TTLS w/MSCHAPv2 over Ubuntu 13.10 WiFi client failing

Mailing Lists balabaster.freeradius at outlook.com
Wed Oct 30 18:59:03 CET 2013


Problem
=======

I've gone through the documentation for the setup and configuration of FreeRADIUS 2.2 to use Tunnelled TLS with MSCHAPv2 on my DD-WRT (Mega) router. All seems to be in good shape on the router end of things, kinda, in that artificial testing says that it's correctly configured and working correctly, but real-world usage fails. So I'm a bit confused and could do with some other eyes to point me in the right direction.

I'm having some issues connecting via the Ubuntu 13.10 WiFi client specifically when trying to connect using TTLS - other configurations (i.e. TLS, PEAP etc.) appear to function okay.

Tests
=====

1). I've run radtest, both locally on the router and over the wire from my computer using:

radtest MyTestUser MyTestPassword 192.168.1.1 1812 -sSharedSecretKey

Result: Access-Accept for both tests.

2). I've run eapol_test over the wire from my computer using various configuration sets for peap-mschapv2, eap-tls, ttls-pap and ttls-eap-mschapv2 along with the certificates I'd generated and copied to the router. The following command and variations of the following configuration show SUCCESS:

eapol_test -a192.168.1.1 -p1812 -c/path/to/eapol_test/eapol_test.conf -sSharedSecretKey


Content of eapol_test.conf:

network={
        ssid="MyTestNetwork"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="MyTestUser"
        anonymous_identity="anonymous"
        password="MyTestUserPassword"
        phase2="autheap=MSCHAPv2"
        ca_cert="/etc/freeradius/certs/ca.pem"
}


Observations
============

If I attempt to connect using Ubuntu's built in Wi-Fi client using TLS or PEAP, everything is fine. However, if I attempt to connect using Tunnelled TLS, which is the protocol I'd prefer to use, that's when I get hit with the failure. It doesn't work at all, for PAP, CHAP, MSCHAPv1 or MSCHAPv2.

Looking through the log to compare the ttls-eap-mschapv2 output from the eapol_test against the log generated by Ubuntu's wifi client, I notice that one of the requests (3 in log attached) appears to pass a dynamically generated username and the shared secret that I defined in my clients.conf file which gets summarily rejected (as detailed in the log attached) whereas looking at the eapol_test log the User-Name parameter in every Access-Request packet is *always* "Anonymous"; does that matter(?)...
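To make the comparison above easier to do by eye, here is an added example (my own code, not from the original post or from FreeRADIUS) that walks the `radiusd -X` output below, decodes the EAP header inside each EAP-Message, and flags any Access-Request that carries no EAP-Message at all; the sample log embedded in it is excerpted from this post. It shows the server first offering PEAP (its default_eap_type), the client answering with an EAP Nak for TTLS (type 21), and the MAC-named request that carries only User-Password = the NAS shared secret.

```python
"""Added example, not from the original post: decode the EAP-Message values
in a FreeRADIUS 2.x `radiusd -X` log and flag Access-Requests with no EAP."""
import re
from dataclasses import dataclass, field

# EAP codes and method types (RFC 3748; EAP-TTLS is type 21, RFC 5281).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP",
             26: "MSCHAPv2"}

# Constructed sample: four Access-Requests from the log in this post (the
# ClientHello one omitted), wrapped lines joined, unrelated attributes dropped.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=131
User-Name = "anonymous"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x010100061920
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
User-Name = "anonymous"
EAP-Message = 0x020100060315
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 192.168.1.1 port 58076, id=11, length=80
User-Name = "c48508cf0a6c"
User-Password = "SharedSecretKey"
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
User-Name = "anonymous"
EAP-Message = 0x020300061500
"""

@dataclass
class AccessRequest:
    src: str                                   # NAS address:port
    attrs: dict = field(default_factory=dict)  # request attributes
    reply: dict = field(default_factory=dict)  # Access-Challenge attributes

def decode_eap(hexstr):
    """Decode the EAP header and the start of the payload of one EAP-Message
    attribute value such as 0x020100060315."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(data) > 4:
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                       # Identity: the NAI follows
            info["identity"] = data[5:length].decode("ascii", "replace")
        elif eap_type == 3:                     # Nak: types the peer wants
            info["wanted"] = [EAP_TYPES.get(t, t) for t in data[5:length]]
        elif eap_type in (13, 21, 25) and len(data) > 5:
            info["start"] = bool(data[5] & 0x20)  # TLS-method S (Start) flag
    return info

def parse_requests(log_text):
    """Group the attribute lines of each rad_recv Access-Request together
    with those of the Access-Challenge the server sends back for it."""
    reqs, cur, target = [], None, None
    for line in log_text.splitlines():
        m = re.match(r"rad_recv: Access-Request packet from host (\S+) port (\d+)", line)
        if m:
            cur = AccessRequest(src=f"{m.group(1)}:{m.group(2)}")
            reqs.append(cur)
            target = cur.attrs
        elif line.startswith("Sending Access-Challenge") and cur is not None:
            target = cur.reply
        elif line.startswith(("#", "+")):       # left the attribute dump
            target = None
        else:
            m = re.match(r"\s*([\w-]+) = (.+)$", line)
            if m and target is not None:
                target[m.group(1)] = m.group(2).strip('"')
    return reqs

def audit(reqs, shared_secret):
    """One finding per request: what the EAP exchange is doing, or why a
    non-EAP request has nothing the server can authenticate against."""
    findings = []
    for n, r in enumerate(reqs):
        if "EAP-Message" not in r.attrs:
            text = (f"request {n}: no EAP-Message from {r.src}, "
                    f"User-Name={r.attrs.get('User-Name')!r}")
            if r.attrs.get("User-Password") == shared_secret:
                text += ("; User-Password is the NAS shared secret, not a "
                         "user credential, so it cannot match any user entry")
        else:
            e = decode_eap(r.attrs["EAP-Message"])
            text = f"request {n}: EAP {e['code']} id={e['id']} type={e.get('type')}"
            if "identity" in e:
                text += f" identity={e['identity']!r}"
            if "wanted" in e:
                text += f" Nak wants={e['wanted']}"
            if "EAP-Message" in r.reply:
                c = decode_eap(r.reply["EAP-Message"])
                text += f" -> challenge offers {c.get('type')}"
                text += " Start" if c.get("start") else ""
        findings.append(text)
    return findings
```

Run `audit(parse_requests(open("radiusd.log").read()), "SharedSecretKey")` on the full debug output to get one line per request; the parser tolerates the e-mail line wrapping because it only needs the first line of each rad_recv entry.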

Questions
=========

1). Is there anything specific that needs to be done with FreeRADIUS in order for Ubuntu to connect using Tunnelled TLS and MSCHAPv2? i.e. are there any settings in FreeRADIUS that don't play well with Ubuntu - particularly 13.10?

2). Do the certificates need the same grooming that Windows Certificates would need? Or would generating them from the command line on Ubuntu using OpenSSL suffice? i.e. Could I assume that Ubuntu's Wi-Fi client utilizes the same process as eapol_test when using the target configuration?

3). Is it a fair assumption that if the eapol_test results in SUCCESS using my targeted configuration (TTLS-EAP-MSCHAPv2) that the FreeRADIUS server is indeed set up correctly and that something else may be causing the problem? i.e. The router's Wi-Fi/RADIUS proxy, Ubuntu's Wi-Fi client etc.

Log Output from radiusd -X
==========================

root at DD-WRT:/jffs/etc/freeradius# radiusd -d /jffs/etc/freeradius -X
FreeRADIUS Version 2.2.0, for host mipsel-unknown-linux-uclibc, built on May 11 2013 at 15:59:13
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /jffs/etc/freeradius/radiusd.conf
including configuration file /jffs/etc/freeradius/clients.conf
including configuration file /jffs/etc/freeradius/clients.manual
including files in directory /jffs/etc/freeradius/modules/
including configuration file /jffs/etc/freeradius/modules/cui
including configuration file /jffs/etc/freeradius/modules/pam
including configuration file /jffs/etc/freeradius/modules/pap
including configuration file /jffs/etc/freeradius/modules/otp
including configuration file /jffs/etc/freeradius/modules/soh
including configuration file /jffs/etc/freeradius/modules/chap
including configuration file /jffs/etc/freeradius/modules/echo
including configuration file /jffs/etc/freeradius/modules/exec
including configuration file /jffs/etc/freeradius/modules/expr
including configuration file /jffs/etc/freeradius/modules/ldap
including configuration file /jffs/etc/freeradius/modules/krb5
including configuration file /jffs/etc/freeradius/modules/perl
including configuration file /jffs/etc/freeradius/modules/unix
including configuration file /jffs/etc/freeradius/modules/radutmp
including configuration file /jffs/etc/freeradius/modules/counter
including configuration file /jffs/etc/freeradius/modules/opendirectory
including configuration file /jffs/etc/freeradius/modules/cache
including configuration file /jffs/etc/freeradius/modules/files
including configuration file /jffs/etc/freeradius/modules/realm
including configuration file /jffs/etc/freeradius/modules/redis
including configuration file /jffs/etc/freeradius/modules/wimax
including configuration file /jffs/etc/freeradius/modules/mac2vlan
including configuration file /jffs/etc/freeradius/modules/replicate
including configuration file /jffs/etc/freeradius/modules/ntlm_auth
including configuration file /jffs/etc/freeradius/modules/logintime
including configuration file /jffs/etc/freeradius/modules/radrelay
including configuration file /jffs/etc/freeradius/modules/sql_log
including configuration file /jffs/etc/freeradius/modules/sradutmp
including configuration file /jffs/etc/freeradius/modules/attr_rewrite
including configuration file /jffs/etc/freeradius/modules/smbpasswd
including configuration file /jffs/etc/freeradius/modules/etc_group
including configuration file /jffs/etc/freeradius/modules/preprocess
including configuration file /jffs/etc/freeradius/modules/attr_filter
including configuration file /jffs/etc/freeradius/modules/rediswho
including configuration file /jffs/etc/freeradius/modules/expiration
including configuration file /jffs/etc/freeradius/modules/inner-eap
including configuration file /jffs/etc/freeradius/modules/acct_unique
including configuration file /jffs/etc/freeradius/modules/dhcp_sqlippool
including configuration file /jffs/etc/freeradius/sql/mysql/ippool-dhcp.conf
including configuration file /jffs/etc/freeradius/modules/linelog
including configuration file /jffs/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /jffs/etc/freeradius/modules/detail.example.com
including configuration file /jffs/etc/freeradius/modules/checkval
including configuration file /jffs/etc/freeradius/modules/always
including configuration file /jffs/etc/freeradius/modules/detail
including configuration file /jffs/etc/freeradius/modules/digest
including configuration file /jffs/etc/freeradius/modules/dynamic_clients
including configuration file /jffs/etc/freeradius/modules/ippool
including configuration file /jffs/etc/freeradius/modules/mac2ip
including configuration file /jffs/etc/freeradius/modules/mschap
including configuration file /jffs/etc/freeradius/modules/passwd
including configuration file /jffs/etc/freeradius/modules/policy
including configuration file /jffs/etc/freeradius/modules/smsotp
including configuration file /jffs/etc/freeradius/modules/detail.log
including configuration file /jffs/etc/freeradius/eap.conf
including files in directory /jffs/etc/freeradius/sites-enabled/
including configuration file /jffs/etc/freeradius/sites-enabled/default
including configuration file /jffs/etc/freeradius/sites-enabled/control-socket
including configuration file /jffs/etc/freeradius/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /jffs/etc/freeradius/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log"
run_dir = "/var/run"
libdir = "/usr/lib"
radacctdir = "/var/db/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
 log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client 127.0.0.1 {
ipaddr = 127.0.0.1
netmask = 32
require_message_authenticator = no
secret = "SharedSecretKey"
shortname = "localhost"
 }
 client 192.168.1.0 {
ipaddr = 192.168.1.0
netmask = 24
require_message_authenticator = no
secret = "SharedSecretKey"
shortname = "private-network"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /jffs/etc/freeradius/modules/expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /jffs/etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /jffs/etc/freeradius/modules/pap
  pap {
encryption_scheme = "auto"
auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /jffs/etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /jffs/etc/freeradius/modules/mschap
  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
allow_retry = yes
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /jffs/etc/freeradius/eap.conf
  eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/jffs/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/jffs/etc/freeradius/keys/server.key"
certificate_file = "/jffs/etc/freeradius/certs/server.pem"
CA_file = "/jffs/etc/freeradius/certs/ca.pem"
private_key_password = "ServerKeyPrivatePassword"
dh_file = "/jffs/etc/freeradius/certs/dh"
random_file = "/jffs/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
    verify {
    }
    ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /jffs/etc/freeradius/modules/files
  files {
usersfile = "/jffs/etc/freeradius/users"
acctusersfile = "/jffs/etc/freeradius/acct_users"
preproxy_usersfile = "/jffs/etc/freeradius/preproxy_users"
compat = "no"
  }
reading pairlist file /jffs/etc/freeradius/users
reading pairlist file /jffs/etc/freeradius/acct_users
reading pairlist file /jffs/etc/freeradius/preproxy_users
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /jffs/etc/freeradius/modules/exec
  exec {
wait = no
input_pairs = "request"
shell_escape = yes
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /jffs/etc/freeradius/modules/radutmp
  radutmp {
filename = "/var/db/radacct/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 } # modules
} # server
server inner-tunnel { # from file /jffs/etc/freeradius/sites-enabled/inner-tunnel
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /jffs/etc/freeradius/modules/unix
  unix {
radwtmp = "/var/log/radwtmp"
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /jffs/etc/freeradius/modules/realm
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /jffs/etc/freeradius/modules/logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_reject" from file /jffs/etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = "/jffs/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
  }
reading pairlist file /jffs/etc/freeradius/attrs.access_reject
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
listen {
type = "control"
 listen {
socket = "/var/run/radiusd.sock"
 }
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on command file /var/run/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=131
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0xc70c9e74f630a26989839d46dae518d4
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c31ade8ccbe71eeea3b01778ba
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
Cleaning up request 0 ID 0 with timestamp +23
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c31ade8ccbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060315
Message-Authenticator = 0x70787601f401ba18203452a341d36ce6
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c31bdd80cbe71eeea3b01778ba
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=362
Cleaning up request 1 ID 0 with timestamp +23
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c31bdd80cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200e3150016030100d8010000d4030152701e5945f504b1715698b334a194cf4a238da9f242f1def3c17fc8bb108cc3000066c014c00ac022c0210039003800880087c00fc00500350084c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101
Message-Authenticator = 0x27639a839218b4b6da378a05bb2ed49d
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 2 length 227
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00d8], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls]>>> TLS 1.0 Handshake [length 0036], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls]>>> TLS 1.0 Handshake [length 0916], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls]>>> TLS 1.0 Handshake [length 030d], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls]>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x2a864886f70d01090116166e73656340746865616c61626173746572732e636f6d301e170d3133313032373231313431315a170d3133313132363231313431315a3081af310b30090603550406130243413110300e06035504080c074f6e746172696f3110300e06035504070c07546f726f6e746f31173015060355040a0c0e54686520416c616261737465727331193017060355040b0c104e6574776f726b2053656375726974793121301f06035504030c187261646975732e746865616c61626173746572732e636f6d3125302306092a864886f70d01090116166e73656340746865616c61626173746572732e636f6d30820222300d06092a86
EAP-Message = 0x77d7df97d4375e9a00c5c8ac
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c318dc80cbe71eeea3b01778ba
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 58076, id=11, length=80
User-Name = "c48508cf0a6c"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
User-Password = "SharedSecretKey"
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect: [c48508cf0a6c/SharedSecretKey] (from client private-network port 1)
Using Post-Auth-Type REJECT
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
Cleaning up request 2 ID 0 with timestamp +23
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c318dc80cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
Message-Authenticator = 0xefd93e4a71ef938a86a2fc810f7cde7d
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x656340746865616c61626173746572732e636f6d301e170d3133313032373231303834325a170d3133313132363231303834325a3081ad310b30090603550406130243413110300e06035504080c074f6e746172696f3110300e06035504070c07546f726f6e746f31173015060355040a0c0e54686520416c616261737465727331193017060355040b0c104e6574776f726b205365637572697479311f301d06035504030c166e7365632e746865616c61626173746572732e636f6d3125302306092a864886f70d01090116166e73656340746865616c61626173746572732e636f6d30820122300d06092a864886f70d01010105000382010f0030
EAP-Message = 0xc40e1988e87cd2ee9c04bb02
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c319db80cbe71eeea3b01778ba
Finished request 4.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
Cleaning up request 4 ID 0 with timestamp +24
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c319db80cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061500
Message-Authenticator = 0x90f7afd16242e369e84021f0ccf71b3f
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x0105040015c000000c7103010001a350304e301d0603551d0e0416041481f46bfa968cfcbbed8330ae18132e215cd5399e301f0603551d2304183016801481f46bfa968cfcbbed8330ae18132e215cd5399e300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010074e952157ebb701eba65d1865806a41de3ece08c320d8c08e6158e5e00d458536f362ee687f848e7062415658337a5dcb8c51bd680bfa72f34e8f9d46d5601a913ea79c5669606762c353662528b541d503aeb42b954ae5f38f9fb044e221fc8f2702d984694ba082a7a26fc236101ac8ee6b4f96953e6635cc2ef613f0e43678e3881e7840c86e1d7
EAP-Message = 0xed4b78b5757f5548d010e73dad5b3115145b03464bce84f2457445d617ecd7422c12235a80d8a0a3409e58cac9771af702ecd6698404c9aab53fa67f9035ce6391b5dd7610c40e4127bf52dfa49b5f7a0ce53defced4961cbd9c0143874444489a722402e4be9d8e3efff68d6ec4a2aeb92fa9978bf1dbe06afb60690638349966836169e1331a6b30e661f72dd8d12c06eac4dad7f452d1866a016b367e9f5b943b126c1f7b4d8f77ffb535c748537d2bc81751b052d2e5d3299ee16d585e3b7a7b289b6baf88789494071cfca7e8ca0c99831fbdb8a5d1f12f6aed5e421a1135c7b6f5f4cffb0a0c8866d8882a428361de19d915b858eb407c194f95
EAP-Message = 0xc2a56f964c63cb568664b0c8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c31eda80cbe71eeea3b01778ba
Finished request 5.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
Cleaning up request 5 ID 0 with timestamp +24
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c31eda80cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061500
Message-Authenticator = 0x72932bf113a5c9002ecdcb5c17016f73
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x01060099158000000c71c24732acb37286d316120e1f97ac15f9488c69e1e0a6291455e74073ad8c2f26f1b40a446a660d3043620ca020ef7be1c5365c8e88a77f35b302ab4613fc4fe2316e22eb36c1d09d01ed0149fe8f56be9874ecfff02dc85ccf42d1c24b3d236fa946b0a8e4d5f2ec26f3ffba88f1e5881b07a88f8e1b5b74ec289537acbb7694f4859ae211f216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c31fd980cbe71eeea3b01778ba
Finished request 6.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=339
Cleaning up request 6 ID 0 with timestamp +24
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c31fd980cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600cc150016030100861000008200800f5091091fbeaab2cfe280451883911d498e9910ff6f4c593deb48b646df05d5830fd079e6e6e9c1c07dd20effb975a23975962a23a83564dd6d40255b8322959e779395687e51cc85ec4ec6fba4153cb5aea31d4aab17b2d8e925f5c930c712934c9d2bf6e9a0ffb4b339b4f431248cba01acb9d443d77a4a5eddbc4df1c6261403010001011603010030a3fffc11ed28f49e3345093a54fb00d6c839b7143902555a81b3a384250d64816bbd40411fa52547c00c35fa536560e9
Message-Authenticator = 0x50f0866ef17b77061e7d20bf78febff4
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 6 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls]>>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls]>>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x0107004515800000003b1403010001011603010030080642e3113c98e7678f8398c3a27b985ba0244f737e2f74e650df6653468c7008e5050878966bdb5c9a00d6148afcdf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c31cd880cbe71eeea3b01778ba
Finished request 7.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=327
Cleaning up request 7 ID 0 with timestamp +24
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c31cd880cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700c015001703010020436b3861d680d218559d40b40b8c86afc39b52e04568b34f57bc35bfb423f6591703010090859716887d09b035c922e2bbd7148d91c7bf6b985a71954cbe70ff7a931241e9c34a6d131bab5548dca13e8766f3bef97952fd732f3e55c4765c1326d23ebf827c58f852d595fd383c3a04bf46ac3e85fe1d5b9312cf61cca3e66380245debca48f589d6b39ec9acba7ee8bc1eb514d1d55ccc5fef6ac1cf052e512ad2cc8cc5b2b27af8444fdd45f840c7ee591054ea
Message-Authenticator = 0x2ba000d8cd9824a97525413fd368bfea
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 7 length 192
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "MyTestUser"
MS-CHAP-Challenge = 0xcafa30c4547fe57b00e923a19388afd8
MS-CHAP2-Response = 0x900098f355d7bcbb5d0861893e660022759b000000000000000085ce464eda88f0c15d3eedbf01367d97804dc62aeb7aad4d
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "MyTestUser"
MS-CHAP-Challenge = 0xcafa30c4547fe57b00e923a19388afd8
MS-CHAP2-Response = 0x900098f355d7bcbb5d0861893e660022759b000000000000000085ce464eda88f0c15d3eedbf01367d97804dc62aeb7aad4d
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "MyTestUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 2
[files] expand: %{User-Name} -> MyTestUser
[files] users: Matched entry MyTestUser at line 8
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
Found Auth-Type = MSCHAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/inner-tunnel
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: MyTestUser
[mschap] Client is using MS-CHAPv2 for MyTestUser, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
Login OK: [MyTestUser] (from client private-network port 0 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /jffs/etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Session-Timeout := 3600
User-Name := "MyTestUser"
Acct-Interim-Interval := 300
MS-CHAP2-Success = 0x90533d38323138413832323034463143454439433936394536393133363534323037424646433841304642
MS-MPPE-Recv-Key = 0x8ce0cc626543b14adead1abfb93ed5cf
MS-MPPE-Send-Key = 0x005ba204b07f699046f4ac1c3a188076
MS-MPPE-Encryption-Policy = 0x00000002
MS-MPPE-Encryption-Types = 0x00000004
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 49754
EAP-Message = 0x0108005f1580000000551703010050d1ef8159c074e3e88c6816a20d2d622234f56ccdbeb0eafdf8de56b85a8d897de8e6f98dbb945ea941cef9c8bcb0d4d3c4b7f0b48b756fff97a2ab4355d98a8c277eda652de295baca8fd5b3623c4c74
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1adf95c31dd780cbe71eeea3b01778ba
Finished request 8.
Going to the next request
Waking up in 0.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141
Cleaning up request 8 ID 0 with timestamp +24
User-Name = "anonymous"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "20e52a2a793a"
Calling-Station-Id = "c48508cf0a6c"
NAS-Identifier = "20e52a2a793a"
NAS-Port = 41
Framed-MTU = 1400
State = 0x1adf95c31dd780cbe71eeea3b01778ba
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020800061500
Message-Authenticator = 0xd9169c88982c8ba1456566add1d260e4
# Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[mschap] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /jffs/etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [anonymous] (from client private-network port 41 cli c48508cf0a6c)
  WARNING: Empty post-auth section.  Using default return values.
Sending Access-Accept of id 0 to 192.168.1.1 port 49754
MS-MPPE-Recv-Key = 0x00e38d49949eda0340ea8188cfec315208941fc6e99f6b627f2aea410c25dcb4
MS-MPPE-Send-Key = 0xa45d9bbc09a890de1bc2cc509ccc48b00a2eebfeb812eab8b5cbc4f9a97cd303
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "anonymous"
Finished request 9.
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 11 to 192.168.1.1 port 58076
Waking up in 4.2 seconds.
Cleaning up request 9 ID 0 with timestamp +24
Waking up in 0.7 seconds.
Cleaning up request 3 ID 11 with timestamp +24
Ready to process requests.