /) -> FALSE
(11) ? if (User-Name =~ /@.*@/ )
(11) ? if (User-Name =~ /@.*@/ ) -> FALSE
(11) ? if (User-Name =~ /\\.\\./ )
(11) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(11) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(11) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(11) ? if (User-Name =~ /\\.$/)
(11) ? if (User-Name =~ /\\.$/) -> FALSE
(11) ? if (User-Name =~ /@\\./)
(11) ? if (User-Name =~ /@\\./) -> FALSE
(11) } # filter_username filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(11) suffix : Found realm "NULL"
(11) suffix : Adding Stripped-User-Name = "dumm"
(11) suffix : Adding Realm = "NULL"
(11) suffix : Authentication realm is LOCAL
(11) [suffix] = ok
(11) eap : EAP packet type response id 13 length 43
(11) eap : Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = EAP
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap : Expiring EAP session with state 0xa86480cfa269997d
(11) eap : Finished EAP session with state 0xa86480cfa269997d
(11) eap : Previous EAP request found for state 0xa86480cfa269997d,
released from the list
(11) eap : Peer sent PEAP (25)
(11) eap : EAP PEAP (25)
(11) eap : Calling eap_peap to process EAP data
(11) eap_peap : processing EAP-TLS
(11) eap_peap : eaptls_verify returned 7
(11) eap_peap : Done initial handshake
(11) eap_peap : eaptls_process returned 7
(11) eap_peap : FR_TLS_OK
(11) eap_peap : Session established. Decoding tunneled attributes
(11) eap_peap : Peap state send tlv failure
(11) eap_peap : Received EAP-TLV response
(11) eap_peap : The users session was previously rejected: returning
reject (again.)
(11) eap_peap : *** This means you need to read the PREVIOUS messages
in the debug output
(11) eap_peap : *** to find out the reason why the user was rejected
(11) eap_peap : *** Look for "reject" or "fail". Those earlier
messages will tell you
(11) eap_peap : *** what went wrong, and how to fix the problem
SSL: Removing session
e467ff943668da672a3a7da5e39dd0f027275656dc6f0b17019d463e6946fd42 from
the cache
(11) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP
sub-module failed
(11) eap : Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP
sub-module failed): [dumm/<via Auth-Type = EAP>] (from client uni port 1
cli xx-xx-xx-xx-xx-xx)
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Post-Auth-Type REJECT {
(11) attr_filter.access_reject : expand: "%{User-Name}" -> 'dumm'
(11) attr_filter.access_reject : Matched entry DEFAULT at line 11
(11) [attr_filter.access_reject] = updated
(11) ldap : expand: "." -> '.'
(11) ldap : expand: "Authenticated at %S" -> 'Authenticated at
2013-12-18 13:34:42'
rlm_ldap (ldap): Reserved connection (2)
(11) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
'(cn=dumm)'
(11) ldap : expand: "o=org" -> 'o=org'
(11) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
(11) ldap : Waiting for search result...
(11) ldap : User object found at DN "cn=dumm,ou=test1,ou=test,o=org"
(11) ldap : Modifying object with DN "cn=dumm,ou=test1,ou=test,o=org"
(11) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (2)
(11) [ldap] = reject
(11) } # Post-Auth-Type REJECT = reject
(11) Finished request 11.
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
(11) Sending delayed reject
Sending Access-Reject of id 183 from xxx.xx.x.xx port 1812 to
xxx.xx.xxx.x port 32770
EAP-Message = 0x040d0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 172 with timestamp +22
(1) Cleaning up request packet ID 173 with timestamp +22
(2) Cleaning up request packet ID 174 with timestamp +22
(3) Cleaning up request packet ID 175 with timestamp +22
(4) Cleaning up request packet ID 176 with timestamp +22
(5) Cleaning up request packet ID 177 with timestamp +22
(6) Cleaning up request packet ID 178 with timestamp +22
(7) Cleaning up request packet ID 179 with timestamp +22
(8) Cleaning up request packet ID 180 with timestamp +22
(9) Cleaning up request packet ID 181 with timestamp +22
(10) Cleaning up request packet ID 182 with timestamp +22
Waking up in 1.0 seconds.
(11) Cleaning up request packet ID 183 with timestamp +22
Ready to process requests
Signalled to terminate
Exiting normally
rlm_ldap (ldap): Removing connection pool
rlm_ldap (ldap): Closing connection (2)
rlm_ldap (ldap): Closing connection (1)
rlm_ldap (ldap): Closing connection (0)