errors when check with huntgroup
Bertrand Poulet
bertrand.poulet at pasteur-lille.fr
Fri Mar 15 09:18:43 CET 2013
Hi,
> Subject: Re: errors when check with huntgroup
>
>
> hi,
>
> you've edited a whole lot of stuff out of your debug log...including
> the stuff which actually matters where the failure actually occurs
> (you just kept the part where the end result was recorded).
>
> alan
>
Below is the full output (radiusd -X) when the user's access is rejected.
I compared it with the output when it succeeded, and it differs from the one below
at "++[files] returns noop".
I put the words " <<<=== FIRST DIFFERENCE" there to make it easy to find.
users file contains:
bp3 Cleartext-Password := "test" , Calling-Station-Id == "844b.f5b8.d423" , Cisco-AVPair == "ssid=ipl_dsi" , Huntgroup-Name == "wifi"
With ' , Huntgroup-Name == "wifi"' present, the reject occurs.
huntgroup file contains:
wifi NAS-IP-Address == 172.20.100.53
Thanks for any help.
Bertrand.
radiusd -X
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Mar 11
2013 at 13:51:19
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/cache
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/radrelay
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "secret"
nastype = "other"
}
client 172.20.100.53 {
require_message_authenticator = no
secret = "iplradioshared53"
shortname = "net-ap-A1-1-53"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
private_key_password = "donnezmoiunlevier"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /usr/local/etc/raddb/huntgroups
reading pairlist file /usr/local/etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /usr/local/etc/raddb/users
reading pairlist file /usr/local/etc/raddb/acct_users
reading pairlist file /usr/local/etc/raddb/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 36347
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=52, length=162
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0xe401af4dc9f01c6140abfcf4a0c4adf8
EAP-Message = 0x0202000801627033
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry bp3 at line 212
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 52 to 172.20.100.53 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df6005d0eefd992b197fe0a3305b3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=53, length=277
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0x51b97c04d114b931a490a5ec503d43be
EAP-Message =
0x0203006919800000005f160301005a0100005603015142d5a914bebec7e6d72f2d81dcaa5b163d71838d4a545e8f6eb7f4c8013a29000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df6005d0eefd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06ff], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 53 to 172.20.100.53 port 1645
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
0xf406f4c5e54942223cd857ddf60046b87ab62842a6e90c556cf57ac6c9ad3368f94f91066de015c1c92b8d709af2c4031ac8b706253734b10d5d67fb10ba457ed72211e16249d1a5ee4487a915ceab475c100003f8308203f43082035da003020102020100300d06092a864886f70d01010405003081b3310b3009060355040613024652310d300b060355040813044e6f7264310e300c060355040713054c696c6c6531223020060355040a1419496e7374697475745f506173746575725f64655f4c696c6c653121301f060355040b13186d617877656c6c2e706173746575722d6c696c6c652e6672311630140603550403130d506173746575722d
EAP-Message = 0x6c696c6c653126302406092a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df6005c09efd992b197fe0a3305b3
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=54, length=178
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0xe4da8ee89142ba06f191d43d67b6d5d6
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df6005c09efd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 54 to 172.20.100.53 port 1645
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
0xb6339e7db4bf29e726e62c6a1248d4499676238d797fa0221dac93cc3a0bb16137dd3464cd8efd3e8cc02013755a3f1d01c6108c1609ed3fd80eed2ad3cdaccb074f796a37d3396cf68aafd08a8cdd446ea81c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df6005f08efd992b197fe0a3305b3
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=55, length=380
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0x363c88d81d36200aee279a85cd29a0f7
EAP-Message =
0x020500d01980000000c616030100861000008200802bb710cd435bb244e719571aad73ae7dc9adb196f3091764ed9b8c831d431af3fa52fc33d4edbf43fd0a6afb624bfc185da52157ab13896520b28584acf052e656f557d2e1320f3d478a638af1f266a0019241cbf963073efeaa44889ee04b47de9234fb2fb11fa450f7a7064a3f369df717e22102cc96368bf78a248b34301514030100010116030100302ac5d38fa9168176ea2934166b5eb747063e89de89f47f56957bbab13d96c6c7409e6bc78675e7b6daa778b35391d57a
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df6005f08efd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 55 to 172.20.100.53 port 1645
EAP-Message =
0x01060041190014030100010116030100304ea7885a78c4a44e77c49aa00f0cf0c1bd8c9433a85e049ce363d0739a3c31246b0964a2d3c14fe878ebfbc601c69899
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df6005e0befd992b197fe0a3305b3
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=56, length=178
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0xd176f3c2fcf37c2b129fbf72ac15f4e3
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df6005e0befd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 56 to 172.20.100.53 port 1645
EAP-Message =
0x0107002b19001703010020d73ee234564312f0aac58cb5d36bf9f2ce8bf7b0e67f47481a76b66ba323f79c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df600590aefd992b197fe0a3305b3
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=57, length=215
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0x63a3b90b0132832b0dfa47177f22bffc
EAP-Message =
0x0207002b19001703010020d060e0b23e11b4cb2312d853ec239ceb35ce3c520ec432457e48de8547a54f4b
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df600590aefd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - bp3
[peap] Got inner identity 'bp3'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000801627033
server {
[peap] Setting User-Name to bp3
Sending tunneled request
EAP-Message = 0x0207000801627033
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop <<<=== FIRST DIFFERENCE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0108001d1a0108001810d2e75f8c502dc884626f434900ca627d627033
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7eccccc17ec4d6654d9cd951e2161559
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0108001d1a0108001810d2e75f8c502dc884626f434900ca627d627033
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7eccccc17ec4d6654d9cd951e2161559
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 57 to 172.20.100.53 port 1645
EAP-Message =
0x0108003b190017030100304632ad3a92925ae22d91713494cf597ae8c285803f64e9836162622c1448dc06806127143b63496eb4949e1d09c3bc4d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df6005805efd992b197fe0a3305b3
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=58, length=263
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0xf68e507bb1d7ba85220eea1efd3b8860
EAP-Message =
0x0208005b190017030100509143a1dc15faf890dbaad0062fe688eb49c5e68a662a512030cef139c6a9df2cecfbacfba0e8055cf05b332e4fe29a603547c3f079b70a5f7e3312201dce872cab36dca8a39681feec4e099f1b77b8ab
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df6005805efd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0208003e1a020800393144f9bd9926ec2d6fe43c53ef12569056000000000000000067640068a77a256b9fa458ea1e5164714e53b657b522e39d00627033
server {
[peap] Setting User-Name to bp3
Sending tunneled request
EAP-Message = 0x0208003e1a020800393144f9bd9926ec2d6fe43c53ef12569056000000000000000067640068a77a256b9fa458ea1e5164714e53b657b522e39d00627033
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "bp3"
State = 0x7eccccc17ec4d6654d9cd951e2161559
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: bp3
[mschap] Client is using MS-CHAPv2 for bp3, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 58 to 172.20.100.53 port 1645
EAP-Message = 0x0109002b190017030100208ae32fccfa52f34b8f7ac8e930fddff5e17154492963a564bf2de64107eaed35
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5d0df6005b04efd992b197fe0a3305b3
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645, id=59, length=215
User-Name = "bp3"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0x926a420b295742cbecd275130c10953b
EAP-Message = 0x0209002b1900170301002081e0b9e52fc870ee671da2029ee88b22106c1aa6e6200820a858b01e7fb2130b
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "766"
NAS-Port = 766
State = 0x5d0df6005b04efd992b197fe0a3305b3
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bp3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bp3
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 59 to 172.20.100.53 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 52 with timestamp +19
Cleaning up request 1 ID 53 with timestamp +19
Cleaning up request 2 ID 54 with timestamp +19
Cleaning up request 3 ID 55 with timestamp +19
Cleaning up request 4 ID 56 with timestamp +19
Cleaning up request 5 ID 57 with timestamp +19
Cleaning up request 6 ID 58 with timestamp +19
Waking up in 1.0 seconds.
Cleaning up request 7 ID 59 with timestamp +19
Ready to process requests.
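The PEAP module's own advice in the log above is to look for "reject" or "fail" in the earlier output. The following is an added triage script, not part of the original post and not FreeRADIUS code: it walks a radiusd -X transcript, tracks which virtual server and section each module return code belongs to, and reports the first module that returned reject/fail/invalid together with the FAILED lines leading up to it. The embedded sample is a constructed excerpt of the posted log (request id 58, outer authorize plus the inner-tunnel run). Applied to that excerpt it reproduces the poster's "first difference": in the inner-tunnel authorize section `files` returns noop, so no Cleartext-Password reaches the control list and mschap fails with "No NT/LM-Password". The script also lists which modules actually ran in a section; note that the posted inner-tunnel authorize section does not include preprocess, the module that reads the huntgroups file.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the radiusd -X output quoted in the post (request id 58).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.20.100.53 port 1645, id=58, length=263
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
++[suffix] returns noop
++[eap] returns ok
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[control] returns noop
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
"""

# Line shapes taken from the 2.x debug output format shown in the post.
RC_RE = re.compile(r"^\+\+\[(?P<module>[\w.]+)\] returns (?P<rc>\w+)$")
SECTION_RE = re.compile(r"^\+- entering group (?P<section>\w+) \{")
SERVER_OPEN_RE = re.compile(r"^server (?P<name>[\w-]+) \{$")
SERVER_CLOSE_RE = re.compile(r"^\} # server ")
FAIL_RE = re.compile(r"\bFAILED\b|\breject", re.IGNORECASE)

FAILING_RCS = ("reject", "fail", "invalid")


def analyse(log_text):
    """Return (modules, failures).

    modules:  OrderedDict keyed by (virtual server, section) -> list of
              (module, return code) in the order the server logged them.
    failures: list of (virtual server, section, line) for lines that
              mention FAILED or reject, in log order.
    The outer virtual server is the "default" site until a nested
    "server X {" block is entered; "} # server X" returns to it.
    """
    server, section = "default", None
    modules = OrderedDict()
    failures = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVER_OPEN_RE.match(line)
        if m:
            server, section = m.group("name"), None
            continue
        if SERVER_CLOSE_RE.match(line):
            server, section = "default", None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = RC_RE.match(line)
        if m:
            modules.setdefault((server, section), []).append((m.group("module"), m.group("rc")))
            continue
        if FAIL_RE.search(line):
            failures.append((server, section, line))
    return modules, failures


def first_reject(modules):
    """First (server, section, module, rc) whose rc is reject/fail/invalid, or None."""
    for (server, section), calls in modules.items():
        for module, rc in calls:
            if rc in FAILING_RCS:
                return server, section, module, rc
    return None


def modules_run(modules, server, section):
    """Names of the modules that logged a return code in the given server/section."""
    return [module for module, _ in modules.get((server, section), [])]


if __name__ == "__main__":
    mods, fails = analyse(SAMPLE_LOG)
    print("first failing module:", first_reject(mods))
    print("inner-tunnel authorize ran:", modules_run(mods, "inner-tunnel", "authorize"))
    for server, section, line in fails:
        print("%s/%s: %s" % (server, section, line))
```

Feed it a full radiusd -X capture rather than the excerpt to locate the failing request; the (server, section) keys let you see at a glance whether a check in the users file is being evaluated in the outer server or inside the tunnel, which is where EAP-PEAP/MSCHAPv2 actually looks up the password.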
More information about the Freeradius-Users
mailing list