Secrets to getting Windows 8.1 to connect to PEAP-TTLS and PAP
Alex Gregory
alex at c2company.com
Thu Aug 14 20:29:15 CEST 2014
Are there any secrets to getting Win 8.1 client to connect with TTLS and PAP? I have done all of the custom settings in the network config but the server is just ignoring those settings and choosing to try TLS with certs even though I have TTLS selected client side. As of 8.1 is this supposed to work natively inside the OS? Are there any tips to getting it to work? My Mac clients connect fine with a profile created and pushed.
Thanks,
Alex
P.S.
Just in case here is the output - BTW the URL in the error at the bottom is:
http://wiki.freeradius.org/Certificate_Compatibility (which forwards to http://wiki.freeradius.org/create/Certificate_Compatibility and needs to authenticate)
should this be:
http://wiki.freeradius.org/guide/Certificate-Compatibility ?
root@openldap ~# freeradius -X
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 0.0.0.0/0 {
require_message_authenticator = no
secret = "supersecretsecret"
nastype = "other"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "supersecretsecret"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "localhost"
port = 389
password = "supersecretpassword"
identity = "cn=admin,dc=team,dc=company,dc=com"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "ou=Users,dc=team,dc=company,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x1585070
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 40922
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=238, length=215
User-Name = "joeuser"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202000c016a6f6575736572
Message-Authenticator = 0xc497ede93a97c9c7ca14600aa7a34cb5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "joeuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for joeuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> joeuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser)
[ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ=="
[ldap] looking for reply items in directory...
[ldap] user joeuser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 238 to xxx.xxx.xxx.xxx port 32768
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed6525f7ed663089b8218754dbe49259
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=239, length=330
User-Name = "joeuser"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0203006d158000000063160301005e0100005a030153ecfe8c41fb05d4be0db49380ac2117339a05970e400027fc9e188f772b01ac000018c014c0130035002fc00ac00900380032000a00130005000401000019ff01000100000a0006000400170018000b0002010000230000
State = 0xed6525f7ed663089b8218754dbe49259
Message-Authenticator = 0xe7b0a3ce6ee4d2a08b64284b15610fd3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "joeuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 109
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 99
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 005e], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 239 to xxx.xxx.xxx.xxx port 32768
EAP-Message = 0x0104040015c000000460160301003902000035030153ecfe8b473327ed0607aed0ec6cec3726d01ac8da0842fbcdb3fd8a5cbc272300c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a
EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304
EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23
EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c0001470300174104f70fc638876015314276bcccdabe2440aad56a3917572ed7a87f0ba4c26f5351c6d0a46f43b1f83dc2b5f7ae786ec0c7a334dac6db2de6dd502a3f7a0f0b7284010056e37efc9925fbb9aa1151fabeb552c39dd8d874facd2371c9732c85d7b0acf8d655082daaaf20e401afa2103f7000ca74f791a31dd8f59a44ad57b08cf2e9d0d351e378d148a4b581f4a1abd3ec78bec92a8d3bb1431a932a45b757e3e0b0c1ad7c17745e3595cf2fab67df52f256060228ced8e8a6409d58aac91a8e8c4ad4b7db8c8c45ea9457fd36ae010cbc89e780d7f6
EAP-Message = 0xbacd4f2fa71734998aea28f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed6525f7ec613089b8218754dbe49259
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=240, length=227
User-Name = "joeuser"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061500
State = 0xed6525f7ec613089b8218754dbe49259
Message-Authenticator = 0xf111afd88c78687ff4aa2eef1f17a0d1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "joeuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 240 to xxx.xxx.xxx.xxx port 32768
EAP-Message = 0x0105007415800000046006a4ad2d954ab98d347d80ffe5e4296b00b806a0a46e2983f027daa7afe8737a814be4e3c2f7bfb6e843bf83511520b211abf8b0f9ed67ca009f43704d492682c5f871c77485c4032e8e5f5ad8dafde1cfc2700cccf1b4c32df117b96b0e530db316030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed6525f7ef603089b8218754dbe49259
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=241, length=365
User-Name = "joeuser"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500901580000000861603010046100000424104f036a69ecb1ba13c2f4819fdc2d56f1b71d50a96f86eea7fa05ffe8beaea8254033a11d7d6a0116adb797210ceccb081aa171f75ed257305ddedc502bd164c6e1403010001011603010030cf4dbf96b0aa2afb8a7ab99bba1c049a38c2a0ef029bbadce9e2fea5becece66b318dd62d481e5216f1b2b0d8e5b5cf0
State = 0xed6525f7ef603089b8218754dbe49259
Message-Authenticator = 0x49bfce06950321a5dd2ca7c61e2bcb9f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "joeuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 241 to xxx.xxx.xxx.xxx port 32768
EAP-Message = 0x0106004515800000003b1403010001011603010030f3cf5808ab343198558fd70b33f85ba4c376b3c43fc8aad4f22e4addea3814a164b0813d022c503300c184a18a58ac78
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed6525f7ee633089b8218754dbe49259
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 238 with timestamp +87
Cleaning up request 1 ID 239 with timestamp +87
Cleaning up request 2 ID 240 with timestamp +87
Cleaning up request 3 ID 241 with timestamp +87
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xed6525f7ee633089 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
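An added example, not part of Alex's post and not FreeRADIUS code. Read as a transcript, the debug output above shows the server selecting EAP-TTLS (eap.conf has default_eap_type = "ttls" and each round logs "[eap] EAP/ttls"), so the TLS handshake in the log is the TTLS outer tunnel rather than EAP-TLS. The outer handshake completes ("SSL Connection Established"; Access-Challenge id 241 carries the server's Finished), the client never sends another packet, and after the cleanup timer the server prints the "EAP session ... did not finish" warning for the last State it issued. The script below parses radiusd -X output of this shape: it stitches the rounds of one EAP conversation together by matching the State attribute each Access-Challenge hands out against the State the next Access-Request echoes back, records which TLS messages crossed the tunnel, and reports at which point a stalled session stopped. It assumes FreeRADIUS 2.x debug line formats (the "[ttls] <<< TLS ..." and "Sending Access-Challenge of id ..." lines seen above); the sample log embedded in it is a constructed, condensed excerpt of the output in the post with the attribute hex dropped.

```python
# Added example: chain the per-round State values in FreeRADIUS 2.x `radiusd -X`
# output into EAP conversations and report where each one stopped.
import re
from dataclasses import dataclass, field

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
RE_STATE = re.compile(r"^State = (0x[0-9a-fA-F]+)$")
RE_SEND = re.compile(r"^Sending (Access-Challenge|Access-Accept|Access-Reject) of id \d+")
RE_TLS = re.compile(r"^\[\w+\] (<<<|>>>) TLS [\d.]+ (\w+) \[length [0-9a-f]+\](?:, (\w+))?")
RE_WARN = re.compile(r"EAP session for state (0x[0-9a-fA-F]+) did not finish")
OUTCOME = {"Access-Challenge": "in progress", "Access-Accept": "accepted", "Access-Reject": "rejected"}

# Constructed sample: a condensed excerpt of the debug output in the post above
# (attribute hex and module return lines dropped; ids and State values are the real ones).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=238, length=215
# Executing section authorize from file /etc/freeradius/sites-enabled/default
Sending Access-Challenge of id 238 to xxx.xxx.xxx.xxx port 32768
\tState = 0xed6525f7ed663089b8218754dbe49259
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=239, length=330
\tState = 0xed6525f7ed663089b8218754dbe49259
# Executing section authorize from file /etc/freeradius/sites-enabled/default
[ttls] <<< TLS 1.0 Handshake [length 005e], ClientHello
[ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Sending Access-Challenge of id 239 to xxx.xxx.xxx.xxx port 32768
\tState = 0xed6525f7ec613089b8218754dbe49259
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=240, length=227
\tState = 0xed6525f7ec613089b8218754dbe49259
# Executing section authorize from file /etc/freeradius/sites-enabled/default
Sending Access-Challenge of id 240 to xxx.xxx.xxx.xxx port 32768
\tState = 0xed6525f7ef603089b8218754dbe49259
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=241, length=365
\tState = 0xed6525f7ef603089b8218754dbe49259
# Executing section authorize from file /etc/freeradius/sites-enabled/default
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
SSL Connection Established
Sending Access-Challenge of id 241 to xxx.xxx.xxx.xxx port 32768
\tState = 0xed6525f7ee633089b8218754dbe49259
WARNING: !! EAP session for state 0xed6525f7ee633089 did not finish!
"""

@dataclass
class Conversation:
    packet_ids: list = field(default_factory=list)  # RADIUS ids, in order
    events: list = field(default_factory=list)      # what crossed the wire
    last_state: str = ""                            # State we last handed out
    outcome: str = "in progress"

def parse(text):
    # Each Access-Challenge carries a fresh State and the next Access-Request echoes
    # it back; that echo is what stitches the rounds into one conversation.
    convs, by_state, cur, phase, packet_id = [], {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_WARN.search(line):               # server prints a truncated State here
            for c in convs:
                if c.last_state.startswith(m.group(1)):
                    c.outcome = "stalled"
        elif m := RE_RECV.match(line):
            phase, cur, packet_id = "request", None, int(m.group(1))
        elif phase == "request":
            if m := RE_STATE.match(line):           # echoed State: continue that session
                cur = by_state.get(m.group(1))
            elif line.startswith("# Executing section authorize"):
                if cur is None:                     # no or unknown State: new session
                    cur = Conversation()
                    convs.append(cur)
                cur.packet_ids.append(packet_id)
                phase = "processing"
        elif phase == "processing":
            if m := RE_TLS.match(line):
                direction = "recv" if m.group(1) == "<<<" else "send"
                cur.events.append(f"{direction} {m.group(3) or m.group(2)}")
            elif line == "SSL Connection Established":
                cur.events.append("tls established")
            elif line.startswith("[ttls] Session established"):
                cur.events.append("tunnel data")    # inner (PAP etc.) data arrived
            elif m := RE_SEND.match(line):
                cur.outcome, phase = OUTCOME[m.group(1)], "reply"
        elif phase == "reply":
            if m := RE_STATE.match(line):           # the State the client must echo next
                cur.last_state = m.group(1)
                by_state[m.group(1)] = cur
    return convs

def diagnose(conv):
    # Explain a stalled session by how far the TTLS exchange got.
    if conv.outcome != "stalled":
        return conv.outcome
    if "tunnel data" in conv.events:
        return "stalled inside the tunnel: inner authentication never completed"
    if "tls established" in conv.events:
        return ("TLS handshake completed and the server sent its Finished, but the client "
                "never sent tunneled data: it gave up at the point where the supplicant "
                "checks the server certificate against its validation settings")
    if "recv ClientHello" in conv.events:
        return "client stopped mid-handshake after receiving the server Certificate"
    return "client never answered the EAP-TTLS Start"

def analyze(text):
    return [(c.packet_ids, c.outcome, diagnose(c)) for c in parse(text)]
```

Feed a saved transcript with analyze(open("debug.log").read()); on the sample it yields one conversation, ids 238 to 241, outcome "stalled", with the "handshake completed but no tunneled data" diagnosis. A conversation that instead carries a "[ttls] Session established" line made it into the tunnel, so any failure after that point is an inner-tunnel (PAP/LDAP) problem rather than a certificate one.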