PEAP Inner Tunnel Question

Casey Daniels mailinglist at cd.kcfam.net
Thu Apr 24 00:56:36 CEST 2014


Sorry if this is a stupid question, but is there a way to control the 
Phase 2 Authentication method when doing PEAP?

My aim is to only allow MSCHAPV2; however, I also get a good reply from 
the Server if I select None, PAP, MD5, MSCHAP, or MSCHAPv2 on the 
supplicant.

Or is phase 2 Authentication the prerogative of the supplicant?

I've attached the debug output for when I tried to log on via no Phase 
2 Authentication, though there was an interesting line that appears in 
my debug output for many different modes (None, PAP, MD5, MSCHAP, 
MSCHAPv2) that worked.  Is freeradius forcing the supplicant into 
MSCHAPv2 for the 2nd Phase, ignoring what was selected?

(8) eap_peap : EAP type MSCHAPv2 (26)


However when I tried using GTC as the Phase 2 Authentication method it 
fails out (as expected) and I get

(7) eap_peap : EAP type NAK (3)

I've tried this on two different types of Supplicants (Android Phone and 
Linux PC).

I've commented out any reference to pap, etc in config files and removed 
the link from mods-enabled.

Thank You,
Casey
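
An added example, not part of the original post and not FreeRADIUS code: a Python decoder for EAP-Message values such as those in the debug output attached to this message, plus a scan of `eap_peap : EAP type` debug lines for inner methods outside an allow-list. The function names, the allow-list of MSCHAPv2 only, and every sample marked "constructed" are assumptions made for the illustration.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method numbers as assigned in the IANA EAP registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def type_name(number):
    return EAP_TYPES.get(number, "unknown(%d)" % number)


def decode_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd -X prints."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
           "id": ident, "length": length}
    if code not in (1, 2):          # Success/Failure carry no Type byte
        return pkt
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = raw[4], raw[5:length]
    pkt["type"] = type_name(eap_type)
    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3 and code == 2:
        # Legacy NAK: the peer lists the method(s) it would accept instead.
        pkt["desired"] = [type_name(b) for b in data]
    elif eap_type == 25:
        if not data:
            raise ValueError("PEAP packet without a flags byte")
        flags, body = data[0], data[1:]
        pkt["length_included"] = bool(flags & 0x80)
        pkt["more_fragments"] = bool(flags & 0x40)
        pkt["start"] = bool(flags & 0x20)
        pkt["version"] = flags & 0x07
        if pkt["length_included"]:
            if len(body) < 4:
                raise ValueError("L flag set but TLS length field missing")
            pkt["tls_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        pkt["tls_bytes"] = len(body)  # 0 with no flags set is a TLS ACK
    return pkt


INNER_TYPE = re.compile(r"^\((\d+)\)\s+eap_peap\s*:\s*EAP type (\S+) \((\d+)\)\s*$")


def inner_types(debug_text):
    """Return (request number, name, EAP type) for each inner-type debug line."""
    found = []
    for line in debug_text.splitlines():
        match = INNER_TYPE.match(line.strip())
        if match:
            found.append((int(match.group(1)), match.group(2), int(match.group(3))))
    return found


def outside_allow_list(debug_text, allowed=frozenset({26})):
    """Inner methods not on the allow-list; Identity (1) and NAK (3) are
    negotiation messages rather than authentication methods, so skip them."""
    return [entry for entry in inner_types(debug_text)
            if entry[2] not in allowed and entry[2] not in (1, 3)]


# EAP-Message values copied from the debug output attached to the post.
PAGE_PACKETS = ["0x0267000a017374657665", "0x016800061920", "0x026900061900"]
# Constructed: a peer answering with NAK and asking for GTC (type 6).
CONSTRUCTED_NAK = "0x020800060306"
# First two lines are quoted in the post; the third is constructed.
SAMPLE_DEBUG = """\
(8) eap_peap : EAP type MSCHAPv2 (26)
(7) eap_peap : EAP type NAK (3)
(9) eap_peap : EAP type MD5 (4)
"""

if __name__ == "__main__":
    for value in PAGE_PACKETS + [CONSTRUCTED_NAK]:
        print(value, decode_eap(value))
    print("outside allow-list:", outside_allow_list(SAMPLE_DEBUG))
```

The outer EAP-Message values only ever show PEAP (25), because the phase 2 exchange travels inside the TLS tunnel; the server's `eap_peap : EAP type` debug lines are where the inner type becomes visible.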

     Starting FreeRadius Daemon (Test Mode)...radiusd: FreeRADIUS 
Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Oct 26 2013 
at 18:29:10
Copyright (C) 1999-2013 The FreeRADIUS server project and 
contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named 
COPYRIGHT.
Starting - reading configuration files ...
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/logintime
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/filter
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/wifi
main {
  security {
      user = "radius"
      group = "radius"
      chroot = "/srv/freeradius"
      allow_core_dumps = no
  }
}
main {
     name = "radiusd"
     prefix = "/usr/local"
     localstatedir = "/usr/local/var"
     sbindir = "/usr/local/sbin"
     logdir = "/var/log"
     run_dir = "/var/run"
     libdir = "/lib"
     radacctdir = "/var/log/radacct"
     hostname_lookups = no
     max_request_time = 30
     cleanup_delay = 5
     max_requests = 5096
     pidfile = "/var/run/radiusd.pid"
     checkrad = "/usr/local/sbin/checkrad"
     debug_level = 0
     proxy_requests = no
  log {
      stripped_names = no
      auth = yes
      auth_badpass = yes
      auth_goodpass = no
      colourise = yes
  }
  security {
      max_attributes = 200
      reject_delay = 3
      status_server = yes
  }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
  client localhost {
      ipv6addr = ::1 IPv6 address [::1]
      netmask = 128
      require_message_authenticator = yes
      secret = "testing123"
      proto = "udp"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
  client wlan-west {
      ipaddr = 10.50.1.2
      netmask = 32
      require_message_authenticator = yes
      secret = "test123"
      proto = "udp"
   limit {
       max_connections = 16
       lifetime = 0
       idle_timeout = 30
   }
  }
radiusd: #### Instantiating modules ####
  instantiate {
  }
  modules {
   # Loaded module rlm_radutmp
   # Instantiating module "sradutmp" from file 
/etc/raddb/mods-enabled/sradutmp
   radutmp sradutmp {
       filename = "/var/log/sradutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 420
       caller_id = no
   }
   # Loaded module rlm_expiration
   # Instantiating module "expiration" from file 
/etc/raddb/mods-enabled/expiration
   # Loaded module rlm_utf8
   # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
   # Loaded module rlm_eap
   # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
   eap {
       default_eap_type = "peap"
       timer_expire = 60
       ignore_unknown_eap_types = no
       mod_accounting_username_bug = no
       max_sessions = 4096
   }
    # Linked to sub-module rlm_eap_peap
    peap {
        tls = "tls-common"
        default_method = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
    }
    tls-config tls-common {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        ca_path = "/etc/raddb/certs"
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs/prouter-radius.pem"
        certificate_file = "/etc/raddb/certs/prouter-radius_crt.pem"
        ca_file = "/etc/raddb/certs/cacert.pem"
        private_key_password = "2rU36=L-mdKYVbG"
        dh_file = "/etc/raddb/certs/dh_radius"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
     cache {
         enable = yes
         lifetime = 24
         max_entries = 255
     }
     verify {
     }
     ocsp {
         enable = no
         override_cert_url = no
         use_nonce = yes
         timeout = 0
         softfail = yes
     }
    }
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
        with_ntdomain_hack = no
        send_error = no
    }
   # Instantiating module "radutmp" from file 
/etc/raddb/mods-enabled/radutmp
   radutmp {
       filename = "/var/log/radutmp"
       username = "%{User-Name}"
       case_sensitive = yes
       check_with_nas = yes
       permissions = 384
       caller_id = yes
   }
   # Loaded module rlm_cache
   # Instantiating module "cache_eap" from file 
/etc/raddb/mods-enabled/cache_eap
   cache cache_eap {
       key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
       ttl = 15
       max_entries = 16384
       epoch = 0
       add_stats = no
   }
   # Loaded module rlm_mschap
   # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
   mschap {
       use_mppe = yes
       require_encryption = no
       require_strong = no
       with_ntdomain_hack = yes
    passchange {
    }
       allow_retry = yes
   }
   # Loaded module rlm_attr_filter
   # Instantiating module "attr_filter.post-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
       filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
       key = "%{Realm}"
       relaxed = no
   }
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
       filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
       key = "%{Realm}"
       relaxed = no
   }
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
       filename = "/etc/raddb/mods-config/attr_filter/access_reject"
       key = "%{User-Name}"
       relaxed = no
   }
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
   # Instantiating module "attr_filter.access_challenge" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
       filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
       key = "%{User-Name}"
       relaxed = no
   }
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file 
/etc/raddb/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
       filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
       key = "%{User-Name}"
       relaxed = no
   }
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
   # Loaded module rlm_detail
   # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
   detail {
       filename = 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
       header = "%t"
       permissions = 384
       dir_permissions = 493
       locking = no
       log_packet_header = no
   }
   # Loaded module rlm_always
   # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
   always fail {
       rcode = "fail"
       simulcount = 0
       mpp = no
   }
   # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
   always reject {
       rcode = "reject"
       simulcount = 0
       mpp = no
   }
   # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
   always noop {
       rcode = "noop"
       simulcount = 0
       mpp = no
   }
   # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
   always handled {
       rcode = "handled"
       simulcount = 0
       mpp = no
   }
   # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
   always updated {
       rcode = "updated"
       simulcount = 0
       mpp = no
   }
   # Instantiating module "notfound" from file 
/etc/raddb/mods-enabled/always
   always notfound {
       rcode = "notfound"
       simulcount = 0
       mpp = no
   }
   # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
   always ok {
       rcode = "ok"
       simulcount = 0
       mpp = no
   }
   # Loaded module rlm_preprocess
   # Instantiating module "preprocess" from file 
/etc/raddb/mods-enabled/preprocess
   preprocess {
       with_ascend_hack = no
       ascend_channels_per_line = 23
       with_ntdomain_hack = no
       with_specialix_jetstream_hack = no
       with_cisco_vsa_hack = no
       with_alvarion_vsa_hack = no
   }
   # Loaded module rlm_linelog
   # Instantiating module "linelog" from file 
/etc/raddb/mods-enabled/linelog
   linelog {
       filename = "/var/log/linelog"
       permissions = 384
       format = "This is a log message for %{User-Name}"
       reference = "%{%{Packet-Type}:-format}"
   }
   # Instantiating module "auth_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail auth_log {
       filename = 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       dir_permissions = 493
       locking = no
       log_packet_header = no
   }
   # Instantiating module "reply_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail reply_log {
       filename = 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       dir_permissions = 493
       locking = no
       log_packet_header = no
   }
   # Instantiating module "pre_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail pre_proxy_log {
       filename = 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       dir_permissions = 493
       locking = no
       log_packet_header = no
   }
   # Instantiating module "post_proxy_log" from file 
/etc/raddb/mods-enabled/detail.log
   detail post_proxy_log {
       filename = 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
       header = "%t"
       permissions = 384
       dir_permissions = 493
       locking = no
       log_packet_header = no
   }
   # Loaded module rlm_files
   # Instantiating module "files" from file /etc/raddb/mods-enabled/files
   files {
       filename = "/etc/raddb/mods-config/files/authorize"
       usersfile = "/etc/raddb/mods-config/files/authorize"
       acctusersfile = "/etc/raddb/mods-config/files/accounting"
       preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
       compat = "no"
   }
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
   # Loaded module rlm_expr
   # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
   expr {
       safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
   }
   # Loaded module rlm_logintime
   # Instantiating module "logintime" from file 
/etc/raddb/mods-enabled/logintime
   logintime {
       minimum_timeout = 60
   }
  } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading session {...}
  # Loading post-auth {...}
} # server
server default { # from file /etc/raddb/sites-enabled/default
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading virtual module filter_username
  # Loading preacct {...}
  # Loading virtual module acct_unique
  # Loading accounting {...}
  # Loading post-auth {...}
  # Loading virtual module remove_reply_message_if_eap
  # Loading virtual module remove_reply_message_if_eap
} # server
server wifi { # from file /etc/raddb/sites-enabled/wifi
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading virtual module filter_username
  # Loading preacct {...}
  # Loading virtual module acct_unique
  # Loading accounting {...}
  # Loading post-auth {...}
  # Loading virtual module remove_reply_message_if_eap
  # Loading virtual module remove_reply_message_if_eap
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
       type = "auth"
       ipv6addr = ::1 IPv6 address [::1]
       port = 18120
}
listen {
       type = "auth"
       ipaddr = 10.50.1.1
       port = 0
}
listen {
       type = "acct"
       ipaddr = 10.50.1.1
       port = 0
}
listen {
       type = "auth"
       ipv6addr = ::1 IPv6 address [::1]
       port = 1812
}
listen {
       type = "acct"
       ipv6addr = ::1 IPv6 address [::1]
       port = 0
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
Listening on auth address ::1 port 18120 as server inner-tunnel
Listening on auth interface br0 address 10.50.1.1 port 1812 as server 
default
Listening on acct interface br0 address 10.50.1.1 port 1813 as server 
default
Listening on auth interface lo address ::1 port 1812 as server wifi
Listening on acct interface lo address ::1 port 1813 as server wifi
Ready to process requests.
rad_recv: Access-Request packet from host ::1 port 48165, id=0, length=180
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 0x0267000a017374657665
     Message-Authenticator = 0xd79bddbc4667890f34d4075e791ad2a4
(0) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(0)   authorize {
(0)   filter_username filter_username {
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")
(0)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(0)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)    ? if (User-Name =~ / /)
(0)    ? if (User-Name =~ / /)  -> FALSE
(0)    ? if (User-Name =~ /@.*@/ )
(0)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(0)    ? if (User-Name =~ /\\.\\./ )
(0)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(0)    ? if (User-Name =~ /\\.$/)
(0)    ? if (User-Name =~ /\\.$/)   -> FALSE
(0)    ? if (User-Name =~ /@\\./)
(0)    ? if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(0) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(0) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(0)   [auth_log] = ok
(0) files : users: Matched entry steve at line 73
(0)   [files] = ok
(0)   ? if (control:wifi_key != "true")
(0)     expand: "true" -> 'true'
(0)   ? if (control:wifi_key != "true")  -> FALSE
(0) eap : EAP packet type response id 103 length 10
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the 
rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/wifi
(0)   authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918a8c56083
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge of id 0 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 0x016800061920
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918a8c560834e7c8f387fecd2a4
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=1, length=396
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 
0x026800d01980000000c616030100c1010000bd030153583d21bd49160c44cfa32bf122061d9455306e0281a1d48613ca7be42cdb68000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011
     State = 0xa8ad7918a8c560834e7c8f387fecd2a4
     Message-Authenticator = 0x97948d30a20d05e55e7847bef6bb35ef
(1) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(1)   authorize {
(1)   filter_username filter_username {
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")
(1)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(1)    ? if (User-Name =~ / /)
(1)    ? if (User-Name =~ / /)  -> FALSE
(1)    ? if (User-Name =~ /@.*@/ )
(1)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(1)    ? if (User-Name =~ /\\.\\./ )
(1)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(1)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(1)    ? if (User-Name =~ /\\.$/)
(1)    ? if (User-Name =~ /\\.$/)   -> FALSE
(1)    ? if (User-Name =~ /@\\./)
(1)    ? if (User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(1) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(1) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(1)   [auth_log] = ok
(1) files : users: Matched entry steve at line 73
(1)   [files] = ok
(1)   ? if (control:wifi_key != "true")
(1)     expand: "true" -> 'true'
(1)   ? if (control:wifi_key != "true")  -> FALSE
(1) eap : EAP packet type response id 104 length 208
(1) eap : Continuing tunnel setup.
(1)   [eap] = ok
(1)  } #  authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/wifi
(1)   authenticate {
(1) eap : Expiring EAP session with state 0xa8ad7918a8c56083
(1) eap : Finished EAP session with state 0xa8ad7918a8c56083
(1) eap : Previous EAP request found for state 0xa8ad7918a8c56083, 
released from the list
(1) eap : Peer sent PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
   TLS Length 198
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap :     (other): before/accept initialization
(1) eap_peap :     TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 00c1], ClientHello
(1) eap_peap :     TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap :     TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 06cd], Certificate
(1) eap_peap :     TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
(1) eap_peap :     TLS_accept: SSLv3 write key exchange A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap :     TLS_accept: SSLv3 write server done A
(1) eap_peap :     TLS_accept: SSLv3 flush data
(1) eap_peap :     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918a9c46083
(1)   [eap] = handled
(1)  } #  authenticate = handled
Sending Access-Challenge of id 1 from ::1 port 1812 to ::1 port 48165
     EAP-Message =
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918a9c460834e7c8f387fecd2a4
(1) Finished request 1.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=2, length=194
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 0x026900061900
     State = 0xa8ad7918a9c460834e7c8f387fecd2a4
     Message-Authenticator = 0x98d32114182bbaf058b8ef095dd350f6
(2) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(2)   authorize {
(2)   filter_username filter_username {
(2)    ? if (User-Name != "%{tolower:%{User-Name}}")
(2)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(2)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(2)    ? if (User-Name =~ / /)
(2)    ? if (User-Name =~ / /)  -> FALSE
(2)    ? if (User-Name =~ /@.*@/ )
(2)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(2)    ? if (User-Name =~ /\\.\\./ )
(2)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(2)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(2)    ? if (User-Name =~ /\\.$/)
(2)    ? if (User-Name =~ /\\.$/)   -> FALSE
(2)    ? if (User-Name =~ /@\\./)
(2)    ? if (User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(2) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(2) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(2)   [auth_log] = ok
(2) files : users: Matched entry steve at line 73
(2)   [files] = ok
(2)   ? if (control:wifi_key != "true")
(2)     expand: "true" -> 'true'
(2)   ? if (control:wifi_key != "true")  -> FALSE
(2) eap : EAP packet type response id 105 length 6
(2) eap : Continuing tunnel setup.
(2)   [eap] = ok
(2)  } #  authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/wifi
(2)   authenticate {
(2) eap : Expiring EAP session with state 0xa8ad7918a9c46083
(2) eap : Finished EAP session with state 0xa8ad7918a9c46083
(2) eap : Previous EAP request found for state 0xa8ad7918a9c46083, 
released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918aac76083
(2)   [eap] = handled
(2)  } #  authenticate = handled
Sending Access-Challenge of id 2 from ::1 port 1812 to ::1 port 48165
     EAP-Message =
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918aac760834e7c8f387fecd2a4
(2) Finished request 2.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=3, length=194
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 0x026a00061900
     State = 0xa8ad7918aac760834e7c8f387fecd2a4
     Message-Authenticator = 0xddba5abc747ee013a391120cd5aaf0eb
(3) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(3)   authorize {
(3)   filter_username filter_username {
(3)    ? if (User-Name != "%{tolower:%{User-Name}}")
(3)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(3)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(3)    ? if (User-Name =~ / /)
(3)    ? if (User-Name =~ / /)  -> FALSE
(3)    ? if (User-Name =~ /@.*@/ )
(3)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(3)    ? if (User-Name =~ /\\.\\./ )
(3)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(3)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(3)    ? if (User-Name =~ /\\.$/)
(3)    ? if (User-Name =~ /\\.$/)   -> FALSE
(3)    ? if (User-Name =~ /@\\./)
(3)    ? if (User-Name =~ /@\\./)   -> FALSE
(3)   } # filter_username filter_username = notfound
(3)   [preprocess] = ok
(3) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(3) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(3) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(3)   [auth_log] = ok
(3) files : users: Matched entry steve at line 73
(3)   [files] = ok
(3)   ? if (control:wifi_key != "true")
(3)     expand: "true" -> 'true'
(3)   ? if (control:wifi_key != "true")  -> FALSE
(3) eap : EAP packet type response id 106 length 6
(3) eap : Continuing tunnel setup.
(3)   [eap] = ok
(3)  } #  authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/wifi
(3)   authenticate {
(3) eap : Expiring EAP session with state 0xa8ad7918aac76083
(3) eap : Finished EAP session with state 0xa8ad7918aac76083
(3) eap : Previous EAP request found for state 0xa8ad7918aac76083, 
released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918abc66083
(3)   [eap] = handled
(3)  } #  authenticate = handled
Sending Access-Challenge of id 3 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 
0x016b0023190027d0ad5942b830c50f432697e5a588b8afbade4516030100040e000000
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918abc660834e7c8f387fecd2a4
(3) Finished request 3.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=4, length=332
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 
0x026b0090198000000086160301004610000042410492d0d71260ecb28182a7a04abf0fe0f9252a84a956e2fd903a8e13836d460b23c9296726d0c1f971f367cc6cfbc11285f0e60a40513b2ab6bfbab088dd618419140301000101160301003095e5112ba7cdc234ff9508a9549e3b4941505303a3dc9e9e4bea804c11040dd25efaba55305c75573e27f82cc0ce4a0f
     State = 0xa8ad7918abc660834e7c8f387fecd2a4
     Message-Authenticator = 0x2f89a733b9060aac852a3bc51ca6da47
(4) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(4)   authorize {
(4)   filter_username filter_username {
(4)    ? if (User-Name != "%{tolower:%{User-Name}}")
(4)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(4)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(4)    ? if (User-Name =~ / /)
(4)    ? if (User-Name =~ / /)  -> FALSE
(4)    ? if (User-Name =~ /@.*@/ )
(4)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(4)    ? if (User-Name =~ /\\.\\./ )
(4)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(4)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(4)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(4)    ? if (User-Name =~ /\\.$/)
(4)    ? if (User-Name =~ /\\.$/)   -> FALSE
(4)    ? if (User-Name =~ /@\\./)
(4)    ? if (User-Name =~ /@\\./)   -> FALSE
(4)   } # filter_username filter_username = notfound
(4)   [preprocess] = ok
(4) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(4) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(4) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(4)   [auth_log] = ok
(4) files : users: Matched entry steve at line 73
(4)   [files] = ok
(4)   ? if (control:wifi_key != "true")
(4)     expand: "true" -> 'true'
(4)   ? if (control:wifi_key != "true")  -> FALSE
(4) eap : EAP packet type response id 107 length 144
(4) eap : Continuing tunnel setup.
(4)   [eap] = ok
(4)  } #  authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/wifi
(4)   authenticate {
(4) eap : Expiring EAP session with state 0xa8ad7918abc66083
(4) eap : Finished EAP session with state 0xa8ad7918abc66083
(4) eap : Previous EAP request found for state 0xa8ad7918abc66083, 
released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
   TLS Length 134
(4) eap_peap : Length Included
(4) eap_peap : eaptls_verify returned 11
(4) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap :     TLS_accept: SSLv3 read client key exchange A
(4) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap :     TLS_accept: SSLv3 read finished A
(4) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap :     TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap :     TLS_accept: SSLv3 write finished A
(4) eap_peap :     TLS_accept: SSLv3 flush data
   SSL: adding session 
63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a to cache
(4) eap_peap :     (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918acc16083
(4)   [eap] = handled
(4)  } #  authenticate = handled
Sending Access-Challenge of id 4 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 
0x016c00411900140301000101160301003009545d7f94b5e5e3e8f070d78a9404478773a978dda13146eed6d71884901a1d04dc032f3554330c8e2d60ea23524163
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918acc160834e7c8f387fecd2a4
(4) Finished request 4.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=5, length=194
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 0x026c00061900
     State = 0xa8ad7918acc160834e7c8f387fecd2a4
     Message-Authenticator = 0xae54d80b044b43fa45d718577351a2d3
(5) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(5)   authorize {
(5)   filter_username filter_username {
(5)    ? if (User-Name != "%{tolower:%{User-Name}}")
(5)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(5)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(5)    ? if (User-Name =~ / /)
(5)    ? if (User-Name =~ / /)  -> FALSE
(5)    ? if (User-Name =~ /@.*@/ )
(5)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(5)    ? if (User-Name =~ /\\.\\./ )
(5)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(5)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(5)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(5)    ? if (User-Name =~ /\\.$/)
(5)    ? if (User-Name =~ /\\.$/)   -> FALSE
(5)    ? if (User-Name =~ /@\\./)
(5)    ? if (User-Name =~ /@\\./)   -> FALSE
(5)   } # filter_username filter_username = notfound
(5)   [preprocess] = ok
(5) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(5) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(5) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(5)   [auth_log] = ok
(5) files : users: Matched entry steve at line 73
(5)   [files] = ok
(5)   ? if (control:wifi_key != "true")
(5)     expand: "true" -> 'true'
(5)   ? if (control:wifi_key != "true")  -> FALSE
(5) eap : EAP packet type response id 108 length 6
(5) eap : Continuing tunnel setup.
(5)   [eap] = ok
(5)  } #  authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/wifi
(5)   authenticate {
(5) eap : Expiring EAP session with state 0xa8ad7918acc16083
(5) eap : Finished EAP session with state 0xa8ad7918acc16083
(5) eap : Previous EAP request found for state 0xa8ad7918acc16083, 
released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
(5) eap_peap : Received TLS ACK
(5) eap_peap : Received TLS ACK
(5) eap_peap : ACK handshake is finished
(5) eap_peap : eaptls_verify returned 3
(5) eap_peap : eaptls_process returned 3
(5) eap_peap : FR_TLS_SUCCESS
(5) eap_peap : Session established.  Decoding tunneled attributes.
(5) eap_peap : Peap state TUNNEL ESTABLISHED
(5) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918adc06083
(5)   [eap] = handled
(5)  } #  authenticate = handled
Sending Access-Challenge of id 5 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 
0x016d002b1900170301002059df3c16dae8dc16851faddfa9adf66b5d377c8d77d4a94b8ddb3dd641a7ff7f
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918adc060834e7c8f387fecd2a4
(5) Finished request 5.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=6, length=268
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 
0x026d0050190017030100204cbd0844571c6a95c351b861ffeb20871e1a268e30eade06b683ab8d37f6b0681703010020a0f7d4d3cb51269adedeebc1a2c50ab9ce06544aa25177e6c47420e308459d98
     State = 0xa8ad7918adc060834e7c8f387fecd2a4
     Message-Authenticator = 0xc6f194f2722da7c403d8d2b1f3e30e82
(6) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(6)   authorize {
(6)   filter_username filter_username {
(6)    ? if (User-Name != "%{tolower:%{User-Name}}")
(6)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(6)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(6)    ? if (User-Name =~ / /)
(6)    ? if (User-Name =~ / /)  -> FALSE
(6)    ? if (User-Name =~ /@.*@/ )
(6)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(6)    ? if (User-Name =~ /\\.\\./ )
(6)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(6)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(6)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(6)    ? if (User-Name =~ /\\.$/)
(6)    ? if (User-Name =~ /\\.$/)   -> FALSE
(6)    ? if (User-Name =~ /@\\./)
(6)    ? if (User-Name =~ /@\\./)   -> FALSE
(6)   } # filter_username filter_username = notfound
(6)   [preprocess] = ok
(6) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(6) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(6) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(6)   [auth_log] = ok
(6) files : users: Matched entry steve at line 73
(6)   [files] = ok
(6)   ? if (control:wifi_key != "true")
(6)     expand: "true" -> 'true'
(6)   ? if (control:wifi_key != "true")  -> FALSE
(6) eap : EAP packet type response id 109 length 80
(6) eap : Continuing tunnel setup.
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/wifi
(6)   authenticate {
(6) eap : Expiring EAP session with state 0xa8ad7918adc06083
(6) eap : Finished EAP session with state 0xa8ad7918adc06083
(6) eap : Previous EAP request found for state 0xa8ad7918adc06083, 
released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : eaptls_verify returned 7
(6) eap_peap : Done initial handshake
(6) eap_peap : eaptls_process returned 7
(6) eap_peap : FR_TLS_OK
(6) eap_peap : Session established.  Decoding tunneled attributes.
(6) eap_peap : Peap state WAITING FOR INNER IDENTITY
(6) eap_peap : Identity - steve
(6) eap_peap : Got inner identity 'steve'
(6) eap_peap : Setting default EAP type for tunneled EAP session.
(6) eap_peap : Got tunneled request
     EAP-Message = 0x026d000a017374657665
server wifi {
(6) eap_peap : Setting User-Name to steve
Sending tunneled request
     EAP-Message = 0x026d000a017374657665
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = 'steve'
server inner-tunnel {
(6) # Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel
(6)   authorize {
(6)   update control {
(6)         Proxy-To-Realm := 'LOCAL'
(6)   } # update control = noop
(6) eap : EAP packet type response id 109 length 10
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the 
rest of authorize
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does 
not exist!  Cancelling invalid proxy request.
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)   authenticate {
(6) eap : Peer sent Identity (1)
(6) eap : Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2 : Issuing Challenge
(6) eap : New EAP session, adding 'State' attribute to reply 
0x7fd644537fb85e09
(6)   [eap] = handled
(6)  } #  authenticate = handled
} # server inner-tunnel
(6) eap_peap : Got tunneled reply code 11
     EAP-Message = 
0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x7fd644537fb85e0993bf77b0297ba359
(6) eap_peap : Got tunneled reply RADIUS code 11
     EAP-Message = 
0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x7fd644537fb85e0993bf77b0297ba359
(6) eap_peap : Got tunneled Access-Challenge
(6) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918aec36083
(6)   [eap] = handled
(6)  } #  authenticate = handled
Sending Access-Challenge of id 6 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 
0x016e005b19001703010050be2d19115eeec52f8ef7f3924d3e06b1414ac02b93abeabf9b93868a35a635cd8103f213946df5b276e49ebc329d332c3a8b0ea3910c655fe4cb333e2119dd2f87e0c0c816ea7a97744a0e1163a2c8c8
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918aec360834e7c8f387fecd2a4
(6) Finished request 6.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=7, length=332
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 
0x026e009019001703010020c6ef33f59aafabdcbc8e0606fce5b8186e58ff23be26cffd63bc3a9aaba245b61703010060ac4916496f2d9fc82d01c90f2a384f495bc5cad349a90215e8982b81e51084189924a9a22e85ab15c85bf058b0a8742ef055876f95cc446a8dcb0c20160408687c2f1b26e4badf300c802f146318c1cb1c9b2d5ed72aac629b0e3c411aa0aeb5
     State = 0xa8ad7918aec360834e7c8f387fecd2a4
     Message-Authenticator = 0xe81eb90fcfa5aaf86bf6c12d41a0fb73
(7) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(7)   authorize {
(7)   filter_username filter_username {
(7)    ? if (User-Name != "%{tolower:%{User-Name}}")
(7)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(7)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(7)    ? if (User-Name =~ / /)
(7)    ? if (User-Name =~ / /)  -> FALSE
(7)    ? if (User-Name =~ /@.*@/ )
(7)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(7)    ? if (User-Name =~ /\\.\\./ )
(7)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(7)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(7)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(7)    ? if (User-Name =~ /\\.$/)
(7)    ? if (User-Name =~ /\\.$/)   -> FALSE
(7)    ? if (User-Name =~ /@\\./)
(7)    ? if (User-Name =~ /@\\./)   -> FALSE
(7)   } # filter_username filter_username = notfound
(7)   [preprocess] = ok
(7) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(7) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(7) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(7)   [auth_log] = ok
(7) files : users: Matched entry steve at line 73
(7)   [files] = ok
(7)   ? if (control:wifi_key != "true")
(7)     expand: "true" -> 'true'
(7)   ? if (control:wifi_key != "true")  -> FALSE
(7) eap : EAP packet type response id 110 length 144
(7) eap : Continuing tunnel setup.
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/wifi
(7)   authenticate {
(7) eap : Expiring EAP session with state 0x7fd644537fb85e09
(7) eap : Finished EAP session with state 0xa8ad7918aec36083
(7) eap : Previous EAP request found for state 0xa8ad7918aec36083, 
released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established.  Decoding tunneled attributes.
(7) eap_peap : Peap state phase2
(7) eap_peap : EAP type MSCHAPv2 (26)
(7) eap_peap : Got tunneled request
     EAP-Message = 
0x026e00401a026e003b31428de007ac0fdd2b2cceb02df8b1a42f0000000000000000fbc267c343bceaf89088ea12252a9bb2dcd001fc2d44b63b007374657665
server wifi {
(7) eap_peap : Setting User-Name to steve
Sending tunneled request
     EAP-Message = 
0x026e00401a026e003b31428de007ac0fdd2b2cceb02df8b1a42f0000000000000000fbc267c343bceaf89088ea12252a9bb2dcd001fc2d44b63b007374657665
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = 'steve'
     State = 0x7fd644537fb85e0993bf77b0297ba359
server inner-tunnel {
(7) # Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel
(7)   authorize {
(7)   update control {
(7)         Proxy-To-Realm := 'LOCAL'
(7)   } # update control = noop
(7) eap : EAP packet type response id 110 length 64
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7)   [eap] = updated
(7) files : users: Matched entry steve at line 73
(7)   [files] = ok
(7)   [expiration] = noop
(7)   [logintime] = noop
(7)  } #  authorize = updated
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does 
not exist!  Cancelling invalid proxy request.
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)   authenticate {
(7) eap : Expiring EAP session with state 0x7fd644537fb85e09
(7) eap : Finished EAP session with state 0x7fd644537fb85e09
(7) eap : Previous EAP request found for state 0x7fd644537fb85e09, 
released from the list
(7) eap : Peer sent MSCHAPv2 (26)
(7) eap : EAP MSCHAPv2 (26)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : # Executing group from file 
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2 :  Auth-Type MS-CHAP {
(7) mschap : Creating challenge hash with username: steve
(7) mschap : Client is using MS-CHAPv2 for steve, we need NT-Password
(7) mschap : adding MS-CHAPv2 MPPE keys
(7)   [mschap] = ok
(7)  } # Auth-Type MS-CHAP = ok
MSCHAP Success
(7) eap : New EAP session, adding 'State' attribute to reply 
0x7fd644537eb95e09
(7)   [eap] = handled
(7)  } #  authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
     EAP-Message = 
0x016f00331a036e002e533d31383634364643383531363741383643463942363038383739423942413331364333353331394638
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x7fd644537eb95e0993bf77b0297ba359
(7) eap_peap : Got tunneled reply RADIUS code 11
     EAP-Message = 
0x016f00331a036e002e533d31383634364643383531363741383643463942363038383739423942413331364333353331394638
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x7fd644537eb95e0993bf77b0297ba359
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918afc26083
(7)   [eap] = handled
(7)  } #  authenticate = handled
Sending Access-Challenge of id 7 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 
0x016f008b19001703010080c56df7652dbf41fee6b4832b29090561a9fd805201afb233e16d79603cbaeb60b8a3f94a479bce399c00c3e88102df06050b5323c9a637591e8ba44a5432d66405fcb8defc54563ee88021742024f1db54b1563b7712336ac82a8e00b4ca6772e1af90cb871ce1f6c47c44abb26785bcfa666f5831f2fc182c75d9cfa4adfa6c
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918afc260834e7c8f387fecd2a4
(7) Finished request 7.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=8, length=268
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 
0x026f005019001703010020404ffa3d8eeb64f193cbd53ce3f076375e056bdfad2bd18e1872a531f0255d8d1703010020692b6b2267cca6f533fefe2ef002ffa43dc996478e67f0b5616525b6b42e6734
     State = 0xa8ad7918afc260834e7c8f387fecd2a4
     Message-Authenticator = 0x9e18d6688f17f7809fc45666b204cfae
(8) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(8)   authorize {
(8)   filter_username filter_username {
(8)    ? if (User-Name != "%{tolower:%{User-Name}}")
(8)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(8)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(8)    ? if (User-Name =~ / /)
(8)    ? if (User-Name =~ / /)  -> FALSE
(8)    ? if (User-Name =~ /@.*@/ )
(8)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(8)    ? if (User-Name =~ /\\.\\./ )
(8)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(8)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(8)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(8)    ? if (User-Name =~ /\\.$/)
(8)    ? if (User-Name =~ /\\.$/)   -> FALSE
(8)    ? if (User-Name =~ /@\\./)
(8)    ? if (User-Name =~ /@\\./)   -> FALSE
(8)   } # filter_username filter_username = notfound
(8)   [preprocess] = ok
(8) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(8) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(8) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(8)   [auth_log] = ok
(8) files : users: Matched entry steve at line 73
(8)   [files] = ok
(8)   ? if (control:wifi_key != "true")
(8)     expand: "true" -> 'true'
(8)   ? if (control:wifi_key != "true")  -> FALSE
(8) eap : EAP packet type response id 111 length 80
(8) eap : Continuing tunnel setup.
(8)   [eap] = ok
(8)  } #  authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/wifi
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x7fd644537eb95e09
(8) eap : Finished EAP session with state 0xa8ad7918afc26083
(8) eap : Previous EAP request found for state 0xa8ad7918afc26083, 
released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established.  Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
     EAP-Message = 0x026f00061a03
server wifi {
(8) eap_peap : Setting User-Name to steve
Sending tunneled request
     EAP-Message = 0x026f00061a03
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = 'steve'
     State = 0x7fd644537eb95e0993bf77b0297ba359
server inner-tunnel {
(8) # Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel
(8)   authorize {
(8)   update control {
(8)         Proxy-To-Realm := 'LOCAL'
(8)   } # update control = noop
(8) eap : EAP packet type response id 111 length 6
(8) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(8)   [eap] = ok
(8)  } #  authorize = ok
(8) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does 
not exist!  Cancelling invalid proxy request.
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x7fd644537eb95e09
(8) eap : Finished EAP session with state 0x7fd644537eb95e09
(8) eap : Previous EAP request found for state 0x7fd644537eb95e09, 
released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap : Freeing handler
(8)   [eap] = ok
(8)  } #  authenticate = ok
(8) Login OK: [steve] (from client localhost port 0 via TLS tunnel)
(8) # Executing section post-auth from file 
/etc/raddb/sites-enabled/inner-tunnel
(8)   post-auth {
(8) reply_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/reply-detail-20140423'
(8) reply_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/reply-detail-20140423
(8) reply_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(8)   [reply_log] = ok
(8)  } #  post-auth = ok
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 2
     MS-MPPE-Encryption-Policy = Encryption-Allowed
     MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
     MS-MPPE-Send-Key = 0x2a51646e02232b7a173294c32b02f17d
     MS-MPPE-Recv-Key = 0xfdfe6721674eb1149424aff2f50fc6d7
     EAP-Message = 0x036f0004
     Message-Authenticator = 0x00000000000000000000000000000000
     User-Name = 'steve'
(8) eap_peap : Got tunneled reply RADIUS code 2
     MS-MPPE-Encryption-Policy = Encryption-Allowed
     MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
     MS-MPPE-Send-Key = 0x2a51646e02232b7a173294c32b02f17d
     MS-MPPE-Recv-Key = 0xfdfe6721674eb1149424aff2f50fc6d7
     EAP-Message = 0x036f0004
     Message-Authenticator = 0x00000000000000000000000000000000
     User-Name = 'steve'
(8) eap_peap : Tunneled authentication was successful.
(8) eap_peap : SUCCESS
(8) eap : New EAP session, adding 'State' attribute to reply 
0xa8ad7918a0dd6083
(8)   [eap] = handled
(8)  } #  authenticate = handled
Sending Access-Challenge of id 8 from ::1 port 1812 to ::1 port 48165
     EAP-Message = 
0x0170002b19001703010020661348a387664b2e5c94ba8323f1a67114ac711a1c4e04edfb13c9f820005322
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xa8ad7918a0dd60834e7c8f387fecd2a4
(8) Finished request 8.
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host ::1 port 48165, id=9, length=268
     User-Name = 'steve'
     NAS-IPv6-Address = ::1
     Called-Station-Id = '6C-88-14-A8-C3-EC:kcfam'
     NAS-Port-Type = Wireless-802.11
     NAS-Port = 1
     Calling-Station-Id = '30-D6-C9-6C-44-4B'
     Connect-Info = 'CONNECT 54Mbps 802.11g'
     Acct-Session-Id = '53583CBF-00000000'
     Framed-MTU = 1400
     EAP-Message = 
0x0270005019001703010020ae37a2e2decf022da362f42e0e65a167adb06bb829e50734034c82ed7f591f7c1703010020e9139a89dbb6bf66f2f6ec32d49e2be2a4359a5e31e09662e644e09cc5312b33
     State = 0xa8ad7918a0dd60834e7c8f387fecd2a4
     Message-Authenticator = 0xbc2e93f9e92baad2d86a265f15c2537a
(9) # Executing section authorize from file /etc/raddb/sites-enabled/wifi
(9)   authorize {
(9)   filter_username filter_username {
(9)    ? if (User-Name != "%{tolower:%{User-Name}}")
(9)     expand: "%{tolower:%{User-Name}}" -> 'steve'
(9)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(9)    ? if (User-Name =~ / /)
(9)    ? if (User-Name =~ / /)  -> FALSE
(9)    ? if (User-Name =~ /@.*@/ )
(9)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(9)    ? if (User-Name =~ /\\.\\./ )
(9)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(9)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(9)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> 
FALSE
(9)    ? if (User-Name =~ /\\.$/)
(9)    ? if (User-Name =~ /\\.$/)   -> FALSE
(9)    ? if (User-Name =~ /@\\./)
(9)    ? if (User-Name =~ /@\\./)   -> FALSE
(9)   } # filter_username filter_username = notfound
(9)   [preprocess] = ok
(9) auth_log :     expand: 
"/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" 
-> '/var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423'
(9) auth_log : 
/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radacct/0:0:0:0:0:0:0:1/auth-detail-20140423
(9) auth_log :     expand: "%t" -> 'Wed Apr 23 22:22:25 2014'
(9)   [auth_log] = ok
(9) files : users: Matched entry steve at line 73
(9)   [files] = ok
(9)   ? if (control:wifi_key != "true")
(9)     expand: "true" -> 'true'
(9)   ? if (control:wifi_key != "true")  -> FALSE
(9) eap : EAP packet type response id 112 length 80
(9) eap : Continuing tunnel setup.
(9)   [eap] = ok
(9)  } #  authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/wifi
(9)   authenticate {
(9) eap : Expiring EAP session with state 0xa8ad7918a0dd6083
(9) eap : Finished EAP session with state 0xa8ad7918a0dd6083
(9) eap : Previous EAP request found for state 0xa8ad7918a0dd6083, 
released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established.  Decoding tunneled attributes.
(9) eap_peap : Peap state send tlv success
(9) eap_peap : Received EAP-TLV response.
(9) eap_peap : Success
(9) WARNING: eap_peap : No information to cache: session 
caching will be disabled for session 
63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a
   SSL: Removing session 
63a4c7ded1e2923518111d54f2f3b342ce1254b65d63095b6c09615c3be6a78a from 
the cache
(9) eap : Freeing handler
(9)   [eap] = ok
(9)  } #  authenticate = ok
(9) Login OK: [steve] (from client localhost port 1 cli 
30-D6-C9-6C-44-4B)
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/wifi
(9)   post-auth {
(9)   remove_reply_message_if_eap remove_reply_message_if_eap {
(9)    ? if (reply:EAP-Message && reply:Reply-Message)
(9)    ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(9)    else else {
(9)     [noop] = noop
(9)    } # else else = noop
(9)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9)  } #  post-auth = noop
Sending Access-Accept of id 9 from ::1 port 1812 to ::1 port 48165
     MS-MPPE-Recv-Key = 
0xdad7c775b865f270124273715d138d7c0cc248810d14fb66c6874cf11108813c
     MS-MPPE-Send-Key = 
0xd6f9da11a8547d1cb1da34c491e18a5ff2eb7e06a90cef54b47b2156f727ba7e
     EAP-Message = 0x03700004
     Message-Authenticator = 0x00000000000000000000000000000000
     User-Name = 'steve'
(9) Finished request 9.
Waking up in 0.2 seconds.
Waking up in 4.5 seconds.
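
Added example (not part of the original post and not FreeRADIUS code): a small decoder for the tunneled EAP-Message values in the debug output above, showing that the server proposes inner EAP type 26 (MSCHAPv2) right after "Setting default EAP type for tunneled EAP session" and that the supplicant answers that proposal. The function names and the NAK packet are constructed for illustration; the other hex strings are copied from the log, and the type numbers are the standard EAP ones.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 4: "MD5-Challenge", 6: "GTC",
             13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def decode_eap(hex_str):
    """Decode one EAP packet given as the hex string printed by radiusd -X."""
    text = hex_str.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes given" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "type": None, "detail": None}
    if code in (1, 2):                      # only Request/Response carry a type
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        etype, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, str(etype))
        if etype == 1:                      # Identity: data is the user name
            pkt["detail"] = data.decode("utf-8", "replace")
        elif etype == 3:                    # NAK: list of types the peer wants
            pkt["detail"] = [EAP_TYPES.get(t, str(t)) for t in data]
        elif etype == 26 and data:          # MSCHAPv2: first byte is the OpCode
            pkt["detail"] = MSCHAPV2_OPCODES.get(data[0], str(data[0]))
    return pkt


def summarize_phase2(messages):
    """Report which inner method the server proposed and how the peer reacted."""
    proposed, accepted, nak = None, False, None
    for msg in messages:
        p = decode_eap(msg)
        if p["code"] == "Request" and p["type"] not in (None, "Identity"):
            if proposed is None:
                proposed = p["type"]        # first non-Identity request = proposal
        elif p["code"] == "Response" and p["type"] == "NAK":
            nak = p["detail"]               # peer refused and listed alternatives
        elif p["code"] == "Response" and proposed and p["type"] == proposed:
            accepted = True                 # peer answered in the proposed method
    return {"server_proposed": proposed, "peer_accepted": accepted,
            "peer_nak_wants": nak}


# Tunneled EAP-Message values copied from requests 6 and 8 of the log above
# (the 64-byte MSCHAPv2 Response from request 7 is left out for brevity).
PAGE_TUNNELED = [
    "0x026d000a017374657665",
    "0x016e001f1a016e001a1099100e6ba285ffc3d073d4e27ed041457374657665",
    "0x026f00061a03",
    "0x036f0004",
]

# Constructed conversation: same first two packets, then a NAK asking for GTC,
# the kind of packet behind an "EAP type NAK (3)" debug line.
CONSTRUCTED_NAK = PAGE_TUNNELED[:2] + ["0x026e00060306"]

if __name__ == "__main__":
    for m in PAGE_TUNNELED + CONSTRUCTED_NAK[2:]:
        print(m[:24].ljust(24), decode_eap(m))
    print(summarize_phase2(PAGE_TUNNELED))
    print(summarize_phase2(CONSTRUCTED_NAK))
```

Whether a NAK leads to a different inner method or to a reject is decided by the server, so the summary for a live capture shows what was actually negotiated regardless of what the supplicant UI had selected.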






