Setting PEAP Method and Inner-tunnel virtual server

Hangi Christian hangi_chris at hotmail.com
Wed Mar 12 07:31:13 CET 2014


Thank you so much for your help. I used the chmod 
command on the root user to allow the permission and I used the testing 
user command as a regular user in the debugging mode and it worked. 


But, I tried to test all the protocols, they are working in the default 
testing. I tried to set only EAP PEAP-MSCHAPv2 method by commenting out
all the other EAP methods except EAP-TLS and EAP-TTLS, and setting 
default_eap_type = peap. I also changed the
password from cleartext into something like this ** " testing"  
User-password = "P at ssw0rd "**  

 But I don't know how to configure the inner-tunnel virtual server 
inside the sites-enabled in order to allow 802.1x authentication.


When I tried to test without configuring the inner-tunnel virtual server, I got this:

rad_recv: Access-Request packet from host 127.0.0.1 port 55247, id=123, length=77


    User-Name = "testing"


    User-Password = "P at ssw0rd"


    NAS-IP-Address = 192.168.9.27


    NAS-Port = 0


    Message-Authenticator = 0x42afe3cc71c80db704cb5b4d6f915c1e


server inner-tunnel {


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel


+group authorize {


++[chap] = noop


++[mschap] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


++update control {


++} # update control = noop


[eap] No EAP-Message, not doing EAP


++[eap] = noop


WARNING: Found User-Password == "...".


WARNING: Are you sure you don't mean Cleartext-Password?


WARNING: See "man rlm_pap" for more information.


[files] users: Matched entry testing at line 51


[files]     expand: Hello,%{User-Name} -> Hello,testing


++[files] = ok


++[expiration] = noop


++[logintime] = noop


++[pap] = noop


+} # group authorize = ok


ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user


Failed to authenticate the user.


} # server inner-tunnel


Using Post-Auth-Type REJECT


# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel


+group REJECT {


[attr_filter.access_reject]     expand: %{User-Name} -> testing


attr_filter: Matched entry DEFAULT at line 11


++[attr_filter.access_reject] = updated


+} # group REJECT = updated


Delaying reject of request 0 for 1 seconds


Going to the next request


Waking up in 0.9 seconds.


Sending delayed reject for request 0


Sending Access-Reject of id 123 to 127.0.0.1 port 55247


    Reply-Message = "Hello,testing"


Waking up in 4.9 seconds.


Cleaning up request 0 ID 123 with timestamp +16


Ready to process requests.

I tried to test the PEAP method using the jradius simulator and I got this:

Going to the next request


Waking up in 0.9 seconds.


Sending delayed reject for request 0


Sending Access-Reject of id 123 to 127.0.0.1 port 55247


    Reply-Message = "Hello,testing"


Waking up in 4.9 seconds.


Cleaning up request 0 ID 123 with timestamp +16


Ready to process requests.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=2, length=73


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    EAP-Message = 0x0200000c0174657374696e67


    Message-Authenticator = 0x3cc3c953e07cc82b12dc94c65102acd1


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 0 length 12


[eap] No EAP Start, assuming it's an on-going EAP conversation


++[eap] = updated


++[unix] = notfound


WARNING: Found User-Password == "...".


WARNING: Are you sure you don't mean Cleartext-Password?


WARNING: See "man rlm_pap" for more information.


[files] users: Matched entry testing at line 51


[files]     expand: Hello,%{User-Name} -> Hello,testing


++[files] = ok


++[expiration] = noop


++[logintime] = noop


[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.


++[pap] = noop


+} # group authorize = updated


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] EAP Identity


[eap] processing type tls


[tls] Initiate


[tls] Start returned 1


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 2 to 127.0.0.1 port 47000


    Reply-Message = "Hello,testing"


    EAP-Message = 0x010100061920


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028cf4db9debca7c7b78161462f


Finished request 1.


Going to the next request


Waking up in 4.9 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=3, length=151


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028cf4db9debca7c7b78161462f


    EAP-Message = 
0x020100481900160301003d010000390301531ff150fa7d236ea125d229a2f796c081b24c29d4b8fd319c253f294bec4dfd0000120039003800330032001600130035002f000a0100


    Message-Authenticator = 0xe3826c6167a24627480ce56fbd6769a0


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 1 length 72


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] eaptls_verify returned 7 


[peap] Done initial handshake


[peap]     (other): before/accept initialization


[peap]     TLS_accept: before/accept initialization


[peap] <<< TLS 1.0 Handshake [length 003d], ClientHello  


[peap]     TLS_accept: SSLv3 read client hello A


[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  


[peap]     TLS_accept: SSLv3 write server hello A


[peap] >>> TLS 1.0 Handshake [length 08d0], Certificate  


[peap]     TLS_accept: SSLv3 write certificate A


[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  


[peap]     TLS_accept: SSLv3 write key exchange A


[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  


[peap]     TLS_accept: SSLv3 write server done A


[peap]     TLS_accept: SSLv3 flush data


[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A


In SSL Handshake Phase 


In SSL Accept mode  


[peap] eaptls_process returned 13 


[peap] EAPTLS_HANDLED


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 3 to 127.0.0.1 port 47000


    EAP-Message = 
0x2e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100d7f9a17398b726d5861c69fb1425fc06ec2ced7f2a22b411d42c03275ac249d7236d84bcdf767616edd9c1b15aadbe57aa8c9c9a0350e998066a9407bbd9c7ede47f1020b4115429bc60dec66afc0a1db3def7cd5b2bc8423fc950f7db57a682999127e2abda907ebb7a8b3b040e1296840bce6847fd44e3263d1399b3f85129313e5c4405f287488035e2df63840f2833398d80c68b4c13e328f46af697946722924e1546254ad9d8a4387bbe348d010f147e9c59a4a1258944f07d8351b28b7ed7e7eef81522158fe7ae14aa39


    EAP-Message = 0x680bc8b86dc2911707736c66


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028ce4eb9debca7c7b78161462f


Finished request 2.


Going to the next request


Waking up in 4.9 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=4, length=85


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028ce4eb9debca7c7b78161462f


    EAP-Message = 0x020200061900


    Message-Authenticator = 0xd8c05c3b9c781d52ed7b93d2d7e5f299


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 2 length 6


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] Received TLS ACK


[peap] ACK handshake fragment handler


[peap] eaptls_verify returned 1 


[peap] eaptls_process returned 13 


[peap] EAPTLS_HANDLED


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 4 to 127.0.0.1 port 47000


    EAP-Message = 0x616d706c655f6361


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028cd4fb9debca7c7b78161462f


Finished request 3.


Going to the next request


Waking up in 4.9 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=5, length=85


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028cd4fb9debca7c7b78161462f


    EAP-Message = 0x020300061900


    Message-Authenticator = 0xb79350a495b09dc0b764088a6e733871


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 3 length 6


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] Received TLS ACK


[peap] ACK handshake fragment handler


[peap] eaptls_verify returned 1 


[peap] eaptls_process returned 13 


[peap] EAPTLS_HANDLED


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 5 to 127.0.0.1 port 47000


    EAP-Message = 
0x75d5d456af23cdd69bc61243b41168d572cabf8768a2780054e9949c1cb9bf222692af5cd4e08a19acba977d1671098c9131876d1b30fefa1816030100040e000000


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028cc48b9debca7c7b78161462f


Finished request 4.


Going to the next request


Waking up in 4.9 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=6, length=315


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028cc48b9debca7c7b78161462f


    EAP-Message = 
0x020400ec19001603010086100000820080a77f24ad2050e6bd07cbbef0f616a25dc4d4022a5a8ff6e4f0a4aa13254ed96e6d343ea6c9e92f8905f1889d772e5e85e966b0e0d4c510d1eb9e9105dc8beb84c2f56e9723994de83325df2017edbf1cdd8ec6da78f3403b9dcd3e29a794d5d091d321f9bc435b87a880cff4d730cfd8bd8c7000c0d4cdc452799ad8968dc4541403010001011603010050c491f1ada3008208f04f195129505068ddeb05f6f2b1d9e6bfd8e309f143be46cb9d9668d481f23d7a80c3c99485d2ab8180df3dbf52b8e3af67465835f446620d1f13735fa3f83850591a3947be7655


    Message-Authenticator = 0x86eb2811521a1551f40507327ff12743


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 4 length 236


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] eaptls_verify returned 7 


[peap] Done initial handshake


[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  


[peap]     TLS_accept: SSLv3 read client key exchange A


[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  


[peap] <<< TLS 1.0 Handshake [length 0010], Finished  


[peap]     TLS_accept: SSLv3 read finished A


[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  


[peap]     TLS_accept: SSLv3 write change cipher spec A


[peap] >>> TLS 1.0 Handshake [length 0010], Finished  


[peap]     TLS_accept: SSLv3 write finished A


[peap]     TLS_accept: SSLv3 flush data


[peap]     (other): SSL negotiation finished successfully


SSL Connection Established 


[peap] eaptls_process returned 13 


[peap] EAPTLS_HANDLED


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 6 to 127.0.0.1 port 47000


    EAP-Message = 
0x0105004119001403010001011603010030924cb8cd91029f0767c24ee999838826f05fe99d10722855956dae0ff10e6c4ac9bf0e17151503ba04ccba9b09d0e497


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028cb49b9debca7c7b78161462f


Finished request 5.


Going to the next request


Waking up in 4.1 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=7, length=85


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028cb49b9debca7c7b78161462f


    EAP-Message = 0x020500061900


    Message-Authenticator = 0x6cf39e9e692ebc10078a1dea5845477d


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 5 length 6


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] Received TLS ACK


[peap] ACK handshake is finished


[peap] eaptls_verify returned 3 


[peap] eaptls_process returned 3 


[peap] EAPTLS_SUCCESS


[peap] Session established.  Decoding tunneled attributes.


[peap] Peap state TUNNEL ESTABLISHED


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 7 to 127.0.0.1 port 47000


    EAP-Message = 0x0106002b1900170301002057428dfbc1a703902f590dfce56bae6cd5e6c39efca98488f76badf9b0852fa0


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028ca4ab9debca7c7b78161462f


Finished request 6.


Going to the next request


Waking up in 4.1 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=8, length=175


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028ca4ab9debca7c7b78161462f


    EAP-Message = 
0x0206006019001703010020121d5f70b18873c2ce8adc64ee86316d43cc5c587a65cfede3885092292f45621703010030ae623579fca299bdad152eff69c508636ec69ba9fb2c62f443a75d108dae0e2f80a5cfee6ab81fe8ffe3a8e96fccc18e


    Message-Authenticator = 0xea19005096c49a314c145dd25e9c8ec2


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 6 length 96


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] eaptls_verify returned 7 


[peap] Done initial handshake


[peap] eaptls_process returned 7 


[peap] EAPTLS_OK


[peap] Session established.  Decoding tunneled attributes.


[peap] Peap state WAITING FOR INNER IDENTITY


[peap] Identity - testing


[peap] Got inner identity 'testing'


[peap] Setting default EAP type for tunneled EAP session.


[peap] Got tunneled request


    EAP-Message = 0x0206000c0174657374696e67


server  {


[peap] Setting User-Name to testing


Sending tunneled request


    EAP-Message = 0x0206000c0174657374696e67


    FreeRADIUS-Proxied-To = 127.0.0.1


    User-Name = "testing"


server inner-tunnel {


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel


+group authorize {


++[chap] = noop


++[mschap] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


++update control {


++} # update control = noop


[eap] EAP packet type response id 6 length 12


[eap] No EAP Start, assuming it's an on-going EAP conversation


++[eap] = updated


WARNING: Found User-Password == "...".


WARNING: Are you sure you don't mean Cleartext-Password?


WARNING: See "man rlm_pap" for more information.


[files] users: Matched entry testing at line 51


[files]     expand: Hello,%{User-Name} -> Hello,testing


++[files] = ok


++[expiration] = noop


++[logintime] = noop


++[pap] = noop


+} # group authorize = updated


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel


+group authenticate {


[eap] EAP Identity


[eap] No such EAP type mschapv2


[eap] Failed in EAP select


++[eap] = invalid


+} # group authenticate = invalid


Failed to authenticate the user.


Using Post-Auth-Type REJECT


# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel


+group REJECT {


[attr_filter.access_reject]     expand: %{User-Name} -> testing


attr_filter: Matched entry DEFAULT at line 11


++[attr_filter.access_reject] = updated


+} # group REJECT = updated


} # server inner-tunnel


[peap] Got tunneled reply code 3


    Reply-Message = "Hello,testing"


    EAP-Message = 0x04060004


    Message-Authenticator = 0x00000000000000000000000000000000


[peap] Got tunneled reply RADIUS code 3


    Reply-Message = "Hello,testing"


    EAP-Message = 0x04060004


    Message-Authenticator = 0x00000000000000000000000000000000


[peap] Tunneled authentication was rejected.


[peap] FAILURE


++[eap] = handled


+} # group authenticate = handled


Sending Access-Challenge of id 8 to 127.0.0.1 port 47000


    EAP-Message = 0x0107002b1900170301002057077c5e5c4d4c0e362ffe95fff5a33129b376ed00b69e00c99fffcda1428251


    Message-Authenticator = 0x00000000000000000000000000000000


    State = 0xcf4ca028c94bb9debca7c7b78161462f


Finished request 7.


Going to the next request


Waking up in 4.0 seconds.


rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=9, length=175


    User-Name = "testing"


    NAS-Port = 0


    NAS-IP-Address = 127.0.0.1


    State = 0xcf4ca028c94bb9debca7c7b78161462f


    EAP-Message = 
0x0207006019001703010020a0530d6df4bf549909743f057be762457c2b6abd38eb6235375f20a27e93fc851703010030fad2db6536da7f64fcc88f8b2a13970065906d4af2accb08c2d89846de9b30519d192e030afa21f131badbc40cbff6da


    Message-Authenticator = 0xd47ab810fc992cf5a094df676da234a6


# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default


+group authorize {


++[preprocess] = ok


++[chap] = noop


++[mschap] = noop


++[digest] = noop


[suffix] No '@' in User-Name = "testing", looking up realm NULL


[suffix] No such realm "NULL"


++[suffix] = noop


[eap] EAP packet type response id 7 length 96


[eap] Continuing tunnel setup.


++[eap] = ok


+} # group authorize = ok


Found Auth-Type = EAP


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group authenticate {


[eap] Request found, released from the list


[eap] EAP/peap


[eap] processing type peap


[peap] processing EAP-TLS


[peap] eaptls_verify returned 7 


[peap] Done initial handshake


[peap] eaptls_process returned 7 


[peap] EAPTLS_OK


[peap] Session established.  Decoding tunneled attributes.


[peap] Peap state send tlv failure


[peap] Received EAP-TLV response.


[peap]  The users session was previously rejected: returning reject (again.)


[peap]  *** This means you need to read the PREVIOUS messages in the debug output


[peap]  *** to find out the reason why the user was rejected.


[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.


[peap]  *** what went wrong, and how to fix the problem.


[eap] Handler failed in EAP/peap


[eap] Failed in EAP select


++[eap] = invalid


+} # group authenticate = invalid


Failed to authenticate the user.


Using Post-Auth-Type REJECT


# Executing group from file /usr/local/etc/raddb/sites-enabled/default


+group REJECT {


[attr_filter.access_reject]     expand: %{User-Name} -> testing


attr_filter: Matched entry DEFAULT at line 11


++[attr_filter.access_reject] = updated


+} # group REJECT = updated


Delaying reject of request 8 for 1 seconds


Going to the next request


Waking up in 0.9 seconds.


Sending delayed reject for request 8


Sending Access-Reject of id 9 to 127.0.0.1 port 47000


    EAP-Message = 0x04070004


    Message-Authenticator = 0x00000000000000000000000000000000


Waking up in 3.0 seconds.


Cleaning up request 1 ID 2 with timestamp +800


Cleaning up request 2 ID 3 with timestamp +800


Cleaning up request 3 ID 4 with timestamp +800


Cleaning up request 4 ID 5 with timestamp +800


Waking up in 0.8 seconds.


Cleaning up request 5 ID 6 with timestamp +800


Cleaning up request 6 ID 7 with timestamp +800


Cleaning up request 7 ID 8 with timestamp +800


Waking up in 1.0 seconds.


Cleaning up request 8 ID 9 with timestamp +800


Ready to process requests.
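
The server's own advice in the trace above (read the PREVIOUS messages, look for "reject" or "fail") can be applied mechanically. The script below is an added example, not part of the original post and not FreeRADIUS code: it splits `radiusd -X` output into requests, finds the first failure line in each, keeps the lines just before it, and marks requests that only repeat an earlier rejection. The function names and the condensed sample are assumptions made for the illustration.

```python
import re

REQ = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
EXEC = re.compile(r"^# Executing (?:section \w+|group) from file (\S+)")
FAIL = re.compile(r"reject|fail|^ERROR", re.I)  # the words the server says to look for
# Lines that contain those words but only report the outcome, never the cause.
NOISE = re.compile(r"Post-Auth-Type|group REJECT|attr_filter|[Dd]elay\w* reject"
                   r"|Access-Reject|\*\*\*|WARNING")
ECHO = "previously rejected"  # PEAP repeating a verdict reached in an earlier request

# Constructed sample: condensed from the debug output quoted in the post above.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=8, length=175
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
[peap] Got inner identity 'testing'
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
WARNING: Found User-Password == "...".
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[eap] EAP Identity
[eap] No such EAP type mschapv2
[eap] Failed in EAP select
Failed to authenticate the user.
Using Post-Auth-Type REJECT
[peap] Tunneled authentication was rejected.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=9, length=175
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
[peap] Peap state send tlv failure
[peap]  The users session was previously rejected: returning reject (again.)
Sending Access-Reject of id 9 to 127.0.0.1 port 47000
"""

def split_requests(text):
    """Group non-blank debug lines under the rad_recv request they belong to."""
    requests = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = REQ.match(line)
        if m:
            requests.append({"id": int(m.group(1)), "lines": []})
        elif line and requests:
            requests[-1]["lines"].append(line)
    return requests

def triage(text, context=2):
    """Per failed request: first failure line, the lines before it, the site file."""
    findings = []
    for req in split_requests(text):
        site, recent = None, []
        for line in req["lines"]:
            m = EXEC.match(line)
            if m:  # remember which sites-enabled file is being executed
                site = m.group(1).rsplit("/", 1)[-1]
            elif FAIL.search(line) and not NOISE.search(line):
                findings.append({
                    "id": req["id"], "site": site, "failure": line,
                    "context": recent[-context:],
                    "warnings": [l for l in req["lines"] if "WARNING" in l],
                    "echo": any(ECHO in l for l in req["lines"]),
                })
                break
            else:
                recent.append(line)
    return findings

def root_cause(findings):
    """First failure that is not a repeat of an earlier rejection."""
    return next((f for f in findings if not f["echo"]), None)

if __name__ == "__main__":
    print(root_cause(triage(SAMPLE)))
```

On the PEAP trace in the post, the context it surfaces ahead of the first failure is `[eap] No such EAP type mschapv2`, logged while executing sites-enabled/inner-tunnel. That line is the eap module reporting that the inner method requested for the tunneled session is not among the EAP types it has loaded.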





 		 	   		  