LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Tue Jun 3 12:43:08 CEST 2014


>
> Thank you guys very much. Really. I will now move forward to configuring
> EAP-PEAP, PAP was just a test :)
>

Hi again,

So I managed to put the LDAP-Group attribute into the reply using PAP, but
after configuring PEAP-MSCHAPv2 and getting it to work, of course there is
no attribute in the reply :)
I understand that, in EAP authentication, the eap module returns from the
authorize section before getting to ldap, to avoid the overload of querying
the ldap server on each packet that forms the TLS conversation. So I thought
of filling the reply in the post-auth section. But, if I do it in the default
server, it doesn't know about the groups (i.e. LDAP-Group is empty), and if I
do it in the inner-tunnel server, the tunneled reply to the default server
contains my attribute, but then I don't know how to put it into the
Access-Accept response to the client.

Am I understanding anything wrong? How can I send the attribute back to the
client?

This is the (huge) debug output, I hope it helps. The attribute in the
tunneled reply is close to the end of processing request (9).

Received Access-Request Id 57 from 192.168.60.1:1029 to 192.168.50.62:1812
length 190
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020000090170657065
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x270ccc8fe82858ae31fc9d5a5694d683
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0)    --> pepe
(0)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)     if (User-Name =~ / /)
(0)     if (User-Name =~ / /)  -> FALSE
(0)     if (User-Name =~ /@.*@/ )
(0)     if (User-Name =~ /@.*@/ )  -> FALSE
(0)     if (User-Name =~ /\\.\\./ )
(0)     if (User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (User-Name =~ /\\.$/)
(0)     if (User-Name =~ /\\.$/)   -> FALSE
(0)     if (User-Name =~ /@\\./)
(0)     if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : EAP packet type response id 0 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply
0xca8f630eca8e6799
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge Id 57 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message = 0x0101001604109ed4c50cadd454cb460331c800fcad9e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630eca8e6799cfb856ad0867eff6
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 58 from 192.168.60.1:1029 to 192.168.50.62:1812
length 205
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020100060319
        State = 0xca8f630eca8e6799cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x18795b931bfaf56efabdb28a3686c1a0
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)     if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1)    --> pepe
(1)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(1)     if (User-Name =~ / /)
(1)     if (User-Name =~ / /)  -> FALSE
(1)     if (User-Name =~ /@.*@/ )
(1)     if (User-Name =~ /@.*@/ )  -> FALSE
(1)     if (User-Name =~ /\\.\\./ )
(1)     if (User-Name =~ /\\.\\./ )  -> FALSE
(1)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(1)     if (User-Name =~ /\\.$/)
(1)     if (User-Name =~ /\\.$/)   -> FALSE
(1)     if (User-Name =~ /@\\./)
(1)     if (User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(1) suffix : No such realm "NULL"
(1)   [suffix] = noop
(1) eap : EAP packet type response id 1 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap :    --> (uid=pepe)
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap :    --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=pepe)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org"
(1) ldap : No cacheable group memberships found in user object
(1) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(1) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap :    --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : Added control:Ldap-Group with value "alumnos"
(1) ldap : Processing user attributes
(1) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(1)   [ldap] = ok
(1)   foreach &control:LDAP-Group
(1)    update reply {
(1) EXPAND %{Foreach-Variable-0}
(1)    --> alumnos
(1)     &Ruckus-User-Groups += '"alumnos"'
(1)    } # update reply = noop
(1)   } # foreach &control:LDAP-Group = noop
(1)   [expiration] = noop
(1)   [logintime] = noop
(1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(1) WARNING: pap : Auth-Type already set.  Not setting to PAP
(1)   [pap] = noop
(1)  } #  authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap : Expiring EAP session with state 0xca8f630eca8e6799
(1) eap : Finished EAP session with state 0xca8f630eca8e6799
(1) eap : Previous EAP request found for state 0xca8f630eca8e6799, released
from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply
0xca8f630ecb8d7a99
(1)   [eap] = handled
(1)  } #  authenticate = handled
Sending Access-Challenge Id 58 from 192.168.50.62:1812 to 192.168.60.1:1029
        Ruckus-User-Groups += 'alumnos'
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ecb8d7a99cfb856ad0867eff6
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 59 from 192.168.60.1:1029 to 192.168.50.62:1812
length 439
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x020200f01980000000e616030100e1010000dd0301538da51e65239cb8a55acf5ff0eb03fd
d8156b28e4af029cf2308a4915a336be2086b31f1ebc8b0665e550b08be38a3cc114343f316a
8200c02dac3c19dc43a6ce0054c014c00ac022c02100390038c00fc0050035c012c008c01cc0
1b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200
0500040015001200090014001100080006000300ff01000040000b000403000102000a003400
32000e000d0019000b000c00180009000a001600170008000600070014001500040005001200
13000100020003000f00100011
        State = 0xca8f630ecb8d7a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x4b8481af020203d0b05505729a042b74
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2)    --> pepe
(2)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(2)     if (User-Name =~ / /)
(2)     if (User-Name =~ / /)  -> FALSE
(2)     if (User-Name =~ /@.*@/ )
(2)     if (User-Name =~ /@.*@/ )  -> FALSE
(2)     if (User-Name =~ /\\.\\./ )
(2)     if (User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(2)     if (User-Name =~ /\\.$/)
(2)     if (User-Name =~ /\\.$/)   -> FALSE
(2)     if (User-Name =~ /@\\./)
(2)     if (User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(2) suffix : No such realm "NULL"
(2)   [suffix] = noop
(2) eap : EAP packet type response id 2 length 240
(2) eap : Continuing tunnel setup.
(2)   [eap] = ok
(2)  } #  authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap : Expiring EAP session with state 0xca8f630ecb8d7a99
(2) eap : Finished EAP session with state 0xca8f630ecb8d7a99
(2) eap : Previous EAP request found for state 0xca8f630ecb8d7a99, released
from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
  TLS Length 230
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap :     (other): before/accept initialization
(2) eap_peap :     TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello
  SSL: Client requested cached session
86b31f1ebc8b0665e550b08be38a3cc114343f316a8200c02dac3c19dc43a6ce
(2) eap_peap :     TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap :     TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
(2) eap_peap :     TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap :     TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap :     TLS_accept: SSLv3 write server done A
(2) eap_peap :     TLS_accept: SSLv3 flush data
(2) eap_peap :     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply
0xca8f630ec88c7a99
(2)   [eap] = handled
(2)  } #  authenticate = handled
Sending Access-Challenge Id 59 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ec88c7a99cfb856ad0867eff6
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 60 from 192.168.60.1:1029 to 192.168.50.62:1812
length 205
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020300061900
        State = 0xca8f630ec88c7a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x9dc6fad55ff41f34da41ec0bf1ec9f30
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3)   authorize {
(3)   filter_username filter_username {
(3)     if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3)    --> pepe
(3)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(3)     if (User-Name =~ / /)
(3)     if (User-Name =~ / /)  -> FALSE
(3)     if (User-Name =~ /@.*@/ )
(3)     if (User-Name =~ /@.*@/ )  -> FALSE
(3)     if (User-Name =~ /\\.\\./ )
(3)     if (User-Name =~ /\\.\\./ )  -> FALSE
(3)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(3)     if (User-Name =~ /\\.$/)
(3)     if (User-Name =~ /\\.$/)   -> FALSE
(3)     if (User-Name =~ /@\\./)
(3)     if (User-Name =~ /@\\./)   -> FALSE
(3)   } # filter_username filter_username = notfound
(3)   [preprocess] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(3) suffix : No such realm "NULL"
(3)   [suffix] = noop
(3) eap : EAP packet type response id 3 length 6
(3) eap : Continuing tunnel setup.
(3)   [eap] = ok
(3)  } #  authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap : Expiring EAP session with state 0xca8f630ec88c7a99
(3) eap : Finished EAP session with state 0xca8f630ec88c7a99
(3) eap : Previous EAP request found for state 0xca8f630ec88c7a99, released
from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply
0xca8f630ec98b7a99
(3)   [eap] = handled
(3)  } #  authenticate = handled
Sending Access-Challenge Id 60 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message =
0x010403e81940f08a7c1b2dd8c2953a42092c40256f3c95aead6ca24e42eb6c1922b09e14b1
acbecd87e846237acd2d2b9421114a92a0fece98830605e1b5299bda2f3c687c04b964250562
c495fda180e34903539504d24ed41219657467513bbee3da43aeceea7dc740779031ef400004
e5308204e1308203c9a003020102020900ae1eee72cb957415300d06092a864886f70d010105
0500308193310b3009060355040613024652310f300d06035504081306526164697573311230
1006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e
632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126
30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
301e170d3134303532363039303731395a170d3134303732353039303731395a308193310b30
09060355040613024652310f300d060355040813065261646975733112301006035504071309
536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609
2a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313
1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d0609
2a864886f70d0101010
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ec98b7a99cfb856ad0867eff6
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 61 from 192.168.60.1:1029 to 192.168.50.62:1812
length 205
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020400061900
        State = 0xca8f630ec98b7a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0xad6ec1846f682592550dc811527c5c54
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4)   authorize {
(4)   filter_username filter_username {
(4)     if (User-Name != "%{tolower:%{User-Name}}")
(4) EXPAND %{tolower:%{User-Name}}
(4)    --> pepe
(4)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(4)     if (User-Name =~ / /)
(4)     if (User-Name =~ / /)  -> FALSE
(4)     if (User-Name =~ /@.*@/ )
(4)     if (User-Name =~ /@.*@/ )  -> FALSE
(4)     if (User-Name =~ /\\.\\./ )
(4)     if (User-Name =~ /\\.\\./ )  -> FALSE
(4)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(4)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(4)     if (User-Name =~ /\\.$/)
(4)     if (User-Name =~ /\\.$/)   -> FALSE
(4)     if (User-Name =~ /@\\./)
(4)     if (User-Name =~ /@\\./)   -> FALSE
(4)   } # filter_username filter_username = notfound
(4)   [preprocess] = ok
(4)   [chap] = noop
(4)   [mschap] = noop
(4)   [digest] = noop
(4) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(4) suffix : No such realm "NULL"
(4)   [suffix] = noop
(4) eap : EAP packet type response id 4 length 6
(4) eap : Continuing tunnel setup.
(4)   [eap] = ok
(4)  } #  authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap : Expiring EAP session with state 0xca8f630ec98b7a99
(4) eap : Finished EAP session with state 0xca8f630ec98b7a99
(4) eap : Previous EAP request found for state 0xca8f630ec98b7a99, released
from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply
0xca8f630ece8a7a99
(4)   [eap] = handled
(4)  } #  authenticate = handled
Sending Access-Challenge Id 61 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message =
0x010502ce190020417574686f72697479820900ae1eee72cb957415300c0603551d13040530
030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d
706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003
820101003e5b89120dcee4dd3ad38d4e613703d4c2957b440e989041bbc0b2104fab41bc1711
4e7375667726228cdebdd991df6adbbf6acedfbcce2a3db0fbfd52c6d8651795cafd46b86aee
ee792b917a8310520e406173fb9071650f734758316fd06c6087eacf393b241191332b5ef05a
c25e91f0c80a7f387385718f077a1ee574bed2485c2f29b926f9a5239f0545883a8b8f713c8b
cb1665b992027f88fd6112f30a4170b5151b86b36e837f6024d70e51dddaefbd8be228797820
17a7064bbc0dae176d5c5a3fb2db24c1da3162f9c8bb483e4e9c3e5f76cec3a49e9b43fd102d
447ecd12c1d9ee6df5a5b868bbefeb39d69430ff28323a319fdb076127784acb160301014b0c
0001470300174104fea48aea10507f3c75f6cb005ee1b4c4e2a4e786623cbb38de42515ee6b5
662d9077169a9410a493c39aab58eecb9e8de3543285de3d705827eb1db3f938badf01006d72
c4efb3261f9942aafdc842be559ec74dbe776adb63cefa3459b7cf267d903e22f3c041fa4b7b
ae6785cafa79e0a786b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ece8a7a99cfb856ad0867eff6
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 62 from 192.168.60.1:1029 to 192.168.50.62:1812
length 343
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x02050090198000000086160301004610000042410479b4717f31bae51b687e05b99075df4b
b1856c96fbfe390a87b7d36b18ca41f60eb3d2a9d537258b7fa71640d853fcf6150b47dee2d3
0e98b69a5fb481c4534f140301000101160301003014ff0d8ac2076da83713e58258b5f99418
0fc44d461386be015f393b3035ad1171b6e5c57e874ff69a763dc81cb36ba7
        State = 0xca8f630ece8a7a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0xa7191b4b593e3c54236169e6b5203703
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5)   authorize {
(5)   filter_username filter_username {
(5)     if (User-Name != "%{tolower:%{User-Name}}")
(5) EXPAND %{tolower:%{User-Name}}
(5)    --> pepe
(5)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(5)     if (User-Name =~ / /)
(5)     if (User-Name =~ / /)  -> FALSE
(5)     if (User-Name =~ /@.*@/ )
(5)     if (User-Name =~ /@.*@/ )  -> FALSE
(5)     if (User-Name =~ /\\.\\./ )
(5)     if (User-Name =~ /\\.\\./ )  -> FALSE
(5)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(5)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(5)     if (User-Name =~ /\\.$/)
(5)     if (User-Name =~ /\\.$/)   -> FALSE
(5)     if (User-Name =~ /@\\./)
(5)     if (User-Name =~ /@\\./)   -> FALSE
(5)   } # filter_username filter_username = notfound
(5)   [preprocess] = ok
(5)   [chap] = noop
(5)   [mschap] = noop
(5)   [digest] = noop
(5) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(5) suffix : No such realm "NULL"
(5)   [suffix] = noop
(5) eap : EAP packet type response id 5 length 144
(5) eap : Continuing tunnel setup.
(5)   [eap] = ok
(5)  } #  authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap : Expiring EAP session with state 0xca8f630ece8a7a99
(5) eap : Finished EAP session with state 0xca8f630ece8a7a99
(5) eap : Previous EAP request found for state 0xca8f630ece8a7a99, released
from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
  TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap :     TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap :     TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap :     TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap :     TLS_accept: SSLv3 write finished A
(5) eap_peap :     TLS_accept: SSLv3 flush data
  SSL: adding session
c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 to cache
(5) eap_peap :     (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply
0xca8f630ecf897a99
(5)   [eap] = handled
(5)  } #  authenticate = handled
Sending Access-Challenge Id 62 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message =
0x0106004119001403010001011603010030e86c26fec297bf39788828c4589d7577e227b84a
5eb138420d6ef40e47e7e8cba3a6701ae4e5ffedf8a018753ef42ccd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ecf897a99cfb856ad0867eff6
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 63 from 192.168.60.1:1029 to 192.168.50.62:1812
length 205
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020600061900
        State = 0xca8f630ecf897a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0xc0eadc0fa03eaeff5c483be15d22f364
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6)   authorize {
(6)   filter_username filter_username {
(6)     if (User-Name != "%{tolower:%{User-Name}}")
(6) EXPAND %{tolower:%{User-Name}}
(6)    --> pepe
(6)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(6)     if (User-Name =~ / /)
(6)     if (User-Name =~ / /)  -> FALSE
(6)     if (User-Name =~ /@.*@/ )
(6)     if (User-Name =~ /@.*@/ )  -> FALSE
(6)     if (User-Name =~ /\\.\\./ )
(6)     if (User-Name =~ /\\.\\./ )  -> FALSE
(6)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(6)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(6)     if (User-Name =~ /\\.$/)
(6)     if (User-Name =~ /\\.$/)   -> FALSE
(6)     if (User-Name =~ /@\\./)
(6)     if (User-Name =~ /@\\./)   -> FALSE
(6)   } # filter_username filter_username = notfound
(6)   [preprocess] = ok
(6)   [chap] = noop
(6)   [mschap] = noop
(6)   [digest] = noop
(6) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(6) suffix : No such realm "NULL"
(6)   [suffix] = noop
(6) eap : EAP packet type response id 6 length 6
(6) eap : Continuing tunnel setup.
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap : Expiring EAP session with state 0xca8f630ecf897a99
(6) eap : Finished EAP session with state 0xca8f630ecf897a99
(6) eap : Previous EAP request found for state 0xca8f630ecf897a99, released
from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established.  Decoding tunneled attributes.
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply
0xca8f630ecc887a99
(6)   [eap] = handled
(6)  } #  authenticate = handled
Sending Access-Challenge Id 63 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message =
0x0107002b19001703010020e0aa5b04d6aa89c3c3dff6c898c14e79f97226a9a4c4a2f022eb
6fb0211eddf5
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ecc887a99cfb856ad0867eff6
(6) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 64 from 192.168.60.1:1029 to 192.168.50.62:1812
length 279
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x020700501900170301002052facbcbec6c260e7bb68e6a35007c6466738131cd920e082330
6467c90e0a0c1703010020b79cd0543dfeaca9f333a95ee6172dcedd22c3e48f21c123221486
35c70eabdb
        State = 0xca8f630ecc887a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0xe8b6f273a507fc0af2321e0350f85b33
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7)   authorize {
(7)   filter_username filter_username {
(7)     if (User-Name != "%{tolower:%{User-Name}}")
(7) EXPAND %{tolower:%{User-Name}}
(7)    --> pepe
(7)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(7)     if (User-Name =~ / /)
(7)     if (User-Name =~ / /)  -> FALSE
(7)     if (User-Name =~ /@.*@/ )
(7)     if (User-Name =~ /@.*@/ )  -> FALSE
(7)     if (User-Name =~ /\\.\\./ )
(7)     if (User-Name =~ /\\.\\./ )  -> FALSE
(7)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(7)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(7)     if (User-Name =~ /\\.$/)
(7)     if (User-Name =~ /\\.$/)   -> FALSE
(7)     if (User-Name =~ /@\\./)
(7)     if (User-Name =~ /@\\./)   -> FALSE
(7)   } # filter_username filter_username = notfound
(7)   [preprocess] = ok
(7)   [chap] = noop
(7)   [mschap] = noop
(7)   [digest] = noop
(7) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(7) suffix : No such realm "NULL"
(7)   [suffix] = noop
(7) eap : EAP packet type response id 7 length 80
(7) eap : Continuing tunnel setup.
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   authenticate {
(7) eap : Expiring EAP session with state 0xca8f630ecc887a99
(7) eap : Finished EAP session with state 0xca8f630ecc887a99
(7) eap : Previous EAP request found for state 0xca8f630ecc887a99, released
from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established.  Decoding tunneled attributes.
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - pepe
(7) eap_peap : Got inner identity 'pepe'
(7) eap_peap : Setting default EAP type for tunneled EAP session.
(7) eap_peap : Got tunneled request
        EAP-Message = 0x020700090170657065
server default {
(7) eap_peap : Setting User-Name to pepe
Sending tunneled request
        EAP-Message = 0x020700090170657065
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'pepe'
server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7)   authorize {
(7)   [chap] = noop
(7)   [mschap] = noop
(7) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(7) suffix : No such realm "NULL"
(7)   [suffix] = noop
(7)   update control {
(7)     Proxy-To-Realm := 'LOCAL'
(7)   } # update control = noop
(7) eap : EAP packet type response id 7 length 9
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7)   authenticate {
(7) eap : Peer sent Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0x1645b1d8164dab8d
(7)   [eap] = handled
(7)  } #  authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
        EAP-Message = 0x0108001e1a0108001910bbd4fd9f1f0a5645beda85a017a0f3dc70657065
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1645b1d8164dab8dd6731ee8f2d6baee
(7) eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message = 0x0108001e1a0108001910bbd4fd9f1f0a5645beda85a017a0f3dc70657065
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1645b1d8164dab8dd6731ee8f2d6baee
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ecd877a99
(7)   [eap] = handled
(7)  } #  authenticate = handled
Sending Access-Challenge Id 64 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message = 0x0108003b190017030100305f90b63728008ace293a7eea7acfd4ffacbfe34c9d563f14a92a8a43346d37e0824fd6fe46cbc9055d4a134736848188
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ecd877a99cfb856ad0867eff6
(7) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 65 from 192.168.60.1:1029 to 192.168.50.62:1812
length 279
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x02080050190017030100203473db8280b34a767ce26f397ff62cdc7cc7f0099a2d80ca106366d6d5caf5c017030100203c97bbd6a210c6828e4909146fb2b2691b7f080691a5bef688f0bad376b6e868
        State = 0xca8f630ecd877a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x495d782bdbd78da86a4983c344e19fa9
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8)   authorize {
(8)   filter_username filter_username {
(8)     if (User-Name != "%{tolower:%{User-Name}}")
(8) EXPAND %{tolower:%{User-Name}}
(8)    --> pepe
(8)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(8)     if (User-Name =~ / /)
(8)     if (User-Name =~ / /)  -> FALSE
(8)     if (User-Name =~ /@.*@/ )
(8)     if (User-Name =~ /@.*@/ )  -> FALSE
(8)     if (User-Name =~ /\\.\\./ )
(8)     if (User-Name =~ /\\.\\./ )  -> FALSE
(8)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(8)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(8)     if (User-Name =~ /\\.$/)
(8)     if (User-Name =~ /\\.$/)   -> FALSE
(8)     if (User-Name =~ /@\\./)
(8)     if (User-Name =~ /@\\./)   -> FALSE
(8)   } # filter_username filter_username = notfound
(8)   [preprocess] = ok
(8)   [chap] = noop
(8)   [mschap] = noop
(8)   [digest] = noop
(8) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(8) suffix : No such realm "NULL"
(8)   [suffix] = noop
(8) eap : EAP packet type response id 8 length 80
(8) eap : Continuing tunnel setup.
(8)   [eap] = ok
(8)  } #  authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x1645b1d8164dab8d
(8) eap : Finished EAP session with state 0xca8f630ecd877a99
(8) eap : Previous EAP request found for state 0xca8f630ecd877a99, released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established.  Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type NAK (3)
(8) eap_peap : Got tunneled request
        EAP-Message = 0x020800060306
server default {
(8) eap_peap : Setting User-Name to pepe
Sending tunneled request
        EAP-Message = 0x020800060306
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'pepe'
        State = 0x1645b1d8164dab8dd6731ee8f2d6baee
server inner-tunnel {
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authorize {
(8)   [chap] = noop
(8)   [mschap] = noop
(8) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(8) suffix : No such realm "NULL"
(8)   [suffix] = noop
(8)   update control {
(8)     Proxy-To-Realm := 'LOCAL'
(8)   } # update control = noop
(8) eap : EAP packet type response id 8 length 6
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8)   [eap] = updated
(8)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap :    --> (uid=pepe)
(8) ldap : EXPAND dc=ejemplo,dc=org
(8) ldap :    --> dc=ejemplo,dc=org
(8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub'
(8) ldap : Waiting for search result...
(8) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org"
(8) ldap : No cacheable group memberships found in user object
(8) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(8) ldap :    --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))
(8) ldap : EXPAND dc=ejemplo,dc=org
(8) ldap :    --> dc=ejemplo,dc=org
(8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub'
(8) ldap : Waiting for search result...
(8) ldap : Added control:Ldap-Group with value "alumnos"
(8) ldap : Processing user attributes
(8) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(8)   [ldap] = ok
(8)   [expiration] = noop
(8)   [logintime] = noop
(8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(8) WARNING: pap : Auth-Type already set.  Not setting to PAP
(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x1645b1d8164dab8d
(8) eap : Finished EAP session with state 0x1645b1d8164dab8d
(8) eap : Previous EAP request found for state 0x1645b1d8164dab8d, released
from the list
(8) eap : Peer sent NAK (3)
(8) eap : Found mutually acceptable type GTC (6)
(8) eap : Calling eap_gtc to process EAP data
(8) eap_gtc : EXPAND Password:
(8) eap_gtc :    --> Password:
(8) eap : New EAP session, adding 'State' attribute to reply 0x1645b1d8174cb78d
(8)   [eap] = handled
(8)  } #  authenticate = handled
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
        EAP-Message = 0x0109000f0650617373776f72643a20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1645b1d8174cb78dd6731ee8f2d6baee
(8) eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message = 0x0109000f0650617373776f72643a20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1645b1d8174cb78dd6731ee8f2d6baee
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec2867a99
(8)   [eap] = handled
(8)  } #  authenticate = handled
Sending Access-Challenge Id 65 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message = 0x0109002b19001703010020caf64314c5598dd575e14665e2a59335a049eb1b1bb0277577858139c4f4ec75
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ec2867a99cfb856ad0867eff6
(8) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 66 from 192.168.60.1:1029 to 192.168.50.62:1812
length 279
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x0209005019001703010020538fa0dc38c725a5913db62915e6c2abfec057b909e3690370b4ab58378960f1170301002067278a7eee3f5ae726b5d57b88604a2aaea43ab9690c860123061ff69664eeb1
        State = 0xca8f630ec2867a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0x487be75e55a52fa5f63ef7daf993adf7
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9)   authorize {
(9)   filter_username filter_username {
(9)     if (User-Name != "%{tolower:%{User-Name}}")
(9) EXPAND %{tolower:%{User-Name}}
(9)    --> pepe
(9)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(9)     if (User-Name =~ / /)
(9)     if (User-Name =~ / /)  -> FALSE
(9)     if (User-Name =~ /@.*@/ )
(9)     if (User-Name =~ /@.*@/ )  -> FALSE
(9)     if (User-Name =~ /\\.\\./ )
(9)     if (User-Name =~ /\\.\\./ )  -> FALSE
(9)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(9)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(9)     if (User-Name =~ /\\.$/)
(9)     if (User-Name =~ /\\.$/)   -> FALSE
(9)     if (User-Name =~ /@\\./)
(9)     if (User-Name =~ /@\\./)   -> FALSE
(9)   } # filter_username filter_username = notfound
(9)   [preprocess] = ok
(9)   [chap] = noop
(9)   [mschap] = noop
(9)   [digest] = noop
(9) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(9) suffix : No such realm "NULL"
(9)   [suffix] = noop
(9) eap : EAP packet type response id 9 length 80
(9) eap : Continuing tunnel setup.
(9)   [eap] = ok
(9)  } #  authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   authenticate {
(9) eap : Expiring EAP session with state 0x1645b1d8174cb78d
(9) eap : Finished EAP session with state 0xca8f630ec2867a99
(9) eap : Previous EAP request found for state 0xca8f630ec2867a99, released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established.  Decoding tunneled attributes.
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type GTC (6)
(9) eap_peap : Got tunneled request
        EAP-Message = 0x020900090631323334
server default {
(9) eap_peap : Setting User-Name to pepe
Sending tunneled request
        EAP-Message = 0x020900090631323334
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'pepe'
        State = 0x1645b1d8174cb78dd6731ee8f2d6baee
server inner-tunnel {
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(9)   authorize {
(9)   [chap] = noop
(9)   [mschap] = noop
(9) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(9) suffix : No such realm "NULL"
(9)   [suffix] = noop
(9)   update control {
(9)     Proxy-To-Realm := 'LOCAL'
(9)   } # update control = noop
(9) eap : EAP packet type response id 9 length 9
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9)   [eap] = updated
(9)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(9) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap :    --> (uid=pepe)
(9) ldap : EXPAND dc=ejemplo,dc=org
(9) ldap :    --> dc=ejemplo,dc=org
(9) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=pepe)', scope 'sub'
(9) ldap : Waiting for search result...
(9) ldap : User object found at DN "uid=pepe,ou=usuarios,dc=ejemplo,dc=org"
(9) ldap : No cacheable group memberships found in user object
(9) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(9) ldap :    --> (&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))
(9) ldap : EXPAND dc=ejemplo,dc=org
(9) ldap :    --> dc=ejemplo,dc=org
(9) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3dpepe\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub'
(9) ldap : Waiting for search result...
(9) ldap : Added control:Ldap-Group with value "alumnos"
(9) ldap : Processing user attributes
(9) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(9)   [ldap] = ok
(9)   [expiration] = noop
(9)   [logintime] = noop
(9) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(9) WARNING: pap : Auth-Type already set.  Not setting to PAP
(9)   [pap] = noop
(9)  } #  authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap : Expiring EAP session with state 0x1645b1d8174cb78d
(9) eap : Finished EAP session with state 0x1645b1d8174cb78d
(9) eap : Previous EAP request found for state 0x1645b1d8174cb78d, released
from the list
(9) eap : Peer sent GTC (6)
(9) eap : EAP GTC (6)
(9) eap : Calling eap_gtc to process EAP data
(9) eap_gtc : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(9) eap_gtc :  Auth-Type PAP {
(9) pap : Login attempt with password
(9) pap : User authenticated successfully
(9)   [pap] = ok
(9)  } # Auth-Type PAP = ok
(9) eap : Freeing handler
(9)   [eap] = ok
(9)  } #  authenticate = ok
(9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
(9)   post-auth {
(9)   foreach &control:LDAP-Group
(9)    update reply {
(9) EXPAND %{Foreach-Variable-0}
(9)    --> alumnos
(9)     &Ruckus-User-Groups += '"alumnos"'
(9)    } # update reply = noop
(9)   } # foreach &control:LDAP-Group = noop
(9)  } #  post-auth = noop
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'pepe'
        Ruckus-User-Groups += 'alumnos'
(9) eap_peap : Got tunneled reply RADIUS code 2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'pepe'
        Ruckus-User-Groups += 'alumnos'
(9) eap_peap : Tunneled authentication was successful.
(9) eap_peap : SUCCESS
(9) eap : New EAP session, adding 'State' attribute to reply 0xca8f630ec3857a99
(9)   [eap] = handled
(9)  } #  authenticate = handled
Sending Access-Challenge Id 66 from 192.168.50.62:1812 to 192.168.60.1:1029
        EAP-Message = 0x010a002b190017030100205b7ee12b0a2696b56c42f6c24918e3681785771399db07b1c8cfbad9ca62977d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca8f630ec3857a99cfb856ad0867eff6
(9) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 67 from 192.168.60.1:1029 to 192.168.50.62:1812
length 279
        User-Name = 'pepe'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-1A-3E-58:PROFESORES'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-1A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020a0050190017030100200c397c9591c1268bd7b814eb79866a0858805aecfc20fe0ac79ba7895de7c2f817030100204548f278bc7712088f9eaaf184f171da93e1739d06d6c2b0f1a28981874b6d74
        State = 0xca8f630ec3857a99cfb856ad0867eff6
        Attr-26.25053.3 = 0x50524f4645534f524553
        Message-Authenticator = 0xb06ab02ab1591bf1b622790c69e22574
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10)   authorize {
(10)   filter_username filter_username {
(10)     if (User-Name != "%{tolower:%{User-Name}}")
(10) EXPAND %{tolower:%{User-Name}}
(10)    --> pepe
(10)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(10)     if (User-Name =~ / /)
(10)     if (User-Name =~ / /)  -> FALSE
(10)     if (User-Name =~ /@.*@/ )
(10)     if (User-Name =~ /@.*@/ )  -> FALSE
(10)     if (User-Name =~ /\\.\\./ )
(10)     if (User-Name =~ /\\.\\./ )  -> FALSE
(10)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(10)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(10)     if (User-Name =~ /\\.$/)
(10)     if (User-Name =~ /\\.$/)   -> FALSE
(10)     if (User-Name =~ /@\\./)
(10)     if (User-Name =~ /@\\./)   -> FALSE
(10)   } # filter_username filter_username = notfound
(10)   [preprocess] = ok
(10)   [chap] = noop
(10)   [mschap] = noop
(10)   [digest] = noop
(10) suffix : No '@' in User-Name = "pepe", looking up realm NULL
(10) suffix : No such realm "NULL"
(10)   [suffix] = noop
(10) eap : EAP packet type response id 10 length 80
(10) eap : Continuing tunnel setup.
(10)   [eap] = ok
(10)  } #  authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10)   authenticate {
(10) eap : Expiring EAP session with state 0xca8f630ec3857a99
(10) eap : Finished EAP session with state 0xca8f630ec3857a99
(10) eap : Previous EAP request found for state 0xca8f630ec3857a99, released from the list
(10) eap : Peer sent PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established.  Decoding tunneled attributes.
(10) eap_peap : Peap state send tlv success
(10) eap_peap : Received EAP-TLV response.
(10) eap_peap : Success
(10) WARNING: eap_peap : No information to cache: session caching will be disabled for session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297
  SSL: Removing session c3af38d6dd50905c7ad47b7db409e605af5a4f51654183fd63bbe48598a79297 from the cache
(10) eap : Freeing handler
(10)   [eap] = ok
(10)  } #  authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(10)   post-auth {
(10)   [exec] = noop
(10)   remove_reply_message_if_eap remove_reply_message_if_eap {
(10)     if (reply:EAP-Message && reply:Reply-Message)
(10)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(10)    else else {
(10)     [noop] = noop
(10)    } # else else = noop
(10)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10)  } #  post-auth = noop
Sending Access-Accept Id 67 from 192.168.50.62:1812 to 192.168.60.1:1029
        MS-MPPE-Recv-Key = 0xc9c36837fb4ba931d68c0c220281df76f734659afdaa1689de4da23226379ac9
        MS-MPPE-Send-Key = 0x4337f2058e9c6e489945200a6f5f9a95330b36b4a386e491a03979e721635748
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'pepe'
(10) Finished request
Waking up in 0.1 seconds.
Waking up in 4.4 seconds.
(0) Cleaning up request packet ID 57 with timestamp +9
(1) Cleaning up request packet ID 58 with timestamp +9
(2) Cleaning up request packet ID 59 with timestamp +9
(3) Cleaning up request packet ID 60 with timestamp +9
(4) Cleaning up request packet ID 61 with timestamp +9
(5) Cleaning up request packet ID 62 with timestamp +9
(6) Cleaning up request packet ID 63 with timestamp +9
(7) Cleaning up request packet ID 64 with timestamp +9
(8) Cleaning up request packet ID 65 with timestamp +9
(9) Cleaning up request packet ID 66 with timestamp +9
(10) Cleaning up request packet ID 67 with timestamp +9
Ready to process requests.
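The trace shows what is going wrong: in request (9) the inner-tunnel server's post-auth builds `Ruckus-User-Groups += 'alumnos'` and it appears in the tunneled reply, but in request (10) the outer `default` server sends an Access-Accept carrying only the MPPE keys, EAP-Message, Message-Authenticator and User-Name. The inner-tunnel reply list and the outer reply list are separate, and FreeRADIUS does not merge them unless told to. The following configuration is an added example, not part of the original post or of the FreeRADIUS default files; it assumes FreeRADIUS 3.0.x (the version whose debug format the trace shows) and the file layout under /etc/freeradius/ that the trace prints. It shows the two ways of getting the attribute into the outer Access-Accept: the blanket `use_tunneled_reply` switch in the PEAP section of the eap module, and a selective `update outer.reply` in the inner-tunnel post-auth, which writes straight into the outer request's reply list.

```unlang
# --- Option A: mods-available/eap, inside the eap { } block ---
# With use_tunneled_reply = yes, every attribute in the inner-tunnel
# reply (User-Name, Ruckus-User-Groups, ...) is copied into the outer
# reply once the tunneled authentication succeeds. No policy needed,
# but you cannot pick and choose what leaves the tunnel.
peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes        # stock value is "no"
        virtual_server = "inner-tunnel"
}

# --- Option B: sites-available/inner-tunnel, post-auth section ---
# Leave use_tunneled_reply = no and write only the attributes you want
# into the OUTER reply list. "outer.reply" is the reply of the request
# the NAS actually sent, so anything placed here goes into the final
# Access-Accept, while the inner reply stays as it was.
post-auth {
        foreach &control:LDAP-Group {
                update outer.reply {
                        &Ruckus-User-Groups += "%{Foreach-Variable-0}"
                }
        }
}
```

To verify, run `radiusd -X` again and check that the final `Sending Access-Accept` block (the one with the MS-MPPE keys, request (10) in the trace) now lists `Ruckus-User-Groups`; the tunneled reply in request (9) already did, so that line is not the one to watch. Two caveats worth noting from the trace itself. First, option A also copies the inner User-Name to the outer reply, which is what you want when clients use an anonymous outer identity and the controller should see the real one, but it is a deliberate disclosure of the inner identity to the NAS. Second, although the post describes PEAP-MSCHAPv2, request (8) shows the supplicant NAKing MSCHAPv2 and the server falling back to GTC, and request (9) shows the password arriving as a plaintext GTC token and being checked against a cleartext LDAP password; if MSCHAPv2 is the intended inner method, fix the supplicant's inner-method setting, or the tunnel will keep carrying the bare password.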