Windows 8 clients can not authenticate with EAP-TTLS and PAP
Cristian Munera
cmunera at netmask.co
Tue Aug 11 18:23:52 CEST 2015
Hello,
This is my first time posting here, so sorry if something is wrong, and sorry for my English too.
I have configured freeradius V3.0.4 on CentOS 7 for authenticating with MAC address and an LDAP server, using EAP-TTLS with PAP. One week ago all the clients (Windows 7, Windows 8, Ubuntu, Android) were able to authenticate without any issues, but in the last day Windows 8 clients cannot authenticate. In the debug (freeradius -X) I can see the server sending an Access-Challenge, but the client never responds with an Access-Request.
This is the output of freeradius -X when the Windows 8 client tries to connect:
Received Access-Request Id 84 from 10.66.146.10:62781 to
10.66.150.52:1812 length 184
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0201000b016a756c696f70
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0x2ae08657e469e194ccbd4e778e519044
(230) Received Access-Request packet from host 10.66.146.10
port 62781, id=84, length=184
(230) User-Name = 'juliop'
(230) NAS-IP-Address = 10.66.146.10
(230) NAS-Port = 0
(230) NAS-Identifier = '10.66.146.10'
(230) NAS-Port-Type = Wireless-802.11
(230) Calling-Station-Id = 'e0ca94e63751'
(230) Called-Station-Id = 'aca31ec60340'
(230) Service-Type = Login-User
(230) Framed-MTU = 1100
(230) EAP-Message = 0x0201000b016a756c696f70
(230) Aruba-Essid-Name = 'riguprov'
(230) Aruba-Location-Id = 'apcdoggerC60340'
(230) Aruba-AP-Group = 'WLCZOO'
(230) Message-Authenticator =
0x2ae08657e469e194ccbd4e778e519044
(230) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(230) authorize {
(230) filter_username filter_username {
(230) if (!&User-Name)
(230) if (!&User-Name) -> FALSE
(230) if (&User-Name =~ / /)
(230) if (&User-Name =~ / /) -> FALSE
(230) if (&User-Name =~ /@.*@/ )
(230) if (&User-Name =~ /@.*@/ ) -> FALSE
(230) if (&User-Name =~ /\\.\\./ )
(230) if (&User-Name =~ /\\.\\./ ) -> FALSE
(230) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/))
(230) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/)) -> FALSE
(230) if (&User-Name =~ /\\.$/)
(230) if (&User-Name =~ /\\.$/) -> FALSE
(230) if (&User-Name =~ /@\\./)
(230) if (&User-Name =~ /@\\./) -> FALSE
(230) } # filter_username filter_username = notfound
(230) [preprocess] = ok
(230) [chap] = noop
(230) [mschap] = noop
(230) rewrite_calling_station_id rewrite_calling_station_id
{
(230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(230) update request {
(230) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(230) --> e0-ca-94-e6-37-51
(230) Calling-Station-Id := "e0-ca-94-e6-37-51"
(230) } # update request = noop
(230) [updated] = updated
(230) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(230) ... skipping else for request 230: Preceding "if"
was taken
(230) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(230) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(230) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(230) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(230) [authorized_macs_rigu] = ok
(230) if (!ok)
(230) if (!ok) -> FALSE
(230) else else {
(230) eap : Peer sent code Response (2) ID 1 length 11
(230) eap : EAP-Identity reply, returning 'ok' so we can
short-circuit the rest of authorize
(230) [eap] = ok
(230) } # else else = ok
(230) [unix] = notfound
(230) [expiration] = noop
(230) [logintime] = noop
(230) WARNING: pap : No "known good" password found for the
user. Not setting Auth-Type
(230) WARNING: pap : Authentication will fail unless a
"known good" password is available
(230) [pap] = noop
(230) if (User-Password)
(230) if (User-Password) -> FALSE
(230) } # authorize = updated
(230) Found Auth-Type = EAP
(230) # Executing group from file /etc/raddb/sites-
enabled/default
(230) authenticate {
(230) eap : Peer sent method Identity (1)
(230) eap : Calling eap_gtc to process EAP data
(230) eap_gtc : EXPAND Password:
(230) eap_gtc : --> Password:
(230) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e045f7973
(230) [eap] = handled
(230) } # authenticate = handled
(230) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=84, length=0
(230) EAP-Message = 0x0102000f0650617373776f72643a20
(230) Message-Authenticator =
0x00000000000000000000000000000000
(230) State = 0x045d7f1e045f79735c746ec40219cffa
Sending Access-Challenge Id 84 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message = 0x0102000f0650617373776f72643a20
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e045f79735c746ec40219cffa
(230) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 85 from 10.66.146.10:62781 to
10.66.150.52:1812 length 197
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020200060315
State = 0x045d7f1e045f79735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xd50b45437d77af44008db8418d48efe9
(231) Received Access-Request packet from host 10.66.146.10
port 62781, id=85, length=197
(231) User-Name = 'juliop'
(231) NAS-IP-Address = 10.66.146.10
(231) NAS-Port = 0
(231) NAS-Identifier = '10.66.146.10'
(231) NAS-Port-Type = Wireless-802.11
(231) Calling-Station-Id = 'e0ca94e63751'
(231) Called-Station-Id = 'aca31ec60340'
(231) Service-Type = Login-User
(231) Framed-MTU = 1100
(231) EAP-Message = 0x020200060315
(231) State = 0x045d7f1e045f79735c746ec40219cffa
(231) Aruba-Essid-Name = 'riguprov'
(231) Aruba-Location-Id = 'apcdoggerC60340'
(231) Aruba-AP-Group = 'WLCZOO'
(231) Message-Authenticator =
0xd50b45437d77af44008db8418d48efe9
(231) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(231) authorize {
(231) filter_username filter_username {
(231) if (!&User-Name)
(231) if (!&User-Name) -> FALSE
(231) if (&User-Name =~ / /)
(231) if (&User-Name =~ / /) -> FALSE
(231) if (&User-Name =~ /@.*@/ )
(231) if (&User-Name =~ /@.*@/ ) -> FALSE
(231) if (&User-Name =~ /\\.\\./ )
(231) if (&User-Name =~ /\\.\\./ ) -> FALSE
(231) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/))
(231) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/)) -> FALSE
(231) if (&User-Name =~ /\\.$/)
(231) if (&User-Name =~ /\\.$/) -> FALSE
(231) if (&User-Name =~ /@\\./)
(231) if (&User-Name =~ /@\\./) -> FALSE
(231) } # filter_username filter_username = notfound
(231) [preprocess] = ok
(231) [chap] = noop
(231) [mschap] = noop
(231) rewrite_calling_station_id rewrite_calling_station_id
{
(231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(231) update request {
(231) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(231) --> e0-ca-94-e6-37-51
(231) Calling-Station-Id := "e0-ca-94-e6-37-51"
(231) } # update request = noop
(231) [updated] = updated
(231) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(231) ... skipping else for request 231: Preceding "if"
was taken
(231) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(231) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(231) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(231) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(231) [authorized_macs_rigu] = ok
(231) if (!ok)
(231) if (!ok) -> FALSE
(231) else else {
(231) eap : Peer sent code Response (2) ID 2 length 6
(231) eap : No EAP Start, assuming it's an on-going EAP
conversation
(231) [eap] = updated
(231) } # else else = updated
(231) [unix] = notfound
(231) [expiration] = noop
(231) [logintime] = noop
(231) WARNING: pap : No "known good" password found for the
user. Not setting Auth-Type
(231) WARNING: pap : Authentication will fail unless a
"known good" password is available
(231) [pap] = noop
(231) if (User-Password)
(231) if (User-Password) -> FALSE
(231) } # authorize = updated
(231) Found Auth-Type = EAP
(231) # Executing group from file /etc/raddb/sites-
enabled/default
(231) authenticate {
(231) eap : Expiring EAP session with state
0xa5b12d7ba0b63875
(231) eap : Expiring EAP session with state
0x045d7f1e045f7973
(231) eap : Finished EAP session with state
0x045d7f1e045f7973
(231) eap : Previous EAP request found for state
0x045d7f1e045f7973, released from the list
(231) eap : Peer sent method NAK (3)
(231) eap : Found mutually acceptable type TTLS (21)
(231) eap : Calling eap_ttls to process EAP data
(231) eap_ttls : Initiate
(231) eap_ttls : Start returned 1
(231) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e055e6a73
(231) [eap] = handled
(231) } # authenticate = handled
(231) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=85, length=0
(231) EAP-Message = 0x010300061520
(231) Message-Authenticator =
0x00000000000000000000000000000000
(231) State = 0x045d7f1e055e6a735c746ec40219cffa
Sending Access-Challenge Id 85 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message = 0x010300061520
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e055e6a735c746ec40219cffa
(231) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 86 from 10.66.146.10:62781 to
10.66.150.52:1812 length 300
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0203006d158000000063160301005e0100005a030155ca1e1527cd64549
1215c4d26942596749837856c75f293e184b19096f7d8e1000018002f0035
0005000ac013c014c009c00a003200380013000401000019ff01000100000
a0006000400170018000b0002010000230000
State = 0x045d7f1e055e6a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xe1de6209c504840cb7a94ab08a4646f2
(232) Received Access-Request packet from host 10.66.146.10
port 62781, id=86, length=300
(232) User-Name = 'juliop'
(232) NAS-IP-Address = 10.66.146.10
(232) NAS-Port = 0
(232) NAS-Identifier = '10.66.146.10'
(232) NAS-Port-Type = Wireless-802.11
(232) Calling-Station-Id = 'e0ca94e63751'
(232) Called-Station-Id = 'aca31ec60340'
(232) Service-Type = Login-User
(232) Framed-MTU = 1100
(232) EAP-Message =
0x0203006d158000000063160301005e0100005a030155ca1e1527cd64549
1215c4d26942596749837856c75f293e184b19096f7d8e1000018002f0035
0005000ac013c014c009c00a003200380013000401000019ff01000100000
a0006000400170018000b0002010000230000
(232) State = 0x045d7f1e055e6a735c746ec40219cffa
(232) Aruba-Essid-Name = 'riguprov'
(232) Aruba-Location-Id = 'apcdoggerC60340'
(232) Aruba-AP-Group = 'WLCZOO'
(232) Message-Authenticator =
0xe1de6209c504840cb7a94ab08a4646f2
(232) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(232) authorize {
(232) filter_username filter_username {
(232) if (!&User-Name)
(232) if (!&User-Name) -> FALSE
(232) if (&User-Name =~ / /)
(232) if (&User-Name =~ / /) -> FALSE
(232) if (&User-Name =~ /@.*@/ )
(232) if (&User-Name =~ /@.*@/ ) -> FALSE
(232) if (&User-Name =~ /\\.\\./ )
(232) if (&User-Name =~ /\\.\\./ ) -> FALSE
(232) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/))
(232) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/)) -> FALSE
(232) if (&User-Name =~ /\\.$/)
(232) if (&User-Name =~ /\\.$/) -> FALSE
(232) if (&User-Name =~ /@\\./)
(232) if (&User-Name =~ /@\\./) -> FALSE
(232) } # filter_username filter_username = notfound
(232) [preprocess] = ok
(232) [chap] = noop
(232) [mschap] = noop
(232) rewrite_calling_station_id rewrite_calling_station_id
{
(232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(232) update request {
(232) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(232) --> e0-ca-94-e6-37-51
(232) Calling-Station-Id := "e0-ca-94-e6-37-51"
(232) } # update request = noop
(232) [updated] = updated
(232) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(232) ... skipping else for request 232: Preceding "if"
was taken
(232) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(232) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(232) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(232) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(232) [authorized_macs_rigu] = ok
(232) if (!ok)
(232) if (!ok) -> FALSE
(232) else else {
(232) eap : Peer sent code Response (2) ID 3 length 109
(232) eap : Continuing tunnel setup
(232) [eap] = ok
(232) } # else else = ok
(232) [unix] = notfound
(232) [expiration] = noop
(232) [logintime] = noop
(232) [pap] = noop
(232) if (User-Password)
(232) if (User-Password) -> FALSE
(232) } # authorize = updated
(232) Found Auth-Type = EAP
(232) # Executing group from file /etc/raddb/sites-
enabled/default
(232) authenticate {
(232) eap : Expiring EAP session with state
0x045d7f1e055e6a73
(232) eap : Finished EAP session with state
0x045d7f1e055e6a73
(232) eap : Previous EAP request found for state
0x045d7f1e055e6a73, released from the list
(232) eap : Peer sent method TTLS (21)
(232) eap : EAP TTLS (21)
(232) eap : Calling eap_ttls to process EAP data
(232) eap_ttls : Authenticate
(232) eap_ttls : processing EAP-TLS
TLS Length 99
(232) eap_ttls : Length Included
(232) eap_ttls : eaptls_verify returned 11
(232) eap_ttls : (other): before/accept initialization
(232) eap_ttls : TLS_accept: before/accept initialization
(232) eap_ttls : <<< TLS 1.0 Handshake [length 005e],
ClientHello
(232) eap_ttls : TLS_accept: SSLv3 read client hello A
(232) eap_ttls : >>> TLS 1.0 Handshake [length 0051],
ServerHello
(232) eap_ttls : TLS_accept: SSLv3 write server hello A
(232) eap_ttls : >>> TLS 1.0 Handshake [length 08d0],
Certificate
(232) eap_ttls : TLS_accept: SSLv3 write certificate A
(232) eap_ttls : >>> TLS 1.0 Handshake [length 0004],
ServerHelloDone
(232) eap_ttls : TLS_accept: SSLv3 write server done A
(232) eap_ttls : TLS_accept: SSLv3 flush data
(232) eap_ttls : TLS_accept: Need to read more data: SSLv3
read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(232) eap_ttls : eaptls_process returned 13
(232) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e06596a73
(232) [eap] = handled
(232) } # authenticate = handled
(232) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=86, length=0
(232) EAP-Message =
0x010403ec15c00000093416030100510200004d030155ca2598dd8c3b53d
f8b24bf7fdcef8d8deaea8c43cce6b8ce3d002e31400bce204c2e39d34510
36f48b4baafb453941ca4904c6858af2168a40acf8a26672e307002f00000
5ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003
020102020101300d06092a864886f70d01010b0500308193310b300906035
5040613024652310f300d0603550408130652616469757331123010060355
04071309536f6d65776865726531153013060355040a130c4578616d706c6
520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e636f6d312630240603550403131d4578616d706c652043657
2746966696361746520417574686f72697479301e170d3135303630333135
323831355a170d3135303830323135323831355a307c310b3009060355040
613024652310f300d0603550408130652616469757331153013060355040a
130c4578616d706c6520496e632e312330210603550403131a4578616d706
c65205365727665722043657274696669636174653120301e06092a864886
f70d010901161161646d696e406578616d706c652e636f6d30820122300d0
6092a864886f70d01010105000382010f003082010a0282010100d25092ad
a62933bf922ec8bdd20f51d230edb578
(232) Message-Authenticator =
0x00000000000000000000000000000000
(232) State = 0x045d7f1e06596a735c746ec40219cffa
Sending Access-Challenge Id 86 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x010403ec15c00000093416030100510200004d030155ca2598dd8c3b53d
f8b24bf7fdcef8d8deaea8c43cce6b8ce3d002e31400bce204c2e39d34510
36f48b4baafb453941ca4904c6858af2168a40acf8a26672e307002f00000
5ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003
020102020101300d06092a864886f70d01010b0500308193310b300906035
5040613024652310f300d0603550408130652616469757331123010060355
04071309536f6d65776865726531153013060355040a130c4578616d706c6
520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e636f6d312630240603550403131d4578616d706c652043657
2746966696361746520417574686f72697479301e170d3135303630333135
323831355a170d3135303830323135323831355a307c310b3009060355040
613024652310f300d0603550408130652616469757331153013060355040a
130c4578616d706c6520496e632e312330210603550403131a4578616d706
c65205365727665722043657274696669636174653120301e06092a864886
f70d010901161161646d696e406578616d706c652e636f6d30820122300d0
6092a864886f70d01010105000382010f003082010a0282010100d25092ad
a62933bf922ec8bdd20f51d230edb57
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e06596a735c746ec40219cffa
(232) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 87 from 10.66.146.10:62781 to
10.66.150.52:1812 length 197
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020400061500
State = 0x045d7f1e06596a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xbb89e26656fbb3e2d883d37f1f809264
(233) Received Access-Request packet from host 10.66.146.10
port 62781, id=87, length=197
(233) User-Name = 'juliop'
(233) NAS-IP-Address = 10.66.146.10
(233) NAS-Port = 0
(233) NAS-Identifier = '10.66.146.10'
(233) NAS-Port-Type = Wireless-802.11
(233) Calling-Station-Id = 'e0ca94e63751'
(233) Called-Station-Id = 'aca31ec60340'
(233) Service-Type = Login-User
(233) Framed-MTU = 1100
(233) EAP-Message = 0x020400061500
(233) State = 0x045d7f1e06596a735c746ec40219cffa
(233) Aruba-Essid-Name = 'riguprov'
(233) Aruba-Location-Id = 'apcdoggerC60340'
(233) Aruba-AP-Group = 'WLCZOO'
(233) Message-Authenticator =
0xbb89e26656fbb3e2d883d37f1f809264
(233) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(233) authorize {
(233) filter_username filter_username {
(233) if (!&User-Name)
(233) if (!&User-Name) -> FALSE
(233) if (&User-Name =~ / /)
(233) if (&User-Name =~ / /) -> FALSE
(233) if (&User-Name =~ /@.*@/ )
(233) if (&User-Name =~ /@.*@/ ) -> FALSE
(233) if (&User-Name =~ /\\.\\./ )
(233) if (&User-Name =~ /\\.\\./ ) -> FALSE
(233) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/))
(233) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/)) -> FALSE
(233) if (&User-Name =~ /\\.$/)
(233) if (&User-Name =~ /\\.$/) -> FALSE
(233) if (&User-Name =~ /@\\./)
(233) if (&User-Name =~ /@\\./) -> FALSE
(233) } # filter_username filter_username = notfound
(233) [preprocess] = ok
(233) [chap] = noop
(233) [mschap] = noop
(233) rewrite_calling_station_id rewrite_calling_station_id
{
(233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(233) update request {
(233) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(233) --> e0-ca-94-e6-37-51
(233) Calling-Station-Id := "e0-ca-94-e6-37-51"
(233) } # update request = noop
(233) [updated] = updated
(233) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(233) ... skipping else for request 233: Preceding "if"
was taken
(233) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(233) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(233) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(233) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(233) [authorized_macs_rigu] = ok
(233) if (!ok)
(233) if (!ok) -> FALSE
(233) else else {
(233) eap : Peer sent code Response (2) ID 4 length 6
(233) eap : Continuing tunnel setup
(233) [eap] = ok
(233) } # else else = ok
(233) [unix] = notfound
(233) [expiration] = noop
(233) [logintime] = noop
(233) [pap] = noop
(233) if (User-Password)
(233) if (User-Password) -> FALSE
(233) } # authorize = updated
(233) Found Auth-Type = EAP
(233) # Executing group from file /etc/raddb/sites-
enabled/default
(233) authenticate {
(233) eap : Expiring EAP session with state
0x045d7f1e06596a73
(233) eap : Finished EAP session with state
0x045d7f1e06596a73
(233) eap : Previous EAP request found for state
0x045d7f1e06596a73, released from the list
(233) eap : Peer sent method TTLS (21)
(233) eap : EAP TTLS (21)
(233) eap : Calling eap_ttls to process EAP data
(233) eap_ttls : Authenticate
(233) eap_ttls : processing EAP-TLS
(233) eap_ttls : Received TLS ACK
(233) eap_ttls : Received TLS ACK
(233) eap_ttls : ACK handshake fragment handler
(233) eap_ttls : eaptls_verify returned 1
(233) eap_ttls : eaptls_process returned 13
(233) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e07586a73
(233) [eap] = handled
(233) } # authenticate = handled
(233) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=87, length=0
(233) EAP-Message =
(233) Message-Authenticator =
0x00000000000000000000000000000000
(233) State = 0x045d7f1e07586a735c746ec40219cffa
Sending Access-Challenge Id 87 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x010503ec15c0000009344cbf2bce7c2d153e57a0ae308d0085a8c641d1b
d8a274505d2dff596d77bab57bb54c46518f80b78d2f3705a8a11706a2781
a6dcd17a902e2b4eaa13cd5fa68fe7a8c94257d645fc967bbde06b931ebed
475aa096ef3342df2b5ede54f115db3df0004e5308204e1308203c9a00302
01020209009552ff70bc0159d9300d06092a864886f70d010105050030819
3310b3009060355040613024652310f300d06035504081306526164697573
3112301006035504071309536f6d65776865726531153013060355040a130
c4578616d706c6520496e632e3120301e06092a864886f70d010901161161
646d696e406578616d706c652e636f6d312630240603550403131d4578616
d706c6520436572746966696361746520417574686f72697479301e170d31
35303630333135323831355a170d3135303830323135323831355a3081933
10b3009060355040613024652310f300d0603550408130652616469757331
12301006035504071309536f6d65776865726531153013060355040a130c4
578616d706c6520496e632e3120301e06092a864886f70d01090116116164
6d696e406578616d706c652e636f6d312630240603550403131d4578616d7
06c6520436572746966696361746520417574686f7269747930820122300d
06092a864886f70d010101050003820
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e07586a735c746ec40219cffa
(233) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 88 from 10.66.146.10:62781 to
10.66.150.52:1812 length 197
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020500061500
State = 0x045d7f1e07586a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0x2167af66b4077bc2ada6d8cc82632788
(234) Received Access-Request packet from host 10.66.146.10
port 62781, id=88, length=197
(234) User-Name = 'juliop'
(234) NAS-IP-Address = 10.66.146.10
(234) NAS-Port = 0
(234) NAS-Identifier = '10.66.146.10'
(234) NAS-Port-Type = Wireless-802.11
(234) Calling-Station-Id = 'e0ca94e63751'
(234) Called-Station-Id = 'aca31ec60340'
(234) Service-Type = Login-User
(234) Framed-MTU = 1100
(234) EAP-Message = 0x020500061500
(234) State = 0x045d7f1e07586a735c746ec40219cffa
(234) Aruba-Essid-Name = 'riguprov'
(234) Aruba-Location-Id = 'apcdoggerC60340'
(234) Aruba-AP-Group = 'WLCZOO'
(234) Message-Authenticator =
0x2167af66b4077bc2ada6d8cc82632788
(234) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(234) authorize {
(234) filter_username filter_username {
(234) if (!&User-Name)
(234) if (!&User-Name) -> FALSE
(234) if (&User-Name =~ / /)
(234) if (&User-Name =~ / /) -> FALSE
(234) if (&User-Name =~ /@.*@/ )
(234) if (&User-Name =~ /@.*@/ ) -> FALSE
(234) if (&User-Name =~ /\\.\\./ )
(234) if (&User-Name =~ /\\.\\./ ) -> FALSE
(234) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/))
(234) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/)) -> FALSE
(234) if (&User-Name =~ /\\.$/)
(234) if (&User-Name =~ /\\.$/) -> FALSE
(234) if (&User-Name =~ /@\\./)
(234) if (&User-Name =~ /@\\./) -> FALSE
(234) } # filter_username filter_username = notfound
(234) [preprocess] = ok
(234) [chap] = noop
(234) [mschap] = noop
(234) rewrite_calling_station_id rewrite_calling_station_id
{
(234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(234) update request {
(234) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(234) --> e0-ca-94-e6-37-51
(234) Calling-Station-Id := "e0-ca-94-e6-37-51"
(234) } # update request = noop
(234) [updated] = updated
(234) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(234) ... skipping else for request 234: Preceding "if"
was taken
(234) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(234) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(234) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(234) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(234) [authorized_macs_rigu] = ok
(234) if (!ok)
(234) if (!ok) -> FALSE
(234) else else {
(234) eap : Peer sent code Response (2) ID 5 length 6
(234) eap : Continuing tunnel setup
(234) [eap] = ok
(234) } # else else = ok
(234) [unix] = notfound
(234) [expiration] = noop
(234) [logintime] = noop
(234) [pap] = noop
(234) if (User-Password)
(234) if (User-Password) -> FALSE
(234) } # authorize = updated
(234) Found Auth-Type = EAP
(234) # Executing group from file /etc/raddb/sites-
enabled/default
(234) authenticate {
(234) eap : Expiring EAP session with state
0x045d7f1e07586a73
(234) eap : Finished EAP session with state
0x045d7f1e07586a73
(234) eap : Previous EAP request found for state
0x045d7f1e07586a73, released from the list
(234) eap : Peer sent method TTLS (21)
(234) eap : EAP TTLS (21)
(234) eap : Calling eap_ttls to process EAP data
(234) eap_ttls : Authenticate
(234) eap_ttls : processing EAP-TLS
(234) eap_ttls : Received TLS ACK
(234) eap_ttls : Received TLS ACK
(234) eap_ttls : ACK handshake fragment handler
(234) eap_ttls : eaptls_verify returned 1
(234) eap_ttls : eaptls_process returned 13
(234) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e005b6a73
(234) [eap] = handled
(234) } # authenticate = handled
(234) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=88, length=0
(234) EAP-Message =
(234) Message-Authenticator =
0x00000000000000000000000000000000
(234) State = 0x045d7f1e005b6a735c746ec40219cffa
Sending Access-Challenge Id 88 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e005b6a735c746ec40219cffa
(234) Finished request
Received Access-Request Id 89 from 10.66.146.10:62781 to
10.66.150.52:1812 length 529
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0206015015800000014616030101061000010201006c9734bf98617e57a
b336a9d59387e12409cdad2e5bfeaaaf0812f8a833959718d95e404b1c66b
c1ac158cc842455fb0a9d372bfc66b9999fe43846d272fe2fc937eeb8fdb4
0f43401765ad3738e2b85b6d30046bfb9393df1bfdc28bca11813b7ec357e
e12d13cbaa40e50cf3ba71b192f5388a302c1ec8d81e85818bcdaab72e635
ca1b3628976700cd08dd3260ca9a122222cef2a02e81c9a5c580d01904ba2
931a9612aace62f032c266a79dff97a32209d5d533d9df10791b577b1d6be
50ce7028424f4e798a3320bb4704bec54ecf9ad4b8f3bf2d8267f28da3e54
01c297c0f9e75851eaed8c1fbe6be017ae2ae1ab72a4be278a3a6976a0a22
a06eaa01403010001011603010030ff73e273aa3d537ab4e6a47049ac6761
52dfe2d2f524602e360b0eac392a1ec6faad956c0ed816a71e552178e740f
706
State = 0x045d7f1e005b6a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xb3ee38765ea4f5290b0ec7501bf5c911
(235) Received Access-Request packet from host 10.66.146.10
port 62781, id=89, length=529
(235) User-Name = 'juliop'
(235) NAS-IP-Address = 10.66.146.10
(235) NAS-Port = 0
(235) NAS-Identifier = '10.66.146.10'
(235) NAS-Port-Type = Wireless-802.11
(235) Calling-Station-Id = 'e0ca94e63751'
(235) Called-Station-Id = 'aca31ec60340'
(235) Service-Type = Login-User
(235) Framed-MTU = 1100
(235) EAP-Message =
0x0206015015800000014616030101061000010201006c9734bf98617e57a
b336a9d59387e12409cdad2e5bfeaaaf0812f8a833959718d95e404b1c66b
c1ac158cc842455fb0a9d372bfc66b9999fe43846d272fe2fc937eeb8fdb4
0f43401765ad3738e2b85b6d30046bfb9393df1bfdc28bca11813b7ec357e
e12d13cbaa40e50cf3ba71b192f5388a302c1ec8d81e85818bcdaab72e635
ca1b3628976700cd08dd3260ca9a122222cef2a02e81c9a5c580d01904ba2
931a9612aace62f032c266a79dff97a32209d5d533d9df10791b577b1d6be
50ce7028424f4e798a3320bb4704bec54ecf9ad4b8f3bf2d8267f28da3e54
01c297c0f9e75851eaed8c1fbe6be017ae2ae1ab72a4be278a3a6976a0a22
a06eaa01403010001011603010030ff73e273aa3d537ab4e6a47049ac6761
52dfe2d2f524602e360b0eac392a1ec6faad956c0ed816a71e552178e740f
706
(235) State = 0x045d7f1e005b6a735c746ec40219cffa
(235) Aruba-Essid-Name = 'riguprov'
(235) Aruba-Location-Id = 'apcdoggerC60340'
(235) Aruba-AP-Group = 'WLCZOO'
(235) Message-Authenticator =
0xb3ee38765ea4f5290b0ec7501bf5c911
(235) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(235) authorize {
(235) filter_username filter_username {
(235) if (!&User-Name)
(235) if (!&User-Name) -> FALSE
(235) if (&User-Name =~ / /)
(235) if (&User-Name =~ / /) -> FALSE
(235) if (&User-Name =~ /@.*@/ )
(235) if (&User-Name =~ /@.*@/ ) -> FALSE
(235) if (&User-Name =~ /\\.\\./ )
(235) if (&User-Name =~ /\\.\\./ ) -> FALSE
(235) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/))
(235) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\
\.(.+)$/)) -> FALSE
(235) if (&User-Name =~ /\\.$/)
(235) if (&User-Name =~ /\\.$/) -> FALSE
(235) if (&User-Name =~ /@\\./)
(235) if (&User-Name =~ /@\\./) -> FALSE
(235) } # filter_username filter_username = notfound
(235) [preprocess] = ok
(235) [chap] = noop
(235) [mschap] = noop
(235) rewrite_calling_station_id rewrite_calling_station_id
{
(235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(235) update request {
(235) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(235) --> e0-ca-94-e6-37-51
(235) Calling-Station-Id := "e0-ca-94-e6-37-51"
(235) } # update request = noop
(235) [updated] = updated
(235) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(235) ... skipping else for request 235: Preceding "if"
was taken
(235) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(235) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(235) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(235) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(235) [authorized_macs_rigu] = ok
(235) if (!ok)
(235) if (!ok) -> FALSE
(235) else else {
(235) eap : Peer sent code Response (2) ID 6 length 336
(235) eap : Continuing tunnel setup
(235) [eap] = ok
(235) } # else else = ok
(235) [unix] = notfound
(235) [expiration] = noop
(235) [logintime] = noop
(235) [pap] = noop
(235) if (User-Password)
(235) if (User-Password) -> FALSE
(235) } # authorize = updated
(235) Found Auth-Type = EAP
(235) # Executing group from file /etc/raddb/sites-
enabled/default
(235) authenticate {
(235) eap : Expiring EAP session with state
0x045d7f1e005b6a73
(235) eap : Finished EAP session with state
0x045d7f1e005b6a73
(235) eap : Previous EAP request found for state
0x045d7f1e005b6a73, released from the list
(235) eap : Peer sent method TTLS (21)
(235) eap : EAP TTLS (21)
(235) eap : Calling eap_ttls to process EAP data
(235) eap_ttls : Authenticate
(235) eap_ttls : processing EAP-TLS
TLS Length 326
(235) eap_ttls : Length Included
(235) eap_ttls : eaptls_verify returned 11
(235) eap_ttls : <<< TLS 1.0 Handshake [length 0106],
ClientKeyExchange
(235) eap_ttls : TLS_accept: SSLv3 read client key exchange
A
(235) eap_ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(235) eap_ttls : <<< TLS 1.0 Handshake [length 0010],
Finished
(235) eap_ttls : TLS_accept: SSLv3 read finished A
(235) eap_ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(235) eap_ttls : TLS_accept: SSLv3 write change cipher spec
A
(235) eap_ttls : >>> TLS 1.0 Handshake [length 0010],
Finished
(235) eap_ttls : TLS_accept: SSLv3 write finished A
(235) eap_ttls : TLS_accept: SSLv3 flush data
SSL: adding session
4c2e39d3451036f48b4baafb453941ca4904c6858af2168a40acf8a26672e
307 to cache
(235) eap_ttls : (other): SSL negotiation finished
successfully
SSL Connection Established
(235) eap_ttls : eaptls_process returned 13
(235) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e015a6a73
(235) [eap] = handled
(235) } # authenticate = handled
(235) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=89, length=0
(235) EAP-Message =
0x0107004515800000003b14030100010116030100308e3794c96fb4750fe
302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec
70aed233037220d0a1
(235) Message-Authenticator =
0x00000000000000000000000000000000
(235) State = 0x045d7f1e015a6a735c746ec40219cffa
Sending Access-Challenge Id 89 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x0107004515800000003b14030100010116030100308e3794c96fb4750fe
302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec
70aed233037220d0a1
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e015a6a735c746ec40219cffa
(235) Finished request
Waking up in 0.1 seconds.
Waking up in 4.3 seconds.
(230) Cleaning up request packet ID 84 with timestamp +8048
(231) Cleaning up request packet ID 85 with timestamp +8048
(232) Cleaning up request packet ID 86 with timestamp +8048
Waking up in 0.1 seconds.
(233) Cleaning up request packet ID 87 with timestamp +8049
(234) Cleaning up request packet ID 88 with timestamp +8049
(235) Cleaning up request packet ID 89 with timestamp +8049
Waking up in 3994804.7 seconds.
I'll be very grateful if anyone can help me. If a configuration file is required, just ask me.
Thanks Again.
Cristian M.
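As a reading aid for the debug output above, this added Python example (not part of the original post and not FreeRADIUS code) decodes the EAP-Message of the final Access-Challenge into its EAP header, EAP-TTLS flags and TLS record headers. The function name `decode_eap_tls` and the returned field names are hypothetical; the hex value is copied from request 235 in the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}

# EAP-Message of the last Access-Challenge (request 235) in the debug output.
CHALLENGE_HEX = (
    "0107004515800000003b14030100010116030100308e3794c96fb4750fe"
    "302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec"
    "70aed233037220d0a1"
)

def decode_eap_tls(hex_value):
    """Decode one EAP-TLS style packet (TLS/TTLS/PEAP) and its TLS record headers."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 6:
        raise ValueError("too short for an EAP-TLS style packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", data[:6])
    if length != len(data):
        raise ValueError(f"EAP length {length} but {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": eap_type,                       # 13 = TLS, 21 = TTLS, 25 = PEAP
           "length_included": bool(flags & 0x80),  # L bit
           "more_fragments": bool(flags & 0x40),   # M bit
           "start": bool(flags & 0x20),            # S bit
           "tls_length": None, "records": [], "truncated": False}
    pos = 6
    if pkt["length_included"]:
        if len(data) < 10:
            raise ValueError("L bit set but TLS length field missing")
        pkt["tls_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    # TLS record header: content type (1), version (2), length (2).
    # Only the first fragment of a TLS message starts on a record boundary.
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        if pos + 5 + rlen > len(data):
            break                                  # rest is in a later fragment
        pkt["records"].append((TLS_CONTENT.get(ctype, ctype), f"{major}.{minor}", rlen))
        pos += 5 + rlen
    pkt["truncated"] = pos != len(data)
    return pkt

if __name__ == "__main__":
    for key, value in decode_eap_tls(CHALLENGE_HEX).items():
        print(f"{key}: {value}")
```

For this challenge the decoder reports an unfragmented EAP Request with ID 7 carrying a ChangeCipherSpec record and one encrypted Handshake record, both version 3.1 (TLS 1.0). That matches the server's "SSL negotiation finished successfully" line, so the next packet the server is waiting for is the client's Response with ID 7.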