Fwd: Radius attributes sent in the wrong packet
Jan-Ivar Hansen
hanjan at gmail.com
Wed May 14 11:06:01 CEST 2014
Hi all!
Please excuse me if this is a stupid question, but I'm new to both Linux
and FreeRadius, so please have patience with me :)
I have tried to set up a FreeRadius/daloRadius/MySql to authenticate users
logging on to a Meraki AccessPoint and want to use Radius attributes to
override the VLAN for the user. The authentication part works (EAP), but
the attributes seem to be sent back to the AP in an Access-Challenge
packet, while Meraki needs them to be in the Access-Accept packet. Does
anyone have any suggestions on what I have done wrong since I get this
behaviour?
Below is the Freeradius -X output, but please let me know if there is any
more info I should provide:
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=204,
length=156
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000d016b656e6f6c73656e
Message-Authenticator = 0xd48e676b8975dc40ae0b7df8b5b866de
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> kenolsen
[sql] sql_set_user escaped user --> 'kenolsen'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'kenolsen' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'kenolsen' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'kenolsen'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'ext_kenneth'
ORDER BY id
[sql] User found in group ext_kenneth
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'ext_kenneth'
ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 204 to 10.200.30.210 port 32773
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d897806e31f4b857d445452c2
Finished request 54.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=205,
length=313
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0201009819800000008e1603010089010000850301537328e57ad8721aaca3a6e92b0dfa868dc69e9f05858f21fa893789b2fe20ba00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x89791f5d897806e31f4b857d445452c2
Message-Authenticator = 0x2b88d5e0c5c86dcfdf2b1c4b2e27a56e
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 152
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 142
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0089], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02cc], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 205 to 10.200.30.210 port 32773
EAP-Message =
0x30090603551d1304023000300d06092a864886f70d01010b050003820101002ac1663a6516b752f429fad02eaec1d3eb6c3a346e0c42e809a390d388227558ff65d362bf5551c985abdf3709fd5e6cc5462e3f2df1ebf7eb6cd9e7580f8a47d788bd4b6a9fcb1dcb16c9451659db29e6794cf00cdfd798fff297fcdd1a52597b01ef8c9b463eef515239afe718675cbcc11467fad707e84a965836f78c32dcb49f0f56951a9324193b0f5e3d034d11a714d2d05f7d2169765d2eabc9f4fefed46647a4a949ec29de522c61e0fb3e13c71a344d682f8ea53d52d0108d29c111bdaf08d61b4b12120396125d3669c3dba106a763ff0e80764501f0f630c1
EAP-Message = 0x72a1101e42f39faa95f47a5a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d887b06e31f4b857d445452c2
Finished request 55.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=206,
length=167
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020200061900
State = 0x89791f5d887b06e31f4b857d445452c2
Message-Authenticator = 0x394037ddb3b0fdbf46f42ae3223d445d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 206 to 10.200.30.210 port 32773
EAP-Message =
0x0103007819003732e9439005ca9b383b2a85d0436a86416a80f59fbf23cff4e758bb28b07ef6affd47dae2d117d4610cd53941468ae58ac04790c46df96846a2fe3a5be146588cab8a994df221155ca0a716de3ba5b3eee7f5618946e8286d197e26ee0c4fc8923e2af5e06d0747fb16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d8b7a06e31f4b857d445452c2
Finished request 56.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=207,
length=305
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0203009019800000008616030100461000004241045594ec9c45c56983087ee7f91eaaaefaa65032b687010df247207f6a0cd8005dfa15648f7b7ff91d885851d7f8ee0653653ae7e6b281c4927bd53394496befe7140301000101160301003029a2298cd0bacb7b20b4b1829a7629dd304c854359504524bf4fd6a4813e56b479b0f4ee5496d102d39ffb9703c40189
State = 0x89791f5d8b7a06e31f4b857d445452c2
Message-Authenticator = 0xc50f2f7b4a32a29dda8f343ced424816
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 207 to 10.200.30.210 port 32773
EAP-Message =
0x01040041190014030100010116030100308fe191de88bb7fea6f8ee608099440717fbf95bfcbda0f10edbcdec19613b0bb609f1a046dbcbf60202dca0fb7fbd104
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d8a7d06e31f4b857d445452c2
Finished request 57.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=208,
length=167
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020400061900
State = 0x89791f5d8a7d06e31f4b857d445452c2
Message-Authenticator = 0xcb9d2a18897c7f67f1763c2c11e11a0f
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 208 to 10.200.30.210 port 32773
EAP-Message =
0x0105002b19001703010020d91162c1d81bf6ab6e5d8621dea9fe70392b1202506d88628bc0f14a27aa7918
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d8d7c06e31f4b857d445452c2
Finished request 58.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=209,
length=204
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0205002b19001703010020fa27eeccbbc2bd134e39ae7caba12b8d0f18105d7977c3aff8ab6f988f7726b6
State = 0x89791f5d8d7c06e31f4b857d445452c2
Message-Authenticator = 0xeeb9b317c2e9c14168d5e08e8858071a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - kenolsen
[peap] Got inner identity 'kenolsen'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0205000d016b656e6f6c73656e
server {
[peap] Setting User-Name to kenolsen
Sending tunneled request
EAP-Message = 0x0205000d016b656e6f6c73656e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kenolsen"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 5 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> kenolsen
[sql] sql_set_user escaped user --> 'kenolsen'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'kenolsen' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'kenolsen' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'kenolsen'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'ext_kenneth'
ORDER BY id
[sql] User found in group ext_kenneth
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'ext_kenneth'
ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
EAP-Message =
0x010600221a0106001d10256bbeb94704e7c7167dca04979c1e626b656e6f6c73656e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf91b84c8f91d9eac41ebdf4972430c9b
[peap] Got tunneled reply RADIUS code 11
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
EAP-Message =
0x010600221a0106001d10256bbeb94704e7c7167dca04979c1e626b656e6f6c73656e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf91b84c8f91d9eac41ebdf4972430c9b
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 209 to 10.200.30.210 port 32773
EAP-Message =
0x0106004b1900170301004064907aed054cfeccb100a980d466367158a766137fa38a3068cd4b89bb7ecba7a1b1c77482d4827899cf0ff2145ccfff18987b4c1e92a5268799359040077654
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d8c7f06e31f4b857d445452c2
Finished request 59.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=210,
length=268
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0206006b19001703010060336b6f124c1b571e2aa169389df561909bcfe7039f1f5a03234de50d80091740d49cd8c1e099318e4835407bd6a2071c01b80b6c46dc5e94601079e89d199e4f165c6e809af34374a53cc1c74313f5881138c09aa0eb44614de08c05df47154f
State = 0x89791f5d8c7f06e31f4b857d445452c2
Message-Authenticator = 0x29f944cc1f7f6e54d5a07ba3303542f6
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020600431a0206003e318e2efd553869920b66176b5c5ed263d0000000000000000070b6121e45b577d6fddc595bd0eeac6640904df533a6bee3006b656e6f6c73656e
server {
[peap] Setting User-Name to kenolsen
Sending tunneled request
EAP-Message =
0x020600431a0206003e318e2efd553869920b66176b5c5ed263d0000000000000000070b6121e45b577d6fddc595bd0eeac6640904df533a6bee3006b656e6f6c73656e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kenolsen"
State = 0xf91b84c8f91d9eac41ebdf4972430c9b
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> kenolsen
[sql] sql_set_user escaped user --> 'kenolsen'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'kenolsen' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'kenolsen' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'kenolsen'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'ext_kenneth'
ORDER BY id
[sql] User found in group ext_kenneth
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'ext_kenneth'
ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: kenolsen
[mschap] Told to do MS-CHAPv2 for kenolsen with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
EAP-Message =
0x010700331a0306002e533d36434246424633333039373935433938383538433438363934394637313233344535424545323237
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf91b84c8f81c9eac41ebdf4972430c9b
[peap] Got tunneled reply RADIUS code 11
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
EAP-Message =
0x010700331a0306002e533d36434246424633333039373935433938383538433438363934394637313233344535424545323237
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf91b84c8f81c9eac41ebdf4972430c9b
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 210 to 10.200.30.210 port 32773
EAP-Message =
0x0107005b19001703010050ad29dd793787e29fa7a506c5989bf283b193cff7502e0dd8fd52f5d180c0bc5615c76d86b2bd5e2260dff9ffb2a8aae8b5ff443dd30bff2a9fded9dfe79c9b0296b16d23e23ee6bdebb261ffc64acc65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d8f7e06e31f4b857d445452c2
Finished request 60.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=211,
length=204
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0207002b19001703010020a0b3ebc1fad29d64094462a34bd388d1296a2a1d89c6e32a740f4f0449c1bdd8
State = 0x89791f5d8f7e06e31f4b857d445452c2
Message-Authenticator = 0x8e4244440c13ad3141e4c5d5f38de28d
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700061a03
server {
[peap] Setting User-Name to kenolsen
Sending tunneled request
EAP-Message = 0x020700061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kenolsen"
State = 0xf91b84c8f81c9eac41ebdf4972430c9b
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> kenolsen
[sql] sql_set_user escaped user --> 'kenolsen'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'kenolsen' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'kenolsen' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username = 'kenolsen'
ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'ext_kenneth'
ORDER BY id
[sql] User found in group ext_kenneth
[sql] expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'ext_kenneth'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> kenolsen
[sql] sql_set_user escaped user --> 'kenolsen'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'kenolsen', '',
'Access-Accept', '2014-05-14 10:27:17')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'kenolsen',
'', 'Access-Accept', '2014-05-14 10:27:17')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x292b03d1d71d918f92a7a1c71d3947da
MS-MPPE-Recv-Key = 0x85063f06d1fd87ecf9a50aba1f5de2c1
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "kenolsen"
[peap] Got tunneled reply RADIUS code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x292b03d1d71d918f92a7a1c71d3947da
MS-MPPE-Recv-Key = 0x85063f06d1fd87ecf9a50aba1f5de2c1
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "kenolsen"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 211 to 10.200.30.210 port 32773
EAP-Message =
0x0108002b19001703010020cd3aca9070802ab7d205d353bd0e2a804426053fbf6136b5dbf3d6b501c3123d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x89791f5d8e7106e31f4b857d445452c2
Finished request 61.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=212,
length=204
User-Name = "kenolsen"
NAS-IP-Address = 10.200.30.210
NAS-Port = 0
Called-Station-Id = "00-18-0A-22-81-F0:OIP WiFi"
Calling-Station-Id = "74-E1-B6-BA-72-0C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0208002b19001703010020d04c58c70d255ea291896a91cccaddb422002fa0744b17c8cf87e32e0c64f2e3
State = 0x89791f5d8e7106e31f4b857d445452c2
Message-Authenticator = 0x6719a85861f6424e1e18d6a1fe2bc9c6
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "kenolsen", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> kenolsen
[sql] sql_set_user escaped user --> 'kenolsen'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'kenolsen', '',
'Access-Accept', '2014-05-14 10:27:17')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(username, pass, reply, authdate)
VALUES ( 'kenolsen',
'', 'Access-Accept', '2014-05-14 10:27:17')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 212 to 10.200.30.210 port 32773
MS-MPPE-Recv-Key =
0xf711f46ef6d9c788413cf7c8eed91729daeadf901d63a58c1f89a3d06452eb73
MS-MPPE-Send-Key =
0x0513d5a68982c335ec6b23cb6e805f2bc8e22b03ee0f1bc0bbdc324970f31779
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "kenolsen"
Finished request 62.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 54 ID 204 with timestamp +3210
Cleaning up request 55 ID 205 with timestamp +3210
Cleaning up request 56 ID 206 with timestamp +3210
Cleaning up request 57 ID 207 with timestamp +3210
Cleaning up request 58 ID 208 with timestamp +3210
Cleaning up request 59 ID 209 with timestamp +3210
Cleaning up request 60 ID 210 with timestamp +3210
Cleaning up request 61 ID 211 with timestamp +3210
Cleaning up request 62 ID 212 with timestamp +3210
Ready to process requests.
Regards
Jan-Ivar
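
Added example, not part of the original post and not FreeRADIUS code: a small Python checker that reads `radiusd -X` output like the above and reports which outgoing reply carries the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id). The function names are hypothetical, and the sample is abridged from the post's log with the long hex values shortened.

```python
import re

# "Sending Access-Challenge of id 204 to 10.200.30.210 port 32773"
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
# "Tunnel-Type:0 = VLAN", "Filter-Id = "ext_kenneth"", "EAP-Message ="
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*(?::\d+)?)\s*=\s*(.*)$")

# Attributes an access point needs in the final reply to assign a VLAN.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

# Constructed sample: abridged from the debug output in the post.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 204 to 10.200.30.210 port 32773
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1074"
Tunnel-Type:0 = VLAN
Filter-Id = "ext_kenneth"
EAP-Message = 0x010100061920
State = 0x89791f5d897806e31f4b857d445452c2
Finished request 54.
rad_recv: Access-Request packet from host 10.200.30.210 port 32773, id=205,
length=313
User-Name = "kenolsen"
Sending Access-Challenge of id 211 to 10.200.30.210 port 32773
EAP-Message =
0x0108002b19
State = 0x89791f5d8e7106e31f4b857d445452c2
Finished request 61.
Sending Access-Accept of id 212 to 10.200.30.210 port 32773
EAP-Message = 0x03080004
User-Name = "kenolsen"
Finished request 62.
"""


def parse_replies(debug_text):
    """Return one dict per 'Sending Access-*' block with its attributes."""
    replies, current, pending = [], None, None
    for raw in debug_text.splitlines():
        line = raw.strip()
        sent = SEND_RE.match(line)
        if sent:
            current = {"type": sent.group(1), "id": int(sent.group(2)), "attrs": {}}
            replies.append(current)
            pending = None
            continue
        if current is None:
            continue  # request attributes and module trace are ignored
        attr = ATTR_RE.match(line)
        if attr:
            name = attr.group(1).split(":")[0]  # drop the ":0" tunnel tag
            value = attr.group(2).strip().strip('"')
            # Repeated attributes (e.g. EAP-Message fragments) keep the last value.
            current["attrs"][name] = value
            # Mail clients wrap long values onto the next line.
            pending = name if value == "" else None
        elif pending and line:
            current["attrs"][pending] = line
            pending = None
        else:
            current, pending = None, None  # first non-attribute line ends the block
    return replies


def audit_vlan_placement(replies):
    """Flag VLAN attributes in non-final replies and Accepts that lack them."""
    findings = []
    for reply in replies:
        present = [a for a in VLAN_ATTRS if a in reply["attrs"]]
        if reply["type"] == "Access-Accept":
            missing = [a for a in VLAN_ATTRS if a not in reply["attrs"]]
            if missing:
                findings.append((reply["id"], reply["type"], "missing", missing))
        elif present:
            findings.append((reply["id"], reply["type"], "unexpected", present))
    return findings


if __name__ == "__main__":
    for packet_id, packet_type, problem, attrs in audit_vlan_placement(
        parse_replies(SAMPLE_DEBUG)
    ):
        print(f"id {packet_id} {packet_type}: {problem} {', '.join(attrs)}")
```

Run against the full log, it should single out the Access-Challenge of id 204 as the only reply sent to the AP with the Tunnel-* attributes, and the Access-Accept of id 212 as lacking them.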