Setting PEAP Method and Inner-tunnel virtual server
Hangi Christian
hangi_chris at hotmail.com
Wed Mar 12 07:31:13 CET 2014
Thank you so much for your help. I used the chmod
command on the root user to allow the permission and I used the testing
user command as a regular user in the debugging mode and it worked.
But, I tried to test all the protocols, they are working in the default
testing. I tried to set only EAP PEAP-MSCHAPv2 method by commenting out
all the other EAP methods except EAP-TLS and EAP-TTLS, and setting
default_eap_type = peap. I also changed the
password from cleartext into something like this:
"testing" User-password = "P at ssw0rd"
But I don't know how to configure the inner-tunnel virtual server
inside the sites-enabled in order to allow 802.1x authentication.
When I tried to test without configuring the inner-tunnel virtual server I got this:
rad_recv: Access-Request packet from host 127.0.0.1 port 55247, id=123, length=77
User-Name = "testing"
User-Password = "P at ssw0rd"
NAS-IP-Address = 192.168.9.27
NAS-Port = 0
Message-Authenticator = 0x42afe3cc71c80db704cb5b4d6f915c1e
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry testing at line 51
[files] expand: Hello,%{User-Name} -> Hello,testing
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 123 to 127.0.0.1 port 55247
Reply-Message = "Hello,testing"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 123 with timestamp +16
Ready to process requests.
I tried to test the PEAP method using the JRadius simulator and I got this:
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 123 to 127.0.0.1 port 55247
Reply-Message = "Hello,testing"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 123 with timestamp +16
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=2, length=73
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
EAP-Message = 0x0200000c0174657374696e67
Message-Authenticator = 0x3cc3c953e07cc82b12dc94c65102acd1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[unix] = notfound
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry testing at line 51
[files] expand: Hello,%{User-Name} -> Hello,testing
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 47000
Reply-Message = "Hello,testing"
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028cf4db9debca7c7b78161462f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=3, length=151
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028cf4db9debca7c7b78161462f
EAP-Message =
0x020100481900160301003d010000390301531ff150fa7d236ea125d229a2f796c081b24c29d4b8fd319c253f294bec4dfd0000120039003800330032001600130035002f000a0100
Message-Authenticator = 0xe3826c6167a24627480ce56fbd6769a0
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 72
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 003d], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 08d0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 47000
EAP-Message = 0x680bc8b86dc2911707736c66
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028ce4eb9debca7c7b78161462f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=4, length=85
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028ce4eb9debca7c7b78161462f
EAP-Message = 0x020200061900
Message-Authenticator = 0xd8c05c3b9c781d52ed7b93d2d7e5f299
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 47000
EAP-Message =
0x6091744a8a2cf21a400b59a98250e0097f78c4f7eb5359a896c83856df1239276c4984ed013d5083dfc1f54dbe83082bfca40f48542185e58b53a68c2278b86523dd381d94afc91f584a9471dd84d1582a2c5ae2a59a15c291cfb885c37dedaacd9e0d8582c629cbf7df7a1ae856e776c039d75bdc388105e0e7f881360e1c1deb7c161ef4dd374dc14250813390f4f75cc47c2b675098927890b9d73231ab79cf492ba86b7e4901a29ea1c406a89505622c378939677bd76cf58a49e3fa442ab2093278776958f3370203010001a382013430820130301d0603551d0e0416041432ea5b0d0283f7fe235134d0055fca1822af60a93081c80603551d23
EAP-Message = 0x616d706c655f6361
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028cd4fb9debca7c7b78161462f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=5, length=85
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028cd4fb9debca7c7b78161462f
EAP-Message = 0x020300061900
Message-Authenticator = 0xb79350a495b09dc0b764088a6e733871
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 47000
EAP-Message =
0x7a7a633cb797174fe44470f989dd72a3e9783c745df5cf318e3e84bd246d11d900160301020d0c0002090080a8f0e70aef23c507c30ad6cb681afb5153bfc1417fbe2b4b6ccd4898760c984564b5308bacd50cdcc3ee5e9ddf84cf6047239302a988c35b1c78f6da77b18e079216b679e618fff798faaec47a25ed37480f74dd76d8cbd125384fed51b31efa6ff0feb3e8de9f387c2ee7cc313d2de8ae2e67b01605e9b019720135e9685b5b000102008025814b22830831f6716e74da15ba9866e69b7f29a54fafff0bdeeb38cadbbab1ffb7d1ccc326a9f7b3e5d7c12b446fd44e09c5294b9d2dbaa0273d82358d97297e176d5c8d5ce98fd52aa9a8
EAP-Message =
0x75d5d456af23cdd69bc61243b41168d572cabf8768a2780054e9949c1cb9bf222692af5cd4e08a19acba977d1671098c9131876d1b30fefa1816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028cc48b9debca7c7b78161462f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=6, length=315
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028cc48b9debca7c7b78161462f
EAP-Message =
0x020400ec19001603010086100000820080a77f24ad2050e6bd07cbbef0f616a25dc4d4022a5a8ff6e4f0a4aa13254ed96e6d343ea6c9e92f8905f1889d772e5e85e966b0e0d4c510d1eb9e9105dc8beb84c2f56e9723994de83325df2017edbf1cdd8ec6da78f3403b9dcd3e29a794d5d091d321f9bc435b87a880cff4d730cfd8bd8c7000c0d4cdc452799ad8968dc4541403010001011603010050c491f1ada3008208f04f195129505068ddeb05f6f2b1d9e6bfd8e309f143be46cb9d9668d481f23d7a80c3c99485d2ab8180df3dbf52b8e3af67465835f446620d1f13735fa3f83850591a3947be7655
Message-Authenticator = 0x86eb2811521a1551f40507327ff12743
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 236
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 47000
EAP-Message =
0x0105004119001403010001011603010030924cb8cd91029f0767c24ee999838826f05fe99d10722855956dae0ff10e6c4ac9bf0e17151503ba04ccba9b09d0e497
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028cb49b9debca7c7b78161462f
Finished request 5.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=7, length=85
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028cb49b9debca7c7b78161462f
EAP-Message = 0x020500061900
Message-Authenticator = 0x6cf39e9e692ebc10078a1dea5845477d
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 47000
EAP-Message = 0x0106002b1900170301002057428dfbc1a703902f590dfce56bae6cd5e6c39efca98488f76badf9b0852fa0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028ca4ab9debca7c7b78161462f
Finished request 6.
Going to the next request
Waking up in 4.1 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=8, length=175
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028ca4ab9debca7c7b78161462f
EAP-Message =
0x0206006019001703010020121d5f70b18873c2ce8adc64ee86316d43cc5c587a65cfede3885092292f45621703010030ae623579fca299bdad152eff69c508636ec69ba9fb2c62f443a75d108dae0e2f80a5cfee6ab81fe8ffe3a8e96fccc18e
Message-Authenticator = 0xea19005096c49a314c145dd25e9c8ec2
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testing
[peap] Got inner identity 'testing'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000c0174657374696e67
server {
[peap] Setting User-Name to testing
Sending tunneled request
EAP-Message = 0x0206000c0174657374696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testing"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 6 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[files] users: Matched entry testing at line 51
[files] expand: Hello,%{User-Name} -> Hello,testing
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] No such EAP type mschapv2
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
Reply-Message = "Hello,testing"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
Reply-Message = "Hello,testing"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 47000
EAP-Message = 0x0107002b1900170301002057077c5e5c4d4c0e362ffe95fff5a33129b376ed00b69e00c99fffcda1428251
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf4ca028c94bb9debca7c7b78161462f
Finished request 7.
Going to the next request
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 47000, id=9, length=175
User-Name = "testing"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
State = 0xcf4ca028c94bb9debca7c7b78161462f
EAP-Message =
0x0207006019001703010020a0530d6df4bf549909743f057be762457c2b6abd38eb6235375f20a27e93fc851703010030fad2db6536da7f64fcc88f8b2a13970065906d4af2accb08c2d89846de9b30519d192e030afa21f131badbc40cbff6da
Message-Authenticator = 0xd47ab810fc992cf5a094df676da234a6
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 9 to 127.0.0.1 port 47000
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.0 seconds.
Cleaning up request 1 ID 2 with timestamp +800
Cleaning up request 2 ID 3 with timestamp +800
Cleaning up request 3 ID 4 with timestamp +800
Cleaning up request 4 ID 5 with timestamp +800
Waking up in 0.8 seconds.
Cleaning up request 5 ID 6 with timestamp +800
Cleaning up request 6 ID 7 with timestamp +800
Cleaning up request 7 ID 8 with timestamp +800
Waking up in 1.0 seconds.
Cleaning up request 8 ID 9 with timestamp +800
Ready to process requests.
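
An added example, not part of the original post: a small Python triage of `radiusd -X` output like the above. It tags each warning or failure with the virtual server and section it occurred in and returns the earliest error, following the log's own advice to read the previous messages. The sample lines are excerpted from the output in the post; the function names and finding labels are this example's own.

```python
import re

# Constructed sample: lines excerpted from the debug output in the post above.
SAMPLE = """\
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[eap] = updated
WARNING: Found User-Password == "...".
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] No such EAP type mschapv2
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
[peap] The users session was previously rejected: returning reject (again.)
"""

# Line shapes as they appear in the log above; the labels are this example's own.
EXEC = re.compile(r"^# Executing (?:section \w+|group) from file \S*/sites-enabled/(\S+)")
GROUP_OPEN = re.compile(r"^\+group ([\w-]+) \{")
GROUP_CLOSE = re.compile(r"^\+\} # group ")
CHECKS = [
    ("warning", "user_password_check", re.compile(r"WARNING: Found User-Password ==")),
    ("error", "no_auth_type", re.compile(r"ERROR: No authenticate method \(Auth-Type\) found")),
    ("error", "eap_type_not_loaded", re.compile(r"\[eap\] No such EAP type (\S+)")),
    ("error", "module_failed", re.compile(r"^\+\+\[([\w.]+)\] = (?:invalid|reject|fail)\b")),
]

def triage(log_text):
    """Return findings in log order, tagged with virtual server and section."""
    server = section = None
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if m := EXEC.match(line):
            server = m.group(1)            # file name under sites-enabled/
        elif m := GROUP_OPEN.match(line):
            section = m.group(1)           # authorize, authenticate, REJECT, ...
        elif GROUP_CLOSE.match(line):
            section = None
        else:
            for severity, kind, rx in CHECKS:
                if m := rx.search(line):
                    findings.append({"line": lineno, "server": server, "section": section,
                                     "severity": severity, "kind": kind,
                                     "detail": m.group(1) if m.groups() else None})
                    break
    return findings

def first_error(findings):
    """The earliest error is the one to fix; later rejects only repeat it."""
    return next((f for f in findings if f["severity"] == "error"), None)

if __name__ == "__main__":
    print(first_error(triage(SAMPLE)))
```

On the excerpt the earliest error is the `No such EAP type mschapv2` line in the `authenticate` section of `inner-tunnel`, which concerns the EAP types loaded by the `eap` module rather than the virtual server file itself.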