Inner Tunnel User-Name - PEAP/MSCHAPV2

Chris Arg grkcharge at gmail.com
Fri Dec 12 18:23:23 CET 2014


> No.
> You have to look at the rest of the debug output to see what’s going on.
> The update blocks don’t return any code.  They just pass through the code
> which was there before the update block was run.

Okay, that makes sense.

Quick overview of what I think/see is happening. I'm sure it's wrong so
please correct me.

Packet 8 comes in. Post-Proxy is run and the update to outer.session-state
happens. Access-Challenge is sent and the state is cached.
Packet 9 comes in. It's an Access-Request packet which triggers the
previously cached information to be retrieved. This packet only gets to the
authenticate section before a new Access-Challenge is sent causing the
current state to be cached.
Packet 10 comes in. It's an Access-Request which retrieves the previous
state information. Post-Auth in sites-enabled/default is run which executes
update for &reply: += &session-state:. This results in a No attributes
updated because the previous state didn't have any.

(8) Received Access-Request Id 70 from 172.23.242.165:1645 to
192.168.244.230:1812 length 324
(8)   User-Name = 'anon1337'
(8)   Service-Type = Framed-User
(8)   Framed-IP-Address = 192.168.243.38
(8)   Framed-MTU = 1500
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Calling-Station-Id = '00-00-00-00-BB-BB'
(8)   EAP-Message =
0x02850090190017030100202521e17eceb019efb0902fa8d72d8a2ab02ee389663711a72de20381703010060063a3571bfc98199485cf8b5551527d58e1b7a9a751e7038a60a127be872aeae13bd67e7a165c1c52406b3ee64c85566d8e621cbfb38969e243d9e34bae87fb1f5b
(8)   Message-Authenticator = 0xe39116b3135152d0ee52e3258
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50002
(8)   NAS-Port-Id = 'FastEthernet0/2'
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   State = 0x0fd7c6d30852dfc3c063e5767e205a4d
(8)   NAS-IP-Address = 172.23.242.165
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL
(8) ntdomain: No such realm "NULL"
(8)     [ntdomain] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent code Response (2) ID 133 length 144
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xd3877aa8d3026065
(8) eap: Finished EAP session with state 0x0fd7c6d30852dfc3
(8) eap: Previous EAP request found for state 0x0fd7c6d30852dfc3, released
from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message =
0x028500481a02850043312e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b400676c6f6
(8) eap_peap: Setting User-Name to mydomain\user000
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message =
0x028500481a02850043312e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b400676c6f6
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = 'mydomain\user000'
(8) eap_peap:   State = 0xd3877aa8d30260658703aed2f073d630
(8) eap_peap:   Service-Type = Framed-User
(8) eap_peap:   Framed-IP-Address = 192.168.243.38
(8) eap_peap:   Framed-MTU = 1500
(8) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(8) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(8) eap_peap:   Calling-Station-Id = '00-00-00-00-BB-BB'
(8) eap_peap:   NAS-Port-Type = Ethernet
(8) eap_peap:   NAS-Port = 50002
(8) eap_peap:   NAS-Port-Id = 'FastEthernet0/2'
(8) eap_peap:   NAS-IP-Address = 172.23.242.165
(8) eap_peap:   Event-Timestamp = 'Dec 12 2014 11:27:58 EST'
(8) Virtual server received request
(8)   EAP-Message =
0x028500481a02850043312e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b400
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = 'mydomain\user000'
(8)   State = 0xd3877aa8d30260658703aed2f073d630
(8)   Service-Type = Framed-User
(8)   Framed-IP-Address = 192.168.243.38
(8)   Framed-MTU = 1500
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Calling-Station-Id = '00-00-00-00-BB-BB'
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50002
(8)   NAS-Port-Id = 'FastEthernet0/2'
(8)   NAS-IP-Address = 172.23.242.165
(8)   Event-Timestamp = 'Dec 12 2014 11:27:58 EST'
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000"
(8) ntdomain: Found realm "mydomain"
(8) ntdomain: Adding Realm = "mydomain"
(8) ntdomain: Proxying request from user mydomain\user000 to realm mydomain
(8) ntdomain: Preparing to proxy authentication request to realm "mydomain"
(8)       [ntdomain] = updated
(8) suffix: Request already has destination realm set.  Ignoring
(8)       [suffix] = noop
(8) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP.
(8)       [eap] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) eap_peap: Got tunneled reply code 0
(8) eap_peap: Calling authenticate in order to initiate tunneled EAP session
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xd3877aa8d3026065
(8) eap: Finished EAP session with state 0xd3877aa8d3026065
(8) eap: Previous EAP request found for state 0xd3877aa8d3026065, released
from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: cancelling authentication and letting it be proxied
(8) eap: No EAP proxy set.  Not composing EAP
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) eap_peap: Tunnelled authentication will be proxied to mydomain
(8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy
(8) eap: Tunneled session will be proxied.  Not doing EAP
(8)     [eap] = handled
(8)   } # authenticate = handled
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 57020
(8) Proxying request to home server 192.168.1.103 port 1812 timeout
30.000000
(8) Sent Access-Request Id 247 from 0.0.0.0:57020 to 192.168.1.103:1812
length 255
(8)   User-Name = 'mydomain\user000'
(8)   Service-Type = Framed-User
(8)   Framed-IP-Address = 192.168.243.38
(8)   Framed-MTU = 1500
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Called-Station-Id = '00-00-00-00-AA-AA'
(8)   Calling-Station-Id = '00-00-00-00-BB-BB'
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 50002
(8)   NAS-Port-Id = 'FastEthernet0/2'
(8)   NAS-IP-Address = 172.23.242.165
(8)   Event-Timestamp = 'Dec 12 2014 11:27:58 EST'
(8)   MS-CHAP-Challenge = 0xc3ecc897daed3f010d860fe7ae1331c3
(8)   MS-CHAP2-Response =
0x856c2e31704e23166e02ecec68b8b34d2e400000000000000000ed732d4aae8a94fa2b2afbfdd05b5c78e9dc7b3b9dbb99b4
(8)   Message-Authenticator := 0x00
(8)   Proxy-State = 0x3730
(8) Received Access-Accept Id 247 from 192.168.1.103:1812 to
192.168.244.230:57020 length 256
(8)   Proxy-State = 0x3730
(8)   Framed-Protocol = PPP
(8)   Service-Type = Framed-User
(8)   Class =
0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b0000000000054507
(8)   MS-MPPE-Recv-Key = 0x6f6da555aa52c08a69f1d40ab379f27d
(8)   MS-MPPE-Send-Key = 0xd848d864c43408713a143c15f3c9344c
(8)   MS-CHAP2-Success =
0x85533d43323141433136344334303733393138383343353235354643414645363330314630384133343839
(8)   MS-CHAP-Domain = '\205MYDOMAIN'
(8)   MS-Link-Utilization-Threshold = 50
(8)   MS-Link-Drop-Time-Limit = 120
(8) # Executing section post-proxy from file
/etc/raddb/sites-enabled/default
(8)   post-proxy {
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel
server inner-tunnel {
(8) eap: Passing reply back for EAP-MS-CHAP-V2
(8) # Executing section post-proxy from file
/etc/raddb/sites-enabled/inner-tunnel
(8)   post-proxy {
(8)     update {
(8)       &outer.session-state:Proxy-State += &reply:Proxy-State -> 0x3730
(8)       &outer.session-state:Framed-Protocol += &reply:Framed-Protocol ->
PPP
(8)       &outer.session-state:Service-Type += &reply:Service-Type ->
Framed-User
(8)       &outer.session-state:Class += &reply:Class ->
0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc
(8)       &outer.session-state:MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key
-> 0x6f6da555aa52c08a69
(8)       &outer.session-state:MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key
-> 0xd848d864c4340871
(8)       &outer.session-state:MS-CHAP2-Success += &reply:MS-CHAP2-Success
-> 0x85533d433231414331363443343037333931383833433532353546434146453
(8)       &outer.session-state:MS-CHAP-Domain += &reply:MS-CHAP-Domain ->
'\205MYDOMAIN'
(8)       &outer.session-state:MS-Link-Utilization-Threshold +=
&reply:MS-Link-Utilization-Threshold -> 50
(8)       &outer.session-state:MS-Link-Drop-Time-Limit +=
&reply:MS-Link-Drop-Time-Limit -> 120
(8)     } # update = noop
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel 2.
(8) eap: Proxied authentication succeeded
MSCHAP Success
(8) eap: EAP session adding &reply:State = 0xd3877aa8d2016065
(8)     [eap] = ok
(8)   } # post-proxy = ok
} # server inner-tunnel
(8) eap: Final reply from tunneled session code 11
(8) eap:   Proxy-State = 0x3730
(8) eap:   Framed-Protocol = PPP
(8) eap:   Service-Type = Framed-User
(8) eap:   Class =
0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b
(8) eap:   MS-CHAP-Domain = '\205MYDOMAIN'
(8) eap:   MS-Link-Utilization-Threshold = 50
(8) eap:   MS-Link-Drop-Time-Limit = 120
(8) eap:   EAP-Message =
0x018600331a0385002e533d4332314143313634433430373339313838334335323535464341464536333
(8) eap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap:   State = 0xd3877aa8d20160658703aed2f073d630
(8) eap: Got reply 11
(8) eap: Got tunneled reply RADIUS code 11
(8) eap:   Proxy-State = 0x3730
(8) eap:   Framed-Protocol = PPP
(8) eap:   Service-Type = Framed-User
(8) eap:   Class =
0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c5b
(8) eap:   MS-CHAP-Domain = '\205MYDOMAIN'
(8) eap:   MS-Link-Utilization-Threshold = 50
(8) eap:   MS-Link-Drop-Time-Limit = 120
(8) eap:   EAP-Message =
0x018600331a0385002e533d4332314143313634433430373339313838334335323535464341464536
(8) eap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap:   State = 0xd3877aa8d20160658703aed2f073d630
(8) eap: Got tunneled Access-Challenge
(8) eap: Reply was handled
(8) eap: EAP session adding &reply:State = 0x0fd7c6d30751dfc3
(8)     [eap] = ok
(8)   } # post-proxy = ok
(8) Sent Access-Challenge Id 70 from 192.168.244.230:1812 to
172.23.242.165:1645 length 149
(8)   EAP-Message =
0x0186005b19001703010050d842dac4be474e61feb49b428f0dc15cb5b2dea5ae2a1d770b9905700a90190eb47cb97044cfadb837fc0e4cccfa20ac359de5e222fed03aa7a55e7e283d600dbe28cd55d6d9cde6cc552d7a571665b4
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x0fd7c6d30751dfc3c063e5767e205a4d
(8) Finished request
Waking up in 0.2 seconds.
Waking up in 3.3 seconds.
(9) Received Access-Request Id 71 from 172.23.242.165:1645 to
192.168.244.230:1812 length 260
(9)   User-Name = 'anon1337'
(9)   Service-Type = Framed-User
(9)   Framed-IP-Address = 192.168.243.38
(9)   Framed-MTU = 1500
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   Calling-Station-Id = '00-00-00-00-BB-BB'
(9)   EAP-Message =
0x0286005019001703010020942518f712e6644f26f85fbfe31548d38134a0beeddd00eda1355955a6524eba17030100201e10596c0804a765b2a43e3d627d6c0c87a8d524dd6e100d373d45e0a172046f
(9)   Message-Authenticator = 0x5cf80e7b5e5a27c09ad086ac15db2aac
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50002
(9)   NAS-Port-Id = 'FastEthernet0/2'
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   State = 0x0fd7c6d30751dfc3c063e5767e205a4d
(9)   NAS-IP-Address = 172.23.242.165
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)     [preprocess] = ok
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "anon1337", looking up realm NULL
(9) ntdomain: No such realm "NULL"
(9)     [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent code Response (2) ID 134 length 80
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xd3877aa8d2016065
(9) eap: Finished EAP session with state 0x0fd7c6d30751dfc3
(9) eap: Previous EAP request found for state 0x0fd7c6d30751dfc3, released
from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP type MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x028600061a03
(9) eap_peap: Setting User-Name to mydomain\user000
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap:   EAP-Message = 0x028600061a03
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = 'mydomain\user000'
(9) eap_peap:   State = 0xd3877aa8d20160658703aed2f073d630
(9) eap_peap:   Service-Type = Framed-User
(9) eap_peap:   Framed-IP-Address = 192.168.243.38
(9) eap_peap:   Framed-MTU = 1500
(9) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(9) eap_peap:   Called-Station-Id = '00-00-00-00-AA-AA'
(9) eap_peap:   Calling-Station-Id = '00-00-00-00-BB-BB'
(9) eap_peap:   NAS-Port-Type = Ethernet
(9) eap_peap:   NAS-Port = 50002
(9) eap_peap:   NAS-Port-Id = 'FastEthernet0/2'
(9) eap_peap:   NAS-IP-Address = 172.23.242.165
(9) eap_peap:   Event-Timestamp = 'Dec 12 2014 11:27:59 EST'
(9) Virtual server received request
(9)   EAP-Message = 0x028600061a03
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = 'mydomain\user000'
(9)   State = 0xd3877aa8d20160658703aed2f073d630
(9)   Service-Type = Framed-User
(9)   Framed-IP-Address = 192.168.243.38
(9)   Framed-MTU = 1500
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   Called-Station-Id = '00-00-00-00-AA-AA'
(9)   Calling-Station-Id = '00-00-00-00-BB-BB'
(9)   NAS-Port-Type = Ethernet
(9)   NAS-Port = 50002
(9)   NAS-Port-Id = 'FastEthernet0/2'
(9)   NAS-IP-Address = 172.23.242.165
(9)   Event-Timestamp = 'Dec 12 2014 11:27:59 EST'
(9) server inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9)     authorize {
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: Looking up realm "mydomain" for User-Name = "mydomain\user000"
(9) ntdomain: Found realm "mydomain"
(9) ntdomain: Adding Realm = "mydomain"
(9) ntdomain: Proxying request from user mydomain\user000 to realm mydomain
(9) ntdomain: Preparing to proxy authentication request to realm "mydomain"
(9)       [ntdomain] = updated
(9) suffix: Request already has destination realm set.  Ignoring
(9)       [suffix] = noop
(9) eap: Request is supposed to be proxied to Realm mydomain. Not doing EAP.
(9)       [eap] = noop
(9)       [expiration] = noop
(9)       [logintime] = noop
(9)       [pap] = noop
(9)     } # authorize = updated
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) eap_peap: Got tunneled reply code 0
(9) eap_peap: Calling authenticate in order to initiate tunneled EAP session
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xd3877aa8d2016065
(9) eap: Finished EAP session with state 0xd3877aa8d2016065
(9) eap: Previous EAP request found for state 0xd3877aa8d2016065, released
from the list
(9) eap: Peer sent method MSCHAPv2 (26)
(9) eap: EAP MSCHAPv2 (26)
(9) eap: Calling eap_mschapv2 to process EAP data
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap:   MS-MPPE-Send-Key = 0xd848d864c43408713a143c15f3c9344c
(9) eap_peap:   MS-MPPE-Recv-Key = 0x6f6da555aa52c08a69f1d40ab379f27d
(9) eap_peap:   Proxy-State = 0x3730
(9) eap_peap:   Framed-Protocol = PPP
(9) eap_peap:   Service-Type = Framed-User
(9) eap_peap:   Class =
0x3e5d044100000137000102000a02016700000000000000000000000001d006be3dc74c
5b0000000000054507
(9) eap_peap:   MS-CHAP-Domain = '\205MYDOMAIN'
(9) eap_peap:   MS-Link-Utilization-Threshold = 50
(9) eap_peap:   MS-Link-Drop-Time-Limit = 120
(9) eap_peap:   EAP-Message = 0x03860004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap:   User-Name = 'mydomain\user000'
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: EAP session adding &reply:State = 0x0fd7c6d30650dfc3
(9)     [eap] = handled
(9)   } # authenticate = handled
(9) Sent Access-Challenge Id 71 from 192.168.244.230:1812 to
172.23.242.165:1645 length 101
(9)   EAP-Message =
0x0187002b19001703010020b3abef85cebb3db0803d642e026b9f7004abecc69886888bb234
ec4bb9f1dfbf
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0x0fd7c6d30650dfc3c063e5767e205a4d
(9) Finished request
Waking up in 0.3 seconds.
(10) Received Access-Request Id 72 from 172.23.242.165:1645 to
192.168.244.230:1812 length 260
(10)   User-Name = 'anon1337'
(10)   Service-Type = Framed-User
(10)   Framed-IP-Address = 192.168.243.38
(10)   Framed-MTU = 1500
(10)   Called-Station-Id = '00-00-00-00-AA-AA'
(10)   Calling-Station-Id = '00-00-00-00-BB-BB'
(10)   EAP-Message =
0x028700501900170301002027b611569c3ac21656ebff7c931c6330b260d9c7685df6afe4d
631e191ef65641703010020277137daef7aa622436b04c068134830a1cf8c671d81b6c743bea4f440ebd25d
(10)   Message-Authenticator = 0xcae72c0f0b1bf4edc223132d46c7f042
(10)   NAS-Port-Type = Ethernet
(10)   NAS-Port = 50002
(10)   NAS-Port-Id = 'FastEthernet0/2'
(10)   Called-Station-Id = '00-00-00-00-AA-AA'
(10)   State = 0x0fd7c6d30650dfc3c063e5767e205a4d
(10)   NAS-IP-Address = 172.23.242.165
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10)   authorize {
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anon1337", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent code Response (2) ID 135 length 80
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0x0fd7c6d30650dfc3
(10) eap: Finished EAP session with state 0x0fd7c6d30650dfc3
(10) eap: Previous EAP request found for state 0x0fd7c6d30650dfc3, released
from the list
(10) eap: Peer sent method PEAP (25)
(10) eap: EAP PEAP (25)
(10) eap: Calling eap_peap to process EAP data
(10) eap_peap: processing EAP-TLS
(10) eap_peap: eaptls_verify returned 7
(10) eap_peap: Done initial handshake
(10) eap_peap: eaptls_process returned 7
(10) eap_peap: FR_TLS_OK
(10) eap_peap: Session established.  Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: No information to cache: session caching will be disabled for session 7f3018ef052364931aa2fc8b559a5cac5f8c7f4d7c81fa96d7848f7fa3ac77b3
  SSL: Removing session 7f3018ef052364931aa2fc8b559a5cac5f8c7f4d7c81fa96d7848f7fa3ac77b3 from the cache
(10) eap: Freeing handler
(10)     [eap] = ok
(10)   } # authenticate = ok
(10) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(10)   post-auth {
(10)     update {
(10)       No attributes updated
(10)     } # update = noop
(10)     [exec] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)   } # post-auth = noop
(10) Sent Access-Accept Id 72 from 192.168.244.230:1812 to
172.23.242.165:1645 length 170
(10)   MS-MPPE-Recv-Key = 0xffe49f5506d33369f1e22b38cd618e47ef03fbc24
(10)   MS-MPPE-Send-Key = 0xefc13185a69d26a600f7da511b76ef00c6d5d6ac5
(10)   EAP-Message = 0x03870004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = 'anon1337'
(10) Finished request
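
An added example, not part of the original post or of FreeRADIUS: a small Python script that reads debug output in the shape shown above and reports each request that wrote attributes to `&outer.session-state` where the follow-up request (matched on the `State` value) logged `session-state: No cached attributes` at the outer level. The sample log and its addresses and `State` values are constructed; treating any other unindented `session-state:` line as a successful restore is an assumption.

```python
import re

# Constructed, abridged sample in the shape of the radiusd debug output above.
SAMPLE = """\
(8) Received Access-Request Id 70 from 192.0.2.10:1645 to 192.0.2.1:1812 length 324
(8)   State = 0xaaaa0001
(8) session-state: No cached attributes
(8) Virtual server received request
(8)   State = 0xbbbb0001
(8)   session-state: No cached attributes
(8)       &outer.session-state:Framed-Protocol += &reply:Framed-Protocol ->
PPP
(8)       &outer.session-state:Class += &reply:Class -> 0x01
(8) Sent Access-Challenge Id 70 from 192.0.2.1:1812 to 192.0.2.10:1645 length 149
(8)   State = 0xaaaa0002
(9) Received Access-Request Id 71 from 192.0.2.10:1645 to 192.0.2.1:1812 length 260
(9)   State = 0xaaaa0002
(9) session-state: No cached attributes
(9) Sent Access-Challenge Id 71 from 192.0.2.1:1812 to 192.0.2.10:1645 length 101
(9)   State = 0xaaaa0003
"""

PREFIX = re.compile(r"^\((\d+)\) ?(.*)$")             # "(N) " request-number prefix
ATTR = re.compile(r"^  ([\w-]+) :?=\s*(\S*)")          # indented packet attribute line
OUTER_WRITE = re.compile(r"&outer\.session-state:([\w-]+) \+=")
SENT = re.compile(r"Sent Access-(Challenge|Accept|Reject)")  # replies to the NAS only

def parse(log):
    """Per request number: State received/sent, outer restore result, outer writes."""
    reqs, mode = {}, None
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                      # wrapped continuation or unnumbered line
        body = m.group(2)
        r = reqs.setdefault(int(m.group(1)), {"state_in": None, "state_out": None,
                                              "restored": None, "outer_writes": []})
        if body.startswith("Received Access-Request"):
            mode = "in"
        elif SENT.match(body):
            mode = "out"
        elif mode and (a := ATTR.match(body)):
            if a.group(1) == "State":
                r["state_" + mode] = a.group(2)
        else:
            mode = None                   # left the packet dump; tunnel attrs are skipped
            if body.startswith("session-state:"):    # unindented = outer server
                # Assumption: any other text here means attributes were restored.
                r["restored"] = "No cached attributes" not in body
            elif (w := OUTER_WRITE.search(body)):
                r["outer_writes"].append(w.group(1))
    return reqs

def lost_writes(reqs):
    """(writer, follow-up, attrs): follow-up presented the writer's State, restored nothing."""
    return [(n, k, r["outer_writes"])
            for n, r in sorted(reqs.items()) if r["outer_writes"] and r["state_out"]
            for k, f in sorted(reqs.items())
            if k > n and f["state_in"] == r["state_out"] and f["restored"] is False]

if __name__ == "__main__":
    for writer, follow, attrs in lost_writes(parse(SAMPLE)):
        print(f"request {writer} wrote {attrs}; request {follow} restored nothing")
```
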