MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5
Krause, Kilian
krause at tik.uni-stuttgart.de
Fri Feb 27 23:06:30 CET 2015
Hi,
> And when I look at the logs, I see that you’ve gone out of your way to
> butcher them. Why? You’ve removed the exact information I need to help
> you.
>
> So you want us to help diagnose EAP issue, but have removed all the EAP
> data?
Well, I was still hoping that I'd not need to rip apart my entire testbed config. Now I've removed any production configs, so here's the full log with just dummy login data (so that I have permission to post full details to a public mailing list).
The AnyConnect NAM module client EAP profile is attached.
The switchport on the 3750-X is configured as:
interface GigabitEthernet1/0/1
 description MACSEC client port test
 switchport mode access
 authentication event linksec fail action authorize vlan 465
 authentication order dot1x
 authentication port-control auto
 authentication violation protect
 macsec
 mka policy downlink
 dot1x pae authenticator
 spanning-tree portfast
end
(both of which pretty much go along the default Cisco config guides).
FreeRADIUS log for TTLS resulting in EAP-Key-Name = "" looks like this:
-(snip)-
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/tls_log
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui_log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/inner_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/nksvpn
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/asa_log
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/nksusers
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/control-socket
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/soh
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 5
cleanup_delay = 5
max_requests = 2048
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth+acct"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
realm LOCAL {
}
realm NULL {
}
realm unistuttgart.de {
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
radiusd: #### Loading Clients ####
client ar30a-y1t-s5 {
ipaddr = 172.18.198.32
require_message_authenticator = no
secret = "..."
nastype = "other"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "1234"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file £Ýç?
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = no
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key"
certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt"
private_key_password = "..."
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server soh-server { # from file /etc/freeradius/sites-enabled/soh
modules {
Module: Checking authorize {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
}
}
... adding new socket proxy address * port 60291
... adding new socket proxy address * port 54640
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=179, length=189
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0201001e01616e6f6e796d6f757340756e697374757474676172742e6465
Message-Authenticator = 0x310082a7764857d8fc1b4627379528d3
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 30
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 179 to 172.18.198.32 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8afb7c52e0195bd1096fdf3655
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=180, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020200060315
Message-Authenticator = 0x81bb5b45fb18e1d020e45c97b7f52b49
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8afb7c52e0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 180 to 172.18.198.32 port 1645
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8afa7d5ee0195bd1096fdf3655
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=181, length=309
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x02030084150016030100790100007503012852a20547b500b7f68ef9d12f94962911f02b9bef08352b7cf3c5b378604e44000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013
Message-Authenticator = 0x586d094023b3133cfbe8bb88d8db5a54
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8afa7d5ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0079], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0724], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 181 to 172.18.198.32 port 1645
EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699
EAP-Message = 0x82026630820262304f060355
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8af97a5ee0195bd1096fdf3655
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=182, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020400061500
Message-Authenticator = 0x5dc3a2d8909ccccd8d90f283d7ace0a9
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8af97a5ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 182 to 172.18.198.32 port 1645
EAP-Message = 0x1f91362636c010688ed0fe86
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8af87b5ee0195bd1096fdf3655
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=183, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020500061500
Message-Authenticator = 0x5f80016ee1ea7aba8ec45ec2ed178c6d
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8af87b5ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 183 to 172.18.198.32 port 1645
EAP-Message = 0xc0bced3abd58bd13e6cbb5e5a7aa65932163b4e0b7a01d27496bc2691b1bd6a7bf02908dcf94d026b2f2fb6713b44d233879b9a7302283d186138a5a5f35c9ddde1a5b70f3ca14d30625404a4b5935f9ce55ef281445070ff13f44353b125978c5ef6869e13e7b2539f8a6edc07bf906237383b0a2e99d97bb3ca5e1cb9e07ba45c5769ac484563b3cd023c873913b7337ea24768110f4874aece2b49aedfdfe429002be68aed02522c49215fe7f3100aa9d17fb4dd9f3a6251e90138716bb6195f6827a4dbf67484f21c1175a3417c909408120b06a766816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8aff785ee0195bd1096fdf3655
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=184, length=317
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0206008c15001603010046100000424104b9b344ce9c80fac0b0e96aa13dc790e0ad7f743a45781697b6af030caf3a8734993a94cf98f6a340fedd7edebe017649fb70c935ea49a0e16fc5be030434f4641403010001011603010030815eac8e8ad4190f3592bf0b2edb5460d9af5ab93eb394e8694eccad4b37b8d3937c04ab91fdc90b8c117a904aafd2fc
Message-Authenticator = 0x1c1e7d855458a8d3098fdde3ddf86dc0
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8aff785ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 184 to 172.18.198.32 port 1645
EAP-Message = 0x0107004515800000003b14030100010116030100308f79d0300c835c8b34ed32b1c2b16b6a50cb533f73eac3e836846a31376fc8d0b49d9ec87daef85bf39ffc61139f6877
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8afe795ee0195bd1096fdf3655
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=185, length=289
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0207007015001703010020ac062c50d9ede2061baa4d36b348d96df9a5bb540f59059247d70ca88ae9b4d817030100408956d3afb078a498124467d3a3275e14be21441c02a8e1a2140b94290b901d7d00c753c43f2054ac67eb21932538dd9751125125fe701e2135f3c53ac2b85d31
Message-Authenticator = 0x002a15f9b831746e7f863fe263159f15
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8afe795ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 112
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x02000019017465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of test at unistuttgart.de
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x02000019017465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x0101002e1a0101002910b92948814412ee82da1dd2059e68eda17465737440756e697374757474676172742e6465
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfd4e25fbfd5f86d9adb2c85cd749c1d
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 185 to 172.18.198.32 port 1645
EAP-Message = 0x0108005f1580000000551703010050546db30172f4a30cb78c76bef5907dad160bec9738a88b265033840f78111003c1e87a6255c1051cd178cf5c67e74601a8cf2676d674546fa30010bf35770fe6f6416061b76cd594b6ab40235bb932ae
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8afd765ee0195bd1096fdf3655
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=186, length=337
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020800a0150017030100202ebd61605ed88be0d5136ef1c728e9260c15de503954daad14e4ce66c34dbf4f1703010070f672c15cdff050d2f92ff3170d5b373b61589c468b06602e18adfdf305eebffa265838a5ec04485ebbbf005f9e7366c7c617b7a4c4906b8e95a13f2ac54db9b707b07099eec7138579f023ceb269b543b8d241b8d2791c2a87fc9daf3e4aa595f3fc5098e96c4ec1adc448c74b66feca
Message-Authenticator = 0x9a0f2af59d90000cebe3c65ae9a7c7c3
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8afd765ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 160
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0201004f1a0201004a31231ab1b20e9e7266dbb6e9793d6d477d0000000000000000caceb4606f5dbb180f2e167ecd8b16831b100fc6904f5d2c007465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x0201004f1a0201004a31231ab1b20e9e7266dbb6e9793d6d477d0000000000000000caceb4606f5dbb180f2e167ecd8b16831b100fc6904f5d2c007465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
State = 0xbfd4e25fbfd5f86d9adb2c85cd749c1d
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test at unistuttgart.de
[mschap] Client is using MS-CHAPv2 for test at unistuttgart.de, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x010200331a0301002e533d30313132353741314341354637444534453235414645424435434333383645324639313941393433
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfd4e25fbed6f86d9adb2c85cd749c1d
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 186 to 172.18.198.32 port 1645
EAP-Message = 0x0109006f15800000006517030100606afa3de81ad95abe95318904055cf5b34717b07bfd90b68e932f300d5e6cf11daa31c36b6b7b1f3848076ecd1a0793d83cfb3ce74484ded2a4e7c44e4ec206b851368a3c83edf6fd3abd20f8b69e7d3a40a3070272901ed4d7db16f5d94d5a37
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb7e4b8afc775ee0195bd1096fdf3655
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=187, length=273
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x02090060150017030100201780eedd3729128221269f3b3b3a7f58a2d89300ef0830e3d7d7145fe7ba5d4b1703010030327c8d83df420fdccb646b16bb250328f6c6350e17b0e64c0567d116e7f7ee75a1793cc01f8be15934d02d13e7cdf5c4
Message-Authenticator = 0x1edda8ae512f59ece1179f98c15d471d
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xfb7e4b8afc775ee0195bd1096fdf3655
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x020200061a03
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x020200061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
State = 0xbfd4e25fbed6f86d9adb2c85cd749c1d
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test at unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x03020004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user test at unistuttgart.de
++[eap] = ok
+} # group authenticate = ok
Login OK: [anonymous at unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
++? if (reply:EAP-Session-Id)
? Evaluating (reply:EAP-Session-Id) -> TRUE
++? if (reply:EAP-Session-Id) -> TRUE
++if (reply:EAP-Session-Id) {
+++update reply {
expand: %{reply:EAP-Session-Id} ->
+++} # update reply = noop
++} # if (reply:EAP-Session-Id) = noop
+} # group post-auth = noop
Sending Access-Accept of id 187 to 172.18.198.32 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "125"
Cisco-AVPair = "linksec-policy=must-secure"
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
MS-MPPE-Recv-Key = 0x1a3f17c2d4e9de667dd14ba7b49bc7d9fc0a955ce42e31cdfb0b4440abe6f1f5
MS-MPPE-Send-Key = 0x70ab81030ceb1e3ad83ba5ca90da25d521282d57a85e4d4259ce09beb4fe51bc
EAP-Message = 0x03090004
EAP-Key-Name = ""
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 179 with timestamp +9
Cleaning up request 1 ID 180 with timestamp +9
Cleaning up request 2 ID 181 with timestamp +9
Cleaning up request 3 ID 182 with timestamp +9
Cleaning up request 4 ID 183 with timestamp +10
Cleaning up request 5 ID 184 with timestamp +10
Cleaning up request 6 ID 185 with timestamp +10
Cleaning up request 7 ID 186 with timestamp +10
Cleaning up request 8 ID 187 with timestamp +10
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=188, length=189
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020a001e01616e6f6e796d6f757340756e697374757474676172742e6465
Message-Authenticator = 0x76855ce7c1ef8e603926873fe80d2a87
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 30
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 188 to 172.18.198.32 port 1645
EAP-Message = 0x010b00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa2002dc0c95b38f2c20d4854
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=189, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020b00060315
Message-Authenticator = 0xc1e04db636efab7c499a294e4c93bfa9
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa2002dc0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 189 to 172.18.198.32 port 1645
EAP-Message = 0x010c00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa30721c0c95b38f2c20d4854
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=190, length=309
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020c008415001603010079010000750301c2f1b4369136f3777bc4e109387787232dd92fdc245c796ee61018c727854d22000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013
Message-Authenticator = 0x1742a2f140bf698a2c1992fce93c1dd1
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa30721c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 12 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0079], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0724], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 190 to 172.18.198.32 port 1645
EAP-Message = 0x010d040015c0000009c0160301003902000035030154f0e958a8444f528782eed87574fea205f03a0358a95b68ea2e07199502a63500c01400000dff01000100000b00040300010216030107240b00072000071d00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d010901161763
EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699
EAP-Message = 0x82026630820262304f060355
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa00621c0c95b38f2c20d4854
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=191, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020d00061500
Message-Authenticator = 0xc4c35c641864cd84c3093628cef924f9
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa00621c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 13 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 191 to 172.18.198.32 port 1645
EAP-Message = 0x7ad30d7bf8eaaa6a59cdc965
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa10521c0c95b38f2c20d4854
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=192, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020e00061500
Message-Authenticator = 0x11548231eb4324d6709e5824343e8b14
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa10521c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 192 to 172.18.198.32 port 1645
EAP-Message = 0x055efcb625431e5b39e1fbb2e4fd5bda7e8fdc61dcfc2b14ef8650c0e9cd754520f494ba5ed6dcc795bac2c1f8945ea4d5170cb944bf6820d699c4a5c66dc5c6d3d892614ef48b2eeb0b4d39640e313dc453e104608a16b2a83fda6420e64f2f048ced7ea35c331797904c069273e7cff8fb0ebe7e6940a971788e5974f131289298a7a97d582f97c866a343e583592437b7fe850e8a2d00359f40c379b5ff161ee970182c3f10d913b79390a69776b559a85fd7a0cc463a88c565c76063ab51a4fa8ea718481f0441da73c9aecdf5c5eaf02357ee5527f816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa60421c0c95b38f2c20d4854
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=193, length=317
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020f008c150016030100461000004241047f307f7d8f9130a0e34c02298894e3bd6f51525c7c85d8a035965bcd0044bad7e91c12fdd3fdd263ce4890306f361941c4ee8ea2c5e2201bb78f0b1552400dbd1403010001011603010030a2a4f602103e2801aa9a5cf2f19781dc63b9088011136de288eaf1ec89a14ff7cf7a05186d7f0240f8aa7a6d27c64401
Message-Authenticator = 0x321ca3c9bab12081ad1152823138850c
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa60421c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 15 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 193 to 172.18.198.32 port 1645
EAP-Message = 0x0110004515800000003b140301000101160301003066454fe53f7ccb6249b2c781509669a56698c3431239e22d750db4784a40f465ce4b7fc7ef593302478ea171eb51a7a4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa71b21c0c95b38f2c20d4854
Finished request 14.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=194, length=289
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0210007015001703010020d41a723e20f08fd833f559bfc02c8d95e82b6db9878674bea608b72dcd5f310017030100407b127a702f6bf9f8798715abdf3a06b99e8494ad2009cd3533868a3ca0f1a86d2d40f34460f0fc2390494ab7684bc86b1831f9da729d0f0632a282218b8fe6fc
Message-Authenticator = 0xaf4226d5916ec0201e978f55ced154e8
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa71b21c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 16 length 112
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x02000019017465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of test at unistuttgart.de
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x02000019017465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x0101002e1a0101002910d6ef0301cbc00cff6103ebb5c86581607465737440756e697374757474676172742e6465
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x090ccac9090dd0e190c6fcc2517b50c6
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 194 to 172.18.198.32 port 1645
EAP-Message = 0x0111005f158000000055170301005084bc197827291a3343a677a84740837595f94d9652cd844e62e73fa180aaad7f105dc6e8b3192a3586993d481bc1e80ee96a559dcd7d9b299efd904fbf5f497276650b0cee0b01603615a96e7790092c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa41a21c0c95b38f2c20d4854
Finished request 15.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=195, length=337
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x021100a015001703010020944874392600ca218d37dd4e8340f39557384fd2d060582e9f50c4a8831103ec170301007024105b6ba4d7f64a40685b11753d739090b183ab748615101a334e5f06a138bba9cf34f19ae39dd6ef043784c700fc59db759aa8c1f546cff06549be5033a32df868401c06d5c27a6ce31041d6fbcef03b479b6ac42b0458f793cc18e4a33e57f8a56c74ddf6f20c54bce8e665b74616
Message-Authenticator = 0x10cabb6de4f1bde23da154f301913900
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa41a21c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 17 length 160
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x0201004f1a0201004a311dfd5207dab8f60e950878b079426b08000000000000000048a5d83eaa13c552bf4eed4ed859f479bf795f9cf8ad98be007465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x0201004f1a0201004a311dfd5207dab8f60e950878b079426b08000000000000000048a5d83eaa13c552bf4eed4ed859f479bf795f9cf8ad98be007465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
State = 0x090ccac9090dd0e190c6fcc2517b50c6
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test at unistuttgart.de
[mschap] Client is using MS-CHAPv2 for test at unistuttgart.de, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x010200331a0301002e533d39433037323344364432423141343843353843334544354334323838453239424437354234444141
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x090ccac9080ed0e190c6fcc2517b50c6
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 195 to 172.18.198.32 port 1645
EAP-Message = 0x0112006f15800000006517030100604804557fe41292cc5ddb41c7d68f1d3f0e7779cacfc23348eaf8900d91d57487bab0bbdfbe809cf5fba67328b954b56646118db9404c13c2d01f3f7fe1604f6301399b95e176f99f120d2ffe283b2cab70f27364bab3ed467d944a04c22d82c3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa20b346fa51921c0c95b38f2c20d4854
Finished request 16.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=196, length=273
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x021200601500170301002086c674dd2ffefa8889234702e7a8c8e06d5f9213c48b03ba4e2c0f4f6975f34617030100304ec807b42268cb18c83c767893d28b586714315a19969117ad3f9691358042bdf78b7c5d19e2fe62a757edbecb2bb42b
Message-Authenticator = 0x45d412d1a225a1bbda13a465655b1b1c
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xa20b346fa51921c0c95b38f2c20d4854
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 18 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x020200061a03
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x020200061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
State = 0x090ccac9080ed0e190c6fcc2517b50c6
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test at unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x03020004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user test at unistuttgart.de
++[eap] = ok
+} # group authenticate = ok
Login OK: [anonymous at unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
++? if (reply:EAP-Session-Id)
? Evaluating (reply:EAP-Session-Id) -> TRUE
++? if (reply:EAP-Session-Id) -> TRUE
++if (reply:EAP-Session-Id) {
+++update reply {
expand: %{reply:EAP-Session-Id} ->
+++} # update reply = noop
++} # if (reply:EAP-Session-Id) = noop
+} # group post-auth = noop
Sending Access-Accept of id 196 to 172.18.198.32 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "125"
Cisco-AVPair = "linksec-policy=must-secure"
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
MS-MPPE-Recv-Key = 0x38cb476a152fb9548a6e8a3dd8c81434daa51847991fee6057e2e50df8e35be5
MS-MPPE-Send-Key = 0xf67728f2b63ebde0609ad4454aaeb497fbc28fe626b36f3c012c40f5dc86f7e1
EAP-Message = 0x03120004
EAP-Key-Name = ""
Finished request 17.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 9 ID 188 with timestamp +18
Cleaning up request 10 ID 189 with timestamp +18
Cleaning up request 11 ID 190 with timestamp +18
Cleaning up request 12 ID 191 with timestamp +18
Cleaning up request 13 ID 192 with timestamp +18
Cleaning up request 14 ID 193 with timestamp +18
Cleaning up request 15 ID 194 with timestamp +18
Cleaning up request 16 ID 195 with timestamp +18
Cleaning up request 17 ID 196 with timestamp +18
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=197, length=189
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0201001e01616e6f6e796d6f757340756e697374757474676172742e6465
Message-Authenticator = 0x6348de93c52371a9fc759d6806f31df9
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 30
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 197 to 172.18.198.32 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1ed8d3f6e25cc3ffac739f7417
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=198, length=309
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x02020084190016030100790100007503017622f9a142432084cd76856e66189134748597535fbcdb94ed3231bdd7c43069000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013
Message-Authenticator = 0x9351c781d5324661757a70de6384969d
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1ed8d3f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0724], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 198 to 172.18.198.32 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1ed9d2f6e25cc3ffac739f7417
Finished request 19.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=199, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020300061900
Message-Authenticator = 0xce71e8303414b0a99057a2a4b575b414
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1ed9d2f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 199 to 172.18.198.32 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1edad5f6e25cc3ffac739f7417
Finished request 20.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=200, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020400061900
Message-Authenticator = 0x5cb3757710a9e1aa840f98a82e0cd4ac
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1edad5f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 200 to 172.18.198.32 port 1645
EAP-Message = 0x62b5a5f51d575c728e77200cc821911ca0a471cea55af9a7f1e82f6456e072c3372804fac2f37bdc819b3ba5d9577218f5f2d1261fb11473a47c3eb334bb06755b7089f353f55a331f52162546e53d43c472f7ef1e5c054053ab5808e9ab9a4ecc8b410219ee742af25c0ca87ef90a4e1bdbdfc8e2c009a0fd4a039cd1cc8fee81b24213c57d37e2496f55441fdcb40235ccc48af7ff6bbb3502c0a71e25762dd6d6aaf5e342a261abc0bb3451b7df7925f2bac8d52368d948046406b2ff6481607135ecb684ec3665e4c5bc3abb955dfc90090b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1edbd4f6e25cc3ffac739f7417
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=201, length=317
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0205008c19001603010046100000424104c920e896bbdfb7b30714655ff17a0b5f26fca20f71c89b3847654bc60f16226f1c377af37c9941cc4b6bd52e1bec5605d7ef9fcf2f22a58e9c70e26cac5d90d714030100010116030100302d906f12f1aaa192ce35c8698ef5c1e533a66aea1911314665e7e68856e7b993b98701624db7317f7891d7ddd8215065
Message-Authenticator = 0x245c49b0c78d717defad473ea4995519
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1edbd4f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 201 to 172.18.198.32 port 1645
EAP-Message = 0x010600411900140301000101160301003009aa5d4cf397842d682fffb1858ce9ea3c66a41b1d97d004f6ccfae16f183cbfbcd52e43881fbe31c76f0b1713e1b148
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1edcd7f6e25cc3ffac739f7417
Finished request 22.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=202, length=183
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020600061900
Message-Authenticator = 0xdcc682b2f47b466deb0a7bbf385835e5
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1edcd7f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 202 to 172.18.198.32 port 1645
EAP-Message = 0x0107002b1900170301002021ad645902073d2033c2fa10a4b57dcd8a3c3920f23ccef4c5a28f494c7b3f3e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1eddd6f6e25cc3ffac739f7417
Finished request 23.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=203, length=273
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x02070060190017030100201556be55b047693bdf7ac1b410e42b9646e9b88d479c4f5b2544f5ce7d9e3cc11703010030e74b08c5ea2ebdebe3cb70ec39de0b36691903de2eca9725792d43d318f04ce76777955b0986b9c286e4a59762990074
Message-Authenticator = 0x9b6f8a5c745b216a6a50bfdbba7dc115
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1eddd6f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test at unistuttgart.de
[peap] Got inner identity 'test at unistuttgart.de'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02070019017465737440756e697374757474676172742e6465
server {
[peap] Setting User-Name to test at unistuttgart.de
Sending tunneled request
EAP-Message = 0x02070019017465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x0108002e1a01080029105e86fe5270171c649fe7f47a59cfea9f7465737440756e697374757474676172742e6465
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6abbdc356ab3c6f49b248f333ecdfdd5
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x0108002e1a01080029105e86fe5270171c649fe7f47a59cfea9f7465737440756e697374757474676172742e6465
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6abbdc356ab3c6f49b248f333ecdfdd5
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 203 to 172.18.198.32 port 1645
EAP-Message = 0x0108004b19001703010040397ebeacf4e455642e30eabd8219feff7872e3b1a8bfd14648f54cefb93dfe0bd84cc1c4a1bb7b18a53a245e87535aec16f4ff5778a61d0424f581a45e824199
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1eded9f6e25cc3ffac739f7417
Finished request 24.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=204, length=321
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x02080090190017030100202f4572bb50e17a435043848d867990437567c3f6492396aceeed491eb2a9b8e417030100603e7cae95cdd47e2c3f743414227bf71d16222ecb5916e7259e9afe6e63abdd5689a10ccba4070f4cf89eefcbce73d30a9b55f2cbe473828ba57f8d049525e300fcb4ef8049e7dfb9d627c2c2e2ced9ad4356f77789e3231132a7a6c9b0d2bc80
Message-Authenticator = 0x91e6a98a90553c5c25810947357b2a55
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1eded9f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0208004f1a0208004a317f04d58271cddee5b3b9ca7da908a1e4000000000000000092b8ad0318ad8053c26c7d83615c8d71b6b9c82db3a308ba007465737440756e697374757474676172742e6465
server {
[peap] Setting User-Name to test at unistuttgart.de
Sending tunneled request
EAP-Message = 0x0208004f1a0208004a317f04d58271cddee5b3b9ca7da908a1e4000000000000000092b8ad0318ad8053c26c7d83615c8d71b6b9c82db3a308ba007465737440756e697374757474676172742e6465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
State = 0x6abbdc356ab3c6f49b248f333ecdfdd5
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test at unistuttgart.de
[mschap] Client is using MS-CHAPv2 for test at unistuttgart.de, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x010900331a0308002e533d32443234454533424334363741333242393939363246373841433442363541444135434244463342
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6abbdc356bb2c6f49b248f333ecdfdd5
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x010900331a0308002e533d32443234454533424334363741333242393939363246373841433442363541444135434244463342
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6abbdc356bb2c6f49b248f333ecdfdd5
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 204 to 172.18.198.32 port 1645
EAP-Message = 0x0109005b19001703010050ae7e8a81d91b5f11d34ba15bd0bab19aba25d742f03341ad33f4f49820c729255b0f8d928130a067432cdce260da9fa2e08aeeabfa72bbbc710ede11cb0c0080d11cdc60e3ed5469a049675d7c6c8e21
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1edfd8f6e25cc3ffac739f7417
Finished request 25.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=205, length=257
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x0209005019001703010020124448bbc9d32dc7684cfc084ad76fa4b0f28f4b8c90d5b1d4da59790bbc076a170301002037708ae0e37268260ebbc556d9a3808d960807a3cf7af6731a3ef88c13fa68bd
Message-Authenticator = 0x8dc62f26b9cb8cf28f604e372ab31131
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1edfd8f6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server {
[peap] Setting User-Name to test at unistuttgart.de
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at unistuttgart.de"
State = 0x6abbdc356bb2c6f49b248f333ecdfdd5
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "test at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 127
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test at unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
[peap] Got tunneled reply RADIUS code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 205 to 172.18.198.32 port 1645
EAP-Message = 0x010a002b190017030100206d5bcfbdd0061220771b5ff0707bd0b82144de71932c2bcabb08eda4cbb6b789
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd8d1ef1ed0dbf6e25cc3ffac739f7417
Finished request 26.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=206, length=257
User-Name = "anonymous at unistuttgart.de"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "3C-08-F6-48-9D-01"
Calling-Station-Id = "00-15-17-51-6E-C8"
EAP-Message = 0x020a0050190017030100203b456f64e3ca70184d51b4fea6b118d82507cd740db868aaefd3bb3d855beaf41703010020657e7167a49b2260b3b59ea624d86b20e08bb64ccad18849adb7b82c359fe290
Message-Authenticator = 0xb85f02b163b10e348a035b1ee458cc72
NAS-Port-Type = Ethernet
NAS-Port = 50101
NAS-Port-Id = "GigabitEthernet1/0/1"
State = 0xd8d1ef1ed0dbf6e25cc3ffac739f7417
NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "unistuttgart.de" for User-Name = "anonymous at unistuttgart.de"
[suffix] Found realm "unistuttgart.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "unistuttgart.de"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "125"
Cisco-AVPair := "linksec-policy=must-secure"
User-Name = "test"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [anonymous at unistuttgart.de] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
++? if (reply:EAP-Session-Id)
? Evaluating (reply:EAP-Session-Id) -> TRUE
++? if (reply:EAP-Session-Id) -> TRUE
++if (reply:EAP-Session-Id) {
+++update reply {
expand: %{reply:EAP-Session-Id} ->
+++} # update reply = noop
++} # if (reply:EAP-Session-Id) = noop
+} # group post-auth = noop
Sending Access-Accept of id 206 to 172.18.198.32 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "125"
Cisco-AVPair = "linksec-policy=must-secure"
User-Name = "test"
MS-MPPE-Recv-Key = 0x3c0aab819095f1282469005cc7f2e24e5c37a32a95c8b9b2784f784a881e59a5
MS-MPPE-Send-Key = 0x79674abf7fb0ed91dbec1190e36e9b677236bbaaeef59c63820b22eb0f9b271c
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Key-Name = ""
Finished request 27.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 18 ID 197 with timestamp +35
Cleaning up request 19 ID 198 with timestamp +35
Cleaning up request 20 ID 199 with timestamp +35
Cleaning up request 21 ID 200 with timestamp +35
Cleaning up request 22 ID 201 with timestamp +35
Cleaning up request 23 ID 202 with timestamp +35
Cleaning up request 24 ID 203 with timestamp +35
Cleaning up request 25 ID 204 with timestamp +35
Cleaning up request 26 ID 205 with timestamp +35
Cleaning up request 27 ID 206 with timestamp +35
Ready to process requests.
-(snip)-
Thus, both TTLS-MSCHAPv2 and PEAP-MSCHAPv2 result in an empty EAP-Key-Name.
Best regards,
Kilian
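
A check for the condition this post reports, as an added example that is not part of the original message or of FreeRADIUS: it scans FreeRADIUS debug output for Access-Accept replies that carry linksec-policy=must-secure but an empty or absent EAP-Key-Name. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample shaped like the debug output above; all values are made up.
SAMPLE_LOG = """\
Sending Access-Challenge of id 10 to 192.0.2.1 port 1645
EAP-Message = 0x0101
Finished request 1.
Sending Access-Accept of id 11 to 192.0.2.1 port 1645
Tunnel-Private-Group-Id:0 = "125"
Cisco-AVPair = "linksec-policy=must-secure"
EAP-Key-Name = ""
Finished request 2.
Sending Access-Accept of id 12 to 192.0.2.1 port 1645
Cisco-AVPair = "linksec-policy=must-secure"
EAP-Key-Name = "0x19c0ffee"
Finished request 3.
Sending Access-Accept of id 13 to 192.0.2.1 port 1645
Cisco-AVPair = "linksec-policy=must-secure"
Finished request 4.
"""

HEADER = re.compile(r"^Sending (\S+) of id (\d+) to \S+ port \d+")
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*)(?::\d+)?\s*:?=\s*(.*?)\s*$")

def parse_replies(text):
    """Return [(code, packet_id, [(attr, value), ...])] for each sent packet."""
    replies, attrs = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            attrs = []
            replies.append((head.group(1), int(head.group(2)), attrs))
            continue
        pair = ATTR.match(line) if attrs is not None else None
        if pair:
            attrs.append((pair.group(1), pair.group(2).strip('"')))
        else:
            attrs = None  # first non-attribute line ends the packet dump
    return replies

def accepts_without_key_name(text):
    """IDs of Access-Accepts that demand MACsec but carry no usable EAP-Key-Name."""
    flagged = []
    for code, packet_id, attrs in parse_replies(text):
        must_secure = ("Cisco-AVPair", "linksec-policy=must-secure") in attrs
        key_names = [v for k, v in attrs if k == "EAP-Key-Name"]
        if code == "Access-Accept" and must_secure and not any(key_names):
            flagged.append(packet_id)
    return flagged
```

Run against the log in this message, it would flag the Access-Accept of id 206.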