LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Thu Jun 5 10:03:42 CEST 2014


>> Hi Enrique,
>>
>> Can you show us what the inner-tunnel post-auth section looks like? By
>> trimming down the debug output, we've lost that.
>>
>> If your inner-tunnel post-auth just uses "update reply {", then you may
>> wish to update it with "update outer.reply {", which should feed the
>> attribute back.
>>
>> Stefan
>
>Hi Stefan,
>
>I only added to postauth in inner-tunnel server configuration what I had in
>authorize in default server:
>
>foreach &control:LDAP-Group {
>	update reply {
>		&Ruckus-User-Groups += "%{Foreach-Variable-0}"
>	}
>}
>
>Now I changed it into update outer.reply and, instead of the attribute
>being added to the tunneled reply to the default server, it was added to the
>Access-Challenge that the default server sent to the client. Then, the
>client sends one last Access-Request and the server sends Access-Accept
>without the attribute. I am guessing that this last reply was done only by
>the default server, so the inner-tunnel didn't get to add anything. But if
>that's so, how can I add the attribute in the default server without
>querying LDAP on every packet that the server sends to set up the TLS
>conversation?
>
>Thanks again!

Hello again,

I am thinking that rlm_cache might be a good solution to my problem here.
However, I have been looking at config extracts from [1] (especially the
rlm_cache config and the virtual server config) and I still don't
understand how and where to call the module. I would like it to cache group
information (LDAP-Group, I guess) in the authorize inner-tunnel server,
because that's when that info is available, and then retrieve it before
sending the last Access-Accept response. The problem here is that (see the
debug output below) authorize in inner-tunnel is only executed for request
number (8). And I actually add the group info to the attribute I need it in,
but it gets sent to the client in the Access-Challenge that comes from
request (8). Then, in request (9) EAP handles the authorize section, so group
info is never available in inner-tunnel, and in request (10) (which is the
one that sends the Access-Accept) inner-tunnel isn't even run, so group info
is again never available.

Is rlm_cache the answer to my problems? If so, should I just call it in
authorize in inner-tunnel after ldap and then retrieve it in default server
post-auth? Or when/how? And if not, are there any other solutions to this?

Thanks very much! Here comes the debug output:


Received Access-Request Id 44 from 192.168.60.1:1024 to 192.168.50.62:1812
length 184
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x02000009016a75616e
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0x551c607a199f01eb0d0e81738caf9fce
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "juan", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : EAP packet type response id 0 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f2d24f6d
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge Id 44 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message = 0x010100160410cb20de385d1d546bfc7008d3203aad16
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f2d24f6dba0219098c99f6b0
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 45 from 192.168.60.1:1024 to 192.168.50.62:1812
length 199
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020100060319
        State = 0xf2d34be6f2d24f6dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0x5c681550b7e9d39a666e12cc187e7e41
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1)   authorize {
(1)   [preprocess] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1) suffix : No '@' in User-Name = "juan", looking up realm NULL
(1) suffix : No such realm "NULL"
(1)   [suffix] = noop
(1) eap : EAP packet type response id 1 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(1) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap :    --> (uid=juan)
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap :    --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(1) ldap : No cacheable group memberships found in user object
(1) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(1) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(1) ldap : EXPAND dc=ejemplo,dc=org
(1) ldap :    --> dc=ejemplo,dc=org
(1) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(1) ldap : Waiting for search result...
(1) ldap : Added control:Ldap-Group with value "profesores"
(1) ldap : Processing user attributes
(1) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(1)   [ldap] = ok
(1)   foreach &control:LDAP-Group
(1)    update reply {
(1) EXPAND %{Foreach-Variable-0}
(1)    --> profesores
(1)     &Ruckus-User-Groups += '"profesores"'
(1)    } # update reply = noop
(1)   } # foreach &control:LDAP-Group = noop
(1)   [expiration] = noop
(1)   [logintime] = noop
(1) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(1) WARNING: pap : Auth-Type already set.  Not setting to PAP
(1)   [pap] = noop
(1)  } #  authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap : Expiring EAP session with state 0xf2d34be6f2d24f6d
(1) eap : Finished EAP session with state 0xf2d34be6f2d24f6d
(1) eap : Previous EAP request found for state 0xf2d34be6f2d24f6d, released
from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : Flushing SSL sessions (of #0)
(1) eap_peap : Initiate
(1) eap_peap : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f3d1526d
(1)   [eap] = handled
(1)  } #  authenticate = handled
Sending Access-Challenge Id 45 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f3d1526dba0219098c99f6b0
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 46 from 192.168.60.1:1024 to 192.168.50.62:1812
length 433
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x020200f01980000000e616030100e1010000dd0301539023c86aa69faf2c7106399473d0b7
5b15d8dc6e8f9ca40f683448a44eb5962081c93bdccf265b22049421297ff8f45a11aab6cfa5
a4db2f469fbd9d378533190054c014c00ac022c02100390038c00fc0050035c012c008c01cc0
1b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200
0500040015001200090014001100080006000300ff01000040000b000403000102000a003400
32000e000d0019000b000c00180009000a001600170008000600070014001500040005001200
13000100020003000f00100011
        State = 0xf2d34be6f3d1526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0xa07d697dcd6a448d60b407c2f0c4c3c9
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2)   authorize {
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2) suffix : No '@' in User-Name = "juan", looking up realm NULL
(2) suffix : No such realm "NULL"
(2)   [suffix] = noop
(2) eap : EAP packet type response id 2 length 240
(2) eap : Continuing tunnel setup.
(2)   [eap] = ok
(2)  } #  authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap : Expiring EAP session with state 0xf2d34be6f3d1526d
(2) eap : Finished EAP session with state 0xf2d34be6f3d1526d
(2) eap : Previous EAP request found for state 0xf2d34be6f3d1526d, released
from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
  TLS Length 230
(2) eap_peap : Length Included
(2) eap_peap : eaptls_verify returned 11
(2) eap_peap :     (other): before/accept initialization
(2) eap_peap :     TLS_accept: before/accept initialization
(2) eap_peap : <<< TLS 1.0 Handshake [length 00e1], ClientHello
  SSL: Client requested cached session
81c93bdccf265b22049421297ff8f45a11aab6cfa5a4db2f469fbd9d37853319
(2) eap_peap :     TLS_accept: SSLv3 read client hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap :     TLS_accept: SSLv3 write server hello A
(2) eap_peap : >>> TLS 1.0 Handshake [length 08d0], Certificate
(2) eap_peap :     TLS_accept: SSLv3 write certificate A
(2) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap :     TLS_accept: SSLv3 write key exchange A
(2) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap :     TLS_accept: SSLv3 write server done A
(2) eap_peap :     TLS_accept: SSLv3 flush data
(2) eap_peap :     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f0d0526d
(2)   [eap] = handled
(2)  } #  authenticate = handled
Sending Access-Challenge Id 46 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x010303ec19c000000a8c1603010059020000550301537ab444850db3bb3136ea68af9bbafc
51f7770ffd02bcb00e393b3e88ff57de202a6565d47da8be010096c76ce138e64f1b9093d86f
f4ebbf83fd0676ff503bcdc01400000dff01000100000b00040300010216030108d00b0008cc
0008c90003de308203da308202c2a003020102020101300d06092a864886f70d010105050030
8193310b3009060355040613024652310f300d06035504081306526164697573311230100603
5504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31
20301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406
03550403131d4578616d706c6520436572746966696361746520417574686f72697479301e17
0d3134303532363039303731395a170d3134303732353039303731395a307c310b3009060355
040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d
706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274
696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e
636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b4d9
2a9bd1b2b267aad680a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f0d0526dba0219098c99f6b0
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 47 from 192.168.60.1:1024 to 192.168.50.62:1812
length 199
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020300061900
        State = 0xf2d34be6f0d0526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0xe309d5e5cdae1c0bbfa623be11903ab5
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3)   authorize {
(3)   [preprocess] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3) suffix : No '@' in User-Name = "juan", looking up realm NULL
(3) suffix : No such realm "NULL"
(3)   [suffix] = noop
(3) eap : EAP packet type response id 3 length 6
(3) eap : Continuing tunnel setup.
(3)   [eap] = ok
(3)  } #  authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap : Expiring EAP session with state 0xf2d34be6f0d0526d
(3) eap : Finished EAP session with state 0xf2d34be6f0d0526d
(3) eap : Previous EAP request found for state 0xf2d34be6f0d0526d, released
from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f1d7526d
(3)   [eap] = handled
(3)  } #  authenticate = handled
Sending Access-Challenge Id 47 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x010403e81940f08a7c1b2dd8c2953a42092c40256f3c95aead6ca24e42eb6c1922b09e14b1
acbecd87e846237acd2d2b9421114a92a0fece98830605e1b5299bda2f3c687c04b964250562
c495fda180e34903539504d24ed41219657467513bbee3da43aeceea7dc740779031ef400004
e5308204e1308203c9a003020102020900ae1eee72cb957415300d06092a864886f70d010105
0500308193310b3009060355040613024652310f300d06035504081306526164697573311230
1006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e
632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126
30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
301e170d3134303532363039303731395a170d3134303732353039303731395a308193310b30
09060355040613024652310f300d060355040813065261646975733112301006035504071309
536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609
2a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313
1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d0609
2a864886f70d0101010
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f1d7526dba0219098c99f6b0
(3) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 48 from 192.168.60.1:1024 to 192.168.50.62:1812
length 199
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020400061900
        State = 0xf2d34be6f1d7526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0x4cf4e096457ca42b66f081ffe62c56a3
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4)   authorize {
(4)   [preprocess] = ok
(4)   [chap] = noop
(4)   [mschap] = noop
(4)   [digest] = noop
(4) suffix : No '@' in User-Name = "juan", looking up realm NULL
(4) suffix : No such realm "NULL"
(4)   [suffix] = noop
(4) eap : EAP packet type response id 4 length 6
(4) eap : Continuing tunnel setup.
(4)   [eap] = ok
(4)  } #  authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap : Expiring EAP session with state 0xf2d34be6f1d7526d
(4) eap : Finished EAP session with state 0xf2d34be6f1d7526d
(4) eap : Previous EAP request found for state 0xf2d34be6f1d7526d, released
from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f6d6526d
(4)   [eap] = handled
(4)  } #  authenticate = handled
Sending Access-Challenge Id 48 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x010502ce190020417574686f72697479820900ae1eee72cb957415300c0603551d13040530
030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d
706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003
820101003e5b89120dcee4dd3ad38d4e613703d4c2957b440e989041bbc0b2104fab41bc1711
4e7375667726228cdebdd991df6adbbf6acedfbcce2a3db0fbfd52c6d8651795cafd46b86aee
ee792b917a8310520e406173fb9071650f734758316fd06c6087eacf393b241191332b5ef05a
c25e91f0c80a7f387385718f077a1ee574bed2485c2f29b926f9a5239f0545883a8b8f713c8b
cb1665b992027f88fd6112f30a4170b5151b86b36e837f6024d70e51dddaefbd8be228797820
17a7064bbc0dae176d5c5a3fb2db24c1da3162f9c8bb483e4e9c3e5f76cec3a49e9b43fd102d
447ecd12c1d9ee6df5a5b868bbefeb39d69430ff28323a319fdb076127784acb160301014b0c
000147030017410419d934713434dd24230ffad43111e2bfef9dd5657948bffa872bb594ce8d
14018e1319bd86c7b3dac03a66bfb00427b33eb856a705404f5c9c3698e7d0d32f5d01009ab4
07bae9b7b3d713700259aface19f0abd52ee93d0576038e3ce91fc6b9128cbde2ca0126a5dfb
be21dfc58e4e7a15e2a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f6d6526dba0219098c99f6b0
(4) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 49 from 192.168.60.1:1024 to 192.168.50.62:1812
length 337
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x020500901980000000861603010046100000424104160c81895c3d89fb344bb2e4235d88f5
a644a8dd981215a2895151d75ecc80abdf72f0c36bccddd3a313aba4a13f617bf209c8c3c3ab
6775877e878f6b94ab5c14030100010116030100304d156ceb95e04c21090a6054e72c32101a
edf9bbd1615936f5c2a6633e9ba093d8c6ec6aead5b6f9139aede59a1085fe
        State = 0xf2d34be6f6d6526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0x5962e73ff0cb81ca848b8d4b1643bbfc
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5)   authorize {
(5)   [preprocess] = ok
(5)   [chap] = noop
(5)   [mschap] = noop
(5)   [digest] = noop
(5) suffix : No '@' in User-Name = "juan", looking up realm NULL
(5) suffix : No such realm "NULL"
(5)   [suffix] = noop
(5) eap : EAP packet type response id 5 length 144
(5) eap : Continuing tunnel setup.
(5)   [eap] = ok
(5)  } #  authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap : Expiring EAP session with state 0xf2d34be6f6d6526d
(5) eap : Finished EAP session with state 0xf2d34be6f6d6526d
(5) eap : Previous EAP request found for state 0xf2d34be6f6d6526d, released
from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
  TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap :     TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap :     TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap :     TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap :     TLS_accept: SSLv3 write finished A
(5) eap_peap :     TLS_accept: SSLv3 flush data
  SSL: adding session
2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd to cache
(5) eap_peap :     (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f7d5526d
(5)   [eap] = handled
(5)  } #  authenticate = handled
Sending Access-Challenge Id 49 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x01060041190014030100010116030100305f1dd086b2fcda746ddd6675d050b616eb46f6c4
85ad33bcfb24708bea0b71f847df30874010c1109cf3718fccd5fb9c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f7d5526dba0219098c99f6b0
(5) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 50 from 192.168.60.1:1024 to 192.168.50.62:1812
length 199
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message = 0x020600061900
        State = 0xf2d34be6f7d5526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0xe204536505984e24186fbdb38c7d72a7
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6)   authorize {
(6)   [preprocess] = ok
(6)   [chap] = noop
(6)   [mschap] = noop
(6)   [digest] = noop
(6) suffix : No '@' in User-Name = "juan", looking up realm NULL
(6) suffix : No such realm "NULL"
(6)   [suffix] = noop
(6) eap : EAP packet type response id 6 length 6
(6) eap : Continuing tunnel setup.
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap : Expiring EAP session with state 0xf2d34be6f7d5526d
(6) eap : Finished EAP session with state 0xf2d34be6f7d5526d
(6) eap : Previous EAP request found for state 0xf2d34be6f7d5526d, released
from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established.  Decoding tunneled attributes.
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f4d4526d
(6)   [eap] = handled
(6)  } #  authenticate = handled
Sending Access-Challenge Id 50 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x0107002b19001703010020e7dc197b9d445951f885b9272c9920eb0ccf2022d8dc5b84adb3
7eda224b2039
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f4d4526dba0219098c99f6b0
(6) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 51 from 192.168.60.1:1024 to 192.168.50.62:1812
length 273
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x020700501900170301002035445b3148809e34a209ba4306150164c5972e03971a54a84a67
0e2444b4d81317030100200963d2867e367f7d0e82be8adad08264b5e0a0a5cb6c3060ea1c27
cb44f9cef2
        State = 0xf2d34be6f4d4526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0x338da1d3c7e5c75bba182f7efefd8c31
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7)   authorize {
(7)   [preprocess] = ok
(7)   [chap] = noop
(7)   [mschap] = noop
(7)   [digest] = noop
(7) suffix : No '@' in User-Name = "juan", looking up realm NULL
(7) suffix : No such realm "NULL"
(7)   [suffix] = noop
(7) eap : EAP packet type response id 7 length 80
(7) eap : Continuing tunnel setup.
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   authenticate {
(7) eap : Expiring EAP session with state 0xf2d34be6f4d4526d
(7) eap : Finished EAP session with state 0xf2d34be6f4d4526d
(7) eap : Previous EAP request found for state 0xf2d34be6f4d4526d, released
from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established.  Decoding tunneled attributes.
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - juan
(7) eap_peap : Got inner identity 'juan'
(7) eap_peap : Setting default EAP type for tunneled EAP session.
(7) eap_peap : Got tunneled request
        EAP-Message = 0x02070009016a75616e
server default {
(7) eap_peap : Setting User-Name to juan
Sending tunneled request
        EAP-Message = 0x02070009016a75616e
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'juan'
server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7)   authorize {
(7)   [chap] = noop
(7)   [mschap] = noop
(7) suffix : No '@' in User-Name = "juan", looking up realm NULL
(7) suffix : No such realm "NULL"
(7)   [suffix] = noop
(7)   update control {
(7)     Proxy-To-Realm := 'LOCAL'
(7)   } # update control = noop
(7) eap : EAP packet type response id 7 length 9
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7)   [eap] = ok
(7)  } #  authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7)   authenticate {
(7) eap : Peer sent Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0x0cb2efe70cbaf5a7
(7)   [eap] = handled
(7)  } #  authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
        EAP-Message =
0x0108001e1a0108001910efc88c501c83e7d1122c97cc3931a3466a75616e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0cb2efe70cbaf5a7fe78397182ecc493
(7) eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message =
0x0108001e1a0108001910efc88c501c83e7d1122c97cc3931a3466a75616e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0cb2efe70cbaf5a7fe78397182ecc493
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6f5db526d
(7)   [eap] = handled
(7)  } #  authenticate = handled
Sending Access-Challenge Id 51 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x0108003b19001703010030c259dc6418a48f52880c52b4e53a9fd571e709543aea2228628e
ed46695d0cb3edf2b15afcf810ff06db7fe5dafaa79b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6f5db526dba0219098c99f6b0
(7) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 52 from 192.168.60.1:1024 to 192.168.50.62:1812
length 321
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x0208008019001703010020ca2297ddcdb80ca5c658810c20a1048a3b1fd4fda09e2586f096
e0c3c0ec1b8017030100500c5e41e36b65952fcc24d98040ba5b13bc777f27d94d75587bccda
c9eae340d3ff56e5a80e44401b1b84f06048231da6d4de6c190653500f3ad3351748758ea14b
43868b6934d83b77e01bde5d27bf81
        State = 0xf2d34be6f5db526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0xf005c1e2521b44d4635ea6f72e096598
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8)   authorize {
(8)   [preprocess] = ok
(8)   [chap] = noop
(8)   [mschap] = noop
(8)   [digest] = noop
(8) suffix : No '@' in User-Name = "juan", looking up realm NULL
(8) suffix : No such realm "NULL"
(8)   [suffix] = noop
(8) eap : EAP packet type response id 8 length 128
(8) eap : Continuing tunnel setup.
(8)   [eap] = ok
(8)  } #  authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x0cb2efe70cbaf5a7
(8) eap : Finished EAP session with state 0xf2d34be6f5db526d
(8) eap : Previous EAP request found for state 0xf2d34be6f5db526d, released
from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established.  Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
        EAP-Message =
0x0208003f1a0208003a311405263ba16d3386f4c29edb366bd1140000000000000000312202
cc3292cab89b43f145649092513174d1ee90e90224006a75616e
server default {
(8) eap_peap : Setting User-Name to juan
Sending tunneled request
        EAP-Message =
0x0208003f1a0208003a311405263ba16d3386f4c29edb366bd1140000000000000000312202
cc3292cab89b43f145649092513174d1ee90e90224006a75616e
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'juan'
        State = 0x0cb2efe70cbaf5a7fe78397182ecc493
server inner-tunnel {
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(8)   authorize {
(8)   [chap] = noop
(8)   [mschap] = noop
(8) suffix : No '@' in User-Name = "juan", looking up realm NULL
(8) suffix : No such realm "NULL"
(8)   [suffix] = noop
(8)   update control {
(8)     Proxy-To-Realm := 'LOCAL'
(8)   } # update control = noop
(8) eap : EAP packet type response id 8 length 63
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8)   [eap] = updated
(8)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap :    --> (uid=juan)
(8) ldap : EXPAND dc=ejemplo,dc=org
(8) ldap :    --> dc=ejemplo,dc=org
(8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(8) ldap : Waiting for search result...
(8) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(8) ldap : No cacheable group memberships found in user object
(8) ldap : EXPAND
(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(8) ldap :    -->
(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl
o\2cdc\3dorg))
(8) ldap : EXPAND dc=ejemplo,dc=org
(8) ldap :    --> dc=ejemplo,dc=org
(8) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp
lo\2cdc\3dorg))', scope 'sub'
(8) ldap : Waiting for search result...
(8) ldap : Added control:Ldap-Group with value "profesores"
(8) ldap : Processing user attributes
(8) ldap :      control:Password-With-Header += ''1234''
rlm_ldap (ldap): Released connection (4)
(8)   [ldap] = ok
(8)   foreach &control:LDAP-Group
(8)    update outer.reply {
(8) EXPAND %{Foreach-Variable-0}
(8)    --> profesores
(8)     &Ruckus-User-Groups += '"profesores"'
(8)    } # update outer.reply = noop
(8)   } # foreach &control:LDAP-Group = noop
(8)   [expiration] = noop
(8)   [logintime] = noop
(8) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(8) WARNING: pap : Auth-Type already set.  Not setting to PAP
(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8)   authenticate {
(8) eap : Expiring EAP session with state 0x0cb2efe70cbaf5a7
(8) eap : Finished EAP session with state 0x0cb2efe70cbaf5a7
(8) eap : Previous EAP request found for state 0x0cb2efe70cbaf5a7, released
from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 :  Auth-Type MS-CHAP {
(8) mschap : Found Cleartext-Password, hashing to create LM-Password
(8) mschap : Found Cleartext-Password, hashing to create NT-Password
(8) mschap : Creating challenge hash with username: juan
(8) mschap : Client is using MS-CHAPv2
(8) mschap : Adding MS-CHAPv2 MPPE keys
(8)   [mschap] = ok
(8)  } # Auth-Type MS-CHAP = ok
MSCHAP Success
(8) eap : New EAP session, adding 'State' attribute to reply
0x0cb2efe70dbbf5a7
(8)   [eap] = handled
(8)  } #  authenticate = handled
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 11
        EAP-Message =
0x010900331a0308002e533d4338424430343744353931323244333545373631353142433444
3743434346364534423341423236
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0cb2efe70dbbf5a7fe78397182ecc493
(8) eap_peap : Got tunneled reply RADIUS code 11
        EAP-Message =
0x010900331a0308002e533d4338424430343744353931323244333545373631353142433444
3743434346364534423341423236
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0cb2efe70dbbf5a7fe78397182ecc493
(8) eap_peap : Got tunneled Access-Challenge
(8) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6fada526d
(8)   [eap] = handled
(8)  } #  authenticate = handled
Sending Access-Challenge Id 52 from 192.168.50.62:1812 to 192.168.60.1:1024
        Ruckus-User-Groups += 'profesores'
        EAP-Message =
0x0109005b190017030100501c6001565f58ad0148f0cde072e0eae03b6306c874c55d5c9599
d8581a68807b0ce0e02d471ccd40e82e99a7e9c93f8ed779ec42c3e802db9089ddbb64be4e0a
3317fb3a595a98ef1aafb878b93314c3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6fada526dba0219098c99f6b0
(8) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 53 from 192.168.60.1:1024 to 192.168.50.62:1812
length 273
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x0209005019001703010020ff5990044103107d4c1c6c0dcfd1592042bb616688995c8dd577
80afdee5290717030100206a03608ba19931e3be1f213f3f662169139b78345f3ae82edd9517
c9ac069de1
        State = 0xf2d34be6fada526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0xa33a0c467259057dfa7938db9d7983eb
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(9)   authorize {
(9)   [preprocess] = ok
(9)   [chap] = noop
(9)   [mschap] = noop
(9)   [digest] = noop
(9) suffix : No '@' in User-Name = "juan", looking up realm NULL
(9) suffix : No such realm "NULL"
(9)   [suffix] = noop
(9) eap : EAP packet type response id 9 length 80
(9) eap : Continuing tunnel setup.
(9)   [eap] = ok
(9)  } #  authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   authenticate {
(9) eap : Expiring EAP session with state 0x0cb2efe70dbbf5a7
(9) eap : Finished EAP session with state 0xf2d34be6fada526d
(9) eap : Previous EAP request found for state 0xf2d34be6fada526d, released
from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established.  Decoding tunneled attributes.
(9) eap_peap : Peap state phase2
(9) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : Got tunneled request
        EAP-Message = 0x020900061a03
server default {
(9) eap_peap : Setting User-Name to juan
Sending tunneled request
        EAP-Message = 0x020900061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = 'juan'
        State = 0x0cb2efe70dbbf5a7fe78397182ecc493
server inner-tunnel {
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(9)   authorize {
(9)   [chap] = noop
(9)   [mschap] = noop
(9) suffix : No '@' in User-Name = "juan", looking up realm NULL
(9) suffix : No such realm "NULL"
(9)   [suffix] = noop
(9)   update control {
(9)     Proxy-To-Realm := 'LOCAL'
(9)   } # update control = noop
(9) eap : EAP packet type response id 9 length 6
(9) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(9)   [eap] = ok
(9)  } #  authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(9)   authenticate {
(9) eap : Expiring EAP session with state 0x0cb2efe70dbbf5a7
(9) eap : Finished EAP session with state 0x0cb2efe70dbbf5a7
(9) eap : Previous EAP request found for state 0x0cb2efe70dbbf5a7, released
from the list
(9) eap : Peer sent MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap : Freeing handler
(9)   [eap] = ok
(9)  } #  authenticate = ok
(9) # Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
(9)  (null) post-auth { ... } # empty sub-section is ignored
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
        MS-MPPE-Send-Key = 0xafb88407094b01fc005b3597058d8598
        MS-MPPE-Recv-Key = 0x642cb4e62dc038e3896c5d673858b38c
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
(9) eap_peap : Got tunneled reply RADIUS code 2
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
        MS-MPPE-Send-Key = 0xafb88407094b01fc005b3597058d8598
        MS-MPPE-Recv-Key = 0x642cb4e62dc038e3896c5d673858b38c
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
(9) eap_peap : Tunneled authentication was successful.
(9) eap_peap : SUCCESS
(9) eap : New EAP session, adding 'State' attribute to reply
0xf2d34be6fbd9526d
(9)   [eap] = handled
(9)  } #  authenticate = handled
Sending Access-Challenge Id 53 from 192.168.50.62:1812 to 192.168.60.1:1024
        EAP-Message =
0x010a002b1900170301002059aab1d6a4c6ab0a57f24096d6d0aa80e9662d6a63ac66e96db8
a524d2085cc8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2d34be6fbd9526dba0219098c99f6b0
(9) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 54 from 192.168.60.1:1024 to 192.168.50.62:1812
length 273
        User-Name = 'juan'
        Calling-Station-Id = '60-BE-B5-98-BA-0B'
        NAS-IP-Address = 192.168.60.1
        NAS-Port = 1
        Called-Station-Id = '2C-E6-CC-5A-3E-58:ALUMNOS'
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = '2C-E6-CC-5A-3E-58'
        Connect-Info = 'CONNECT 802.11g/n'
        EAP-Message =
0x020a005019001703010020bc5b6012ba4c6d4926636f89412299e03018b666ab58139c884e
1d8e301ad05617030100200b70dae1f629e3833f6be835eda0d221b722c8a2f4b347f3425229
f9cb872647
        State = 0xf2d34be6fbd9526dba0219098c99f6b0
        Attr-26.25053.3 = 0x414c554d4e4f53
        Message-Authenticator = 0xdd12a7edfa22a09e90d59aba01b16498
(10) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(10)   authorize {
(10)   [preprocess] = ok
(10)   [chap] = noop
(10)   [mschap] = noop
(10)   [digest] = noop
(10) suffix : No '@' in User-Name = "juan", looking up realm NULL
(10) suffix : No such realm "NULL"
(10)   [suffix] = noop
(10) eap : EAP packet type response id 10 length 80
(10) eap : Continuing tunnel setup.
(10)   [eap] = ok
(10)  } #  authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10)   authenticate {
(10) eap : Expiring EAP session with state 0xf2d34be6fbd9526d
(10) eap : Finished EAP session with state 0xf2d34be6fbd9526d
(10) eap : Previous EAP request found for state 0xf2d34be6fbd9526d, released
from the list
(10) eap : Peer sent PEAP (25)
(10) eap : EAP PEAP (25)
(10) eap : Calling eap_peap to process EAP data
(10) eap_peap : processing EAP-TLS
(10) eap_peap : eaptls_verify returned 7
(10) eap_peap : Done initial handshake
(10) eap_peap : eaptls_process returned 7
(10) eap_peap : FR_TLS_OK
(10) eap_peap : Session established.  Decoding tunneled attributes.
(10) eap_peap : Peap state send tlv success
(10) eap_peap : Received EAP-TLV response.
(10) eap_peap : Success
(10) WARNING: eap_peap : No information to cache: session caching will be
disabled for session
2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd
  SSL: Removing session
2a6565d47da8be010096c76ce138e64f1b9093d86ff4ebbf83fd0676ff503bcd from the
cache
(10) eap : Freeing handler
(10)   [eap] = ok
(10)  } #  authenticate = ok
(10) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(10)   post-auth {
(10) ldap : EXPAND .
(10) ldap :    --> .
(10) ldap : EXPAND Authenticated at %S
(10) ldap :    --> Authenticated at 2014-05-20 03:47:48
rlm_ldap (ldap): Reserved connection (4)
(10) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(10) ldap :    --> (uid=juan)
(10) ldap : EXPAND dc=ejemplo,dc=org
(10) ldap :    --> dc=ejemplo,dc=org
(10) ldap : Performing search in 'dc=ejemplo,dc=org' with filter
'(uid=juan)', scope 'sub'
(10) ldap : Waiting for search result...
(10) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(10) ldap : Modifying object with DN
"uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(10) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (4)
(10)   [ldap] = ok
(10)   foreach &control:LDAP-Group {
(10)   } # foreach &control:LDAP-Group = noop
(10)   [exec] = noop
(10)   remove_reply_message_if_eap remove_reply_message_if_eap {
(10)     if (reply:EAP-Message && reply:Reply-Message)
(10)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(10)    else else {
(10)     [noop] = noop
(10)    } # else else = noop
(10)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10)  } #  post-auth = ok
Sending Access-Accept Id 54 from 192.168.50.62:1812 to 192.168.60.1:1024
        MS-MPPE-Recv-Key =
0x82502acb1a755aa3a2eba98e23e3f5796ccab96d124ff6198b32c78859edc7da
        MS-MPPE-Send-Key =
0x759dee2ef53c1423c8bd1d6412ab31963a14690b756a64237315aa0e8e3aa94f
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'juan'
(10) Finished request
Waking up in 0.1 seconds.
Waking up in 4.5 seconds.
(0) Cleaning up request packet ID 44 with timestamp +5
(1) Cleaning up request packet ID 45 with timestamp +5
(2) Cleaning up request packet ID 46 with timestamp +5
(3) Cleaning up request packet ID 47 with timestamp +5
(4) Cleaning up request packet ID 48 with timestamp +5
(5) Cleaning up request packet ID 49 with timestamp +5
(6) Cleaning up request packet ID 50 with timestamp +5
(7) Cleaning up request packet ID 51 with timestamp +5
(8) Cleaning up request packet ID 52 with timestamp +5
(9) Cleaning up request packet ID 53 with timestamp +5
(10) Cleaning up request packet ID 54 with timestamp +5
Ready to process requests.


