using external script in virtual server config

the2nd at otpme.org
Tue Jan 27 19:05:45 CET 2015


On 2015-01-27 14:17, Alan DeKok wrote:
> On Jan 27, 2015, at 3:56 AM, the2nd at otpme.org wrote:
>> Btw., the rlm_python examples do not show how to handle mschap requests. It 
>> would be of much help to have an example.
> 
>   No.
> 
>   Read RFC 2548.  Or, the source code to rlm_mschap.  This is already
> available to you.
> 
>> The output of authData I sent in my last mail is just what I receive 
>> from rlm_python. There is nothing I have invented. It's just a "log 
>> authData" from within the authenticate() function.
> 
>   Which is YOUR MODULE.  And YOUR PYTHON CODE.  i.e. something you 
> invented.
> 
>   I’ll be clear.  I don’t want to see that data.  I don’t know what
> “authData” is, and I don’t care.  You’re assuming that I magically
> know everything about what you’re doing, without you explaining it.


Sorry, I don't want to be rude, but it's just not true what you say. 
authData is sent from rlm_python to the authenticate() function of the 
module it loads. I just used the example prepaid.py module that comes 
with FreeRADIUS as a "template", and it does exactly what you call "my 
invention": it uses authData to get a tuple with authentication data 
(e.g. username and password):

http://fossies.org/dox/freeradius-server-2.2.6/prepaid_8py_source.html

So it's not my code that sets this tuple, and it's nothing I have invented. 
All I want to know is if it is possible to get "%{mschap:Challenge}" 
and "%{mschap:NT-Response}" in this tuple to verify an MS-CHAP request, 
just like it can be done with the ntlm_auth statement from within the 
mschap module.

And I think that's a valid use case when someone wants to integrate an 
OTP solution with FreeRADIUS using rlm_python.

So here is the debug output of two requests and the corresponding config.

The first one is using my Python script as a replacement of ntlm_auth 
from within the mschap module and succeeds. The second one uses 
rlm_python and my module. You can see in the debug output what's in 
authData (one of the lines that starts with otpme.py) because I used the 
provided log function to log it.


# OTPme ntlm
mschap otpme_ntlm {
         ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'"
}

python otpme_mod {
         module = otpme

         mod_instantiate = ${.module}
         func_instantiate = instantiate

         mod_detach = ${.module}
         func_detach = detach

         mod_authenticate = ${.module}
         func_authenticate = authenticate
}



         authenticate {
                 Auth-Type EAP {
                         eap
                 }

                 Auth-Type MS-CHAP {
                         otpme_ntlm
                 }
         }

         authorize {
                 eap
                 mschap
         }



radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on Jan 18 2015 at 12:00:30
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/otpme
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/script
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/otpme
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var/lib"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
  log {
  	stripped_names = no
  	auth = yes
  	auth_badpass = no
  	auth_goodpass = no
  }
  security {
  	max_attributes = 200
  	reject_delay = 1
  	status_server = no
  	allow_vulnerable_openssl = no
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
  	retry_delay = 5
  	retry_count = 3
  	default_fallback = no
  	dead_time = 120
  	wake_all_if_all_dead = no
  }
  home_server localhost {
  	ipaddr = 127.0.0.1
  	port = 1812
  	type = "auth"
  	secret = "testing123"
  	response_window = 20
  	max_outstanding = 65536
  	require_message_authenticator = yes
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_interval = 30
  	num_answers_to_alive = 3
  	num_pings_to_alive = 3
  	revive_interval = 120
  	status_check_timeout = 4
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
  }
  realm example.com {
	auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
radiusd: #### Loading Clients ####
  client localhost {
  	ipaddr = 127.0.0.1
  	require_message_authenticator = no
  	secret = "test123"
  	nastype = "other"
  }
radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /etc/raddb/modules/exec
   exec {
   	wait = no
   	input_pairs = "request"
   	shell_escape = yes
   	timeout = 10
   }
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /etc/raddb/modules/expr
  Module: Linked to module rlm_expiration
  Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
   expiration {
   	reply-message = "Password Has Expired  "
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
   logintime {
   	reply-message = "You are calling outside your allowed timespan  "
   	minimum-timeout = 60
   }
  }
radiusd: #### Loading Virtual Servers ####
server { # from file TÚJ·?
  modules {
  } # modules
} # server
server otpme { # from file /etc/raddb/sites-enabled/otpme
  modules {
   Module: Creating Auth-Type = OTPme
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_eap
  Module: Instantiating module "eap" from file /etc/raddb/eap.conf
   eap {
   	default_eap_type = "peap"
   	timer_expire = 60
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   	max_sessions = 1024
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
    	challenge = "Password: "
    	auth_type = "PAP"
    }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
    tls {
    	rsa_key_exchange = no
    	dh_key_exchange = yes
    	rsa_key_length = 512
    	dh_key_length = 512
    	verify_depth = 0
    	CA_path = "/etc/raddb/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/raddb/certs/server.pem"
    	certificate_file = "/etc/raddb/certs/server.pem"
    	private_key_password = "whatever"
    	dh_file = "/etc/raddb/certs/dh"
    	fragment_size = 1024
    	include_length = yes
    	check_crl = no
    	cipher_list = "DEFAULT"
    	make_cert_command = "/etc/raddb/certs/bootstrap"
    	virtual_server = "otpme"
    	ecdh_curve = "prime256v1"
     cache {
     	enable = no
     	lifetime = 24
     	max_entries = 255
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
    ttls {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = no
    	virtual_server = "otpme"
    	include_length = yes
    }
  Module: Linked to sub-module rlm_eap_peap
  Module: Instantiating eap-peap
    peap {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "otpme"
    	soh = no
    }
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
  Module: Linked to module rlm_mschap
  Module: Instantiating module "otpme_ntlm" from file /etc/raddb/modules/otpme
   mschap otpme_ntlm {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = no
   	ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'"
   	allow_retry = yes
   }
  Module: Linked to module rlm_python
  Module: Instantiating module "otpme_mod" from file /etc/raddb/modules/otpme
python_init done
   python otpme_mod {
   	mod_instantiate = "otpme"
   	func_instantiate = "instantiate"
   	mod_authenticate = "otpme"
   	func_authenticate = "authenticate"
   	mod_detach = "otpme"
   	func_detach = "detach"
   }
  Module: Checking authorize {...} for more modules to load
  Module: Instantiating module "mschap" from file 
/etc/raddb/modules/mschap
   mschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = no
   	allow_retry = yes
   }
  } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
   	type = "auth"
   	ipaddr = 10.219.195.1
   	port = 1812
   client 10.219.195.18 {
   	require_message_authenticator = no
   	secret = "123"
   	shortname = "host1"
   }
}
Listening on authentication address 10.219.195.1 port 1812 as server otpme
Ready to process requests.
otpme.py: OTPme config verfied successful.
otpme.py: Instantiated OTPme module.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=0, length=126
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0200000e01746573747573657231
	Message-Authenticator = 0xc6a9d4db12aa9a3fa241a3810c655494
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 0 to 10.219.195.1 port 37538
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7562a6491fd890a063366da0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=1, length=352
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020100de190016030100d3010000cf0301a741278a0cfb95e7f7ad572b9e9003e26a0ec3d1cedb3a61ee7b35b95ad3c9f600005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
	State = 0x7563bf7e7562a6491fd890a063366da0
	Message-Authenticator = 0x06b5d1eac47be747a523dea518b88a2a
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 1 length 222
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 03b0], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 1 to 10.219.195.1 port 37538
	EAP-Message = 0xad17d75da15a7cac2ecd58db
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7461a6491fd890a063366da0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=2, length=136
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020200061900
	State = 0x7563bf7e7461a6491fd890a063366da0
	Message-Authenticator = 0xf10086a8043a391d9f34e5f93ac3d50b
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 2 to 10.219.195.1 port 37538
	EAP-Message = 0x3fb128087eba6bf1a6acc03786ed2ff39ae3823f1e4f9e374204f03bfbbec021ce768b36d290f9666f60a8756cd061e70332b48dc4bac07e8c38abba380f561dd996017f4392e2199a5fa06c886057d47e170e42cc8c7a414f796a16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7760a6491fd890a063366da0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=3, length=270
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0203008c190016030100461000004241043c8e62e48361799a71777b230786c6ddbd899d9257d73d5fb4d730366671f8f166c0ea2577fcc68ed3e21899edf5b82f7e401f1cb99f7a973c2d35315c619c6d1403010001011603010030543bfb94bffc0be1b81e3e1268ac126fd2d73fb6306e806798e1d651ead4190a74e521db1561c4e16f1acdc896c4afb6
	State = 0x7563bf7e7760a6491fd890a063366da0
	Message-Authenticator = 0xc6e998f7aef0baef668d678ad3ffd5de
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 3 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 3 to 10.219.195.1 port 37538
	EAP-Message = 0x0104004119001403010001011603010030dafc2aa3b8b15dcb31e8774f67876afb903a651d8f475b94647d45668ca9abde22ffbea12f0e799b6acc4b4900860181
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7667a6491fd890a063366da0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=4, length=136
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020400061900
	State = 0x7563bf7e7667a6491fd890a063366da0
	Message-Authenticator = 0x8e3735680df6daec47a50279795ae18c
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 4 to 10.219.195.1 port 37538
	EAP-Message = 0x0105002b190017030100208fda5e20590d922d9602dbd0e299d5e1ef0027e5d663ef326913f07d313c790d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7166a6491fd890a063366da0
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=5, length=226
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0205006019001703010020f3832f06ae8629d40538b61ce86c6b65a6801b4d6c40550d32837dc2aa108b2a1703010030c5e43a0106ae6b61e4d3277abb002bc86b7c0ebffba9c48199aecddad8885ad112753e1d114e2dd391572ace81722539
	State = 0x7563bf7e7166a6491fd890a063366da0
	Message-Authenticator = 0xf1cf3918a83a26b7efae51172bf43dfb
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser1
[peap] Got inner identity 'testuser1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0205000e01746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x0205000e01746573747573657231
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
[peap] Got tunneled reply code 11
	EAP-Message = 0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 5 to 10.219.195.1 port 37538
	EAP-Message = 0x0106004b19001703010040a5594e26652fc133151ca57e9cbc052085294fc31795e67abdaf52d8b88e62fedbdb73905c7faa45de2062d5a9bdaf4291ee698b57b07f39609cac5d0cc44452
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7065a6491fd890a063366da0
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=6, length=274
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x02060090190017030100206028167c17fb23fa70e50cb5672a1971e68abea603c5020ef8b19b08e5620ac317030100607afabbdd1caff01b58f4e307fbef41481f55ab7b4137d9f1807bd84a8ee609d235885d2c995004bd6bcaa467679d50c7e8706c383c326ae5cb6f573a651e2279568a55493eb3712e15b84ef90de1b0402743a46cc92a0b09bdaee4d5858a1bab
	State = 0x7563bf7e7065a6491fd890a063366da0
	Message-Authenticator = 0x82a114c11feb9e1259540ea7e6bab80e
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
	State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme
[mschapv2] +group MS-CHAP {
[otpme_ntlm] Creating challenge hash with username: testuser1
[otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need NT-Password
[otpme_ntlm] 	expand: %{Stripped-User-Name} ->
[otpme_ntlm] 	... expanding second conditional
[otpme_ntlm] 	expand: %{User-Name} -> testuser1
[otpme_ntlm] 	expand: %{%{User-Name}:-None} -> testuser1
[otpme_ntlm] 	expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> testuser1
[otpme_ntlm] Creating challenge hash with username: testuser1
[otpme_ntlm] 	expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500
[otpme_ntlm] 	expand: %{%{otpme_ntlm:Challenge}:-00} -> a9696cdff7c89500
[otpme_ntlm] 	expand: %{otpme_ntlm:NT-Response} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71
[otpme_ntlm] 	expand: %{%{otpme_ntlm:NT-Response}:-00} -> b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71
[otpme_ntlm] 	expand: %{NAS-Identifier} ->
[otpme_ntlm] 	expand: %{Client-IP-Address} -> 10.219.195.1
Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
[otpme_ntlm] Exec: program returned: 0
[otpme_ntlm] adding MS-CHAPv2 MPPE keys
++[otpme_ntlm] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group EAP = handled
} # server otpme
[peap] Got tunneled reply code 11
	EAP-Message = 0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbfdadb2bbeddc100d33b37b4334ad1a9
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbfdadb2bbeddc100d33b37b4334ad1a9
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 6 to 10.219.195.1 port 37538
	EAP-Message = 0x0107005b19001703010050b81a606209effd7af621dd30534a25262dcd73b33bb75ecbe99f623722ea4b19c97b5d573dacc032fdecdff2a035a96501daa76d8e60c8e05c1dbabc576156be1695acabc01aaad9a50ab7fe1e403163
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e7364a6491fd890a063366da0
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=7, length=210
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 
0x0207005019001703010020f1da00695d99bd592351f25e17e5cfc05b9d96fd110091997c4647c88e90256b1703010020d1fead54c4bf7c06d67f3146e1d450280bcbf7d5338190f43d98fb6171704322
	State = 0x7563bf7e7364a6491fd890a063366da0
	Message-Authenticator = 0xcdce9a9c5e9d1cf664f2543ff31f4e90
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020700061a03
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x020700061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
	State = 0xbfdadb2bbeddc100d33b37b4334ad1a9
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group EAP = ok
Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01 via TLS tunnel)
   WARNING: Empty post-auth section.  Using default return values.
} # server otpme
[peap] Got tunneled reply code 2
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006
	MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8
	MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29
	EAP-Message = 0x03070004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "testuser1"
[peap] Got tunneled reply RADIUS code 2
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006
	MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8
	MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29
	EAP-Message = 0x03070004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "testuser1"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 7 to 10.219.195.1 port 37538
	EAP-Message = 
0x0108003b19001703010030fdf7d5232e0e4e9a4e84310efa211c13c6c91e2e1fd52ff7b32d4a553db3776149177d11c40a5775df92fece70c5b47f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7563bf7e726ba6491fd890a063366da0
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=8, length=226
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 
0x020800601900170301002064fbbb5b85581cd88640e2d2cef6a2b4c933da3a036f165687094fd61ff8796d170301003045dcae79cc3449aaf7a524e7d9f7c341e524501c8004254369db68458339dfd3e87789d08cfa71428f400639bdbdf7ba
	State = 0x7563bf7e726ba6491fd890a063366da0
	Message-Authenticator = 0x8ceeb6ced09ceff25ff156dbf5daef45
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 8 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
	User-Name = "testuser1"
[eap] Freeing handler
++[eap] = ok
+} # group EAP = ok
Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01)
} # server otpme
   WARNING: Empty post-auth section.  Using default return values.
Sending Access-Accept of id 8 to 10.219.195.1 port 37538
	User-Name = "testuser1"
	MS-MPPE-Recv-Key = 
0x08dd033d2e35356c3aad01d0345683f412dcca316db9625ec07bdb697635d1e4
	MS-MPPE-Send-Key = 
0xcf24fb6cf74db5618f535c557eca41e00f8ad8fb82ff506fd1a690b498a23dbd
	EAP-Message = 0x03080004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.

         authenticate {
                 Auth-Type EAP {
                         eap
                 }

                 Auth-Type MS-CHAP {
                         update request {
                                Tmp-Octets-0 := "%{mschap:Challenge}"
                                Tmp-Octets-1 := "%{mschap:NT-Response}"
                         }
                         otpme_mod
                 }

         }

         authorize {
                 eap

                 update request {
                        Tmp-Octets-0 := "%{mschap:Challenge}"
                        Tmp-Octets-1 := "%{mschap:NT-Response}"
                 }


                 }
         }


radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on Jan 18 2015 at 12:00:30
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/otpme
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/script
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/otpme
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var/lib"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
  log {
  	stripped_names = no
  	auth = yes
  	auth_badpass = no
  	auth_goodpass = no
  }
  security {
  	max_attributes = 200
  	reject_delay = 1
  	status_server = no
  	allow_vulnerable_openssl = no
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
  	retry_delay = 5
  	retry_count = 3
  	default_fallback = no
  	dead_time = 120
  	wake_all_if_all_dead = no
  }
  home_server localhost {
  	ipaddr = 127.0.0.1
  	port = 1812
  	type = "auth"
  	secret = "testing123"
  	response_window = 20
  	max_outstanding = 65536
  	require_message_authenticator = yes
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_interval = 30
  	num_answers_to_alive = 3
  	num_pings_to_alive = 3
  	revive_interval = 120
  	status_check_timeout = 4
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
  }
  realm example.com {
	auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
radiusd: #### Loading Clients ####
  client localhost {
  	ipaddr = 127.0.0.1
  	require_message_authenticator = no
  	secret = "test123"
  	nastype = "other"
  }
radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /etc/raddb/modules/exec
   exec {
   	wait = no
   	input_pairs = "request"
   	shell_escape = yes
   	timeout = 10
   }
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /etc/raddb/modules/expr
  Module: Linked to module rlm_expiration
  Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
   expiration {
   	reply-message = "Password Has Expired  "
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
   logintime {
   	reply-message = "You are calling outside your allowed timespan  "
   	minimum-timeout = 60
   }
  }
radiusd: #### Loading Virtual Servers ####
server { # from file T:N·?
  modules {
  } # modules
} # server
server otpme { # from file /etc/raddb/sites-enabled/otpme
  modules {
   Module: Creating Auth-Type = OTPme
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_eap
  Module: Instantiating module "eap" from file /etc/raddb/eap.conf
   eap {
   	default_eap_type = "peap"
   	timer_expire = 60
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   	max_sessions = 1024
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
    	challenge = "Password: "
    	auth_type = "PAP"
    }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
    tls {
    	rsa_key_exchange = no
    	dh_key_exchange = yes
    	rsa_key_length = 512
    	dh_key_length = 512
    	verify_depth = 0
    	CA_path = "/etc/raddb/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/raddb/certs/server.pem"
    	certificate_file = "/etc/raddb/certs/server.pem"
    	private_key_password = "whatever"
    	dh_file = "/etc/raddb/certs/dh"
    	fragment_size = 1024
    	include_length = yes
    	check_crl = no
    	cipher_list = "DEFAULT"
    	make_cert_command = "/etc/raddb/certs/bootstrap"
    	virtual_server = "otpme"
    	ecdh_curve = "prime256v1"
     cache {
     	enable = no
     	lifetime = 24
     	max_entries = 255
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
    ttls {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = no
    	virtual_server = "otpme"
    	include_length = yes
    }
  Module: Linked to sub-module rlm_eap_peap
  Module: Instantiating eap-peap
    peap {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "otpme"
    	soh = no
    }
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
  Module: Linked to module rlm_python
  Module: Instantiating module "otpme_mod" from file /etc/raddb/modules/otpme
python_init done
   python otpme_mod {
   	mod_instantiate = "otpme"
   	func_instantiate = "instantiate"
   	mod_authenticate = "otpme"
   	func_authenticate = "authenticate"
   	mod_detach = "otpme"
   	func_detach = "detach"
   }
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_mschap
  Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
   mschap {
   	use_mppe = yes
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = no
   	allow_retry = yes
   }
  } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
   	type = "auth"
   	ipaddr = 10.219.195.1
   	port = 1812
   client 10.219.195.1 {
   	require_message_authenticator = no
   	secret = "123"
   	shortname = "host1"
   }
}
Listening on authentication address 10.219.195.1 port 1812 as server otpme
Ready to process requests.
otpme.py: OTPme config verfied successful.
otpme.py: Instantiated OTPme module.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=0, length=126
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0200000e01746573747573657231
	Message-Authenticator = 0xcf54d7ba4a3e53ec15ab9662706461f1
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 0 to 10.219.195.1 port 33824
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=1, length=352
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 
0x020100de190016030100d3010000cf03016dd1fdb03ffdd213827520ea5f7c184dde487465683f7196aa5cbe666e837e3000005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
	State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0x3263975944a89f7d15c2cdcfcea94db5
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 1 length 222
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 03b0], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 1 to 10.219.195.1 port 33824
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=2, length=136
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020200061900
	State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0xd493ce90415969edf6127c50518c4732
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 2 to 10.219.195.1 port 33824
	EAP-Message = 
0x5ae3f1212861427e208fc889607a04e9be505a4bebf43d98c1cdaf81f37d55d5e3af85e9dc6f5a62e947d766721825ad29b442a69f905c9c3e0eade42647199419879001f2ddb7e69a7dda56655e77a3ad2f1e37be2e84e64ff43616030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=3, length=270
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 
0x0203008c190016030100461000004241042b60cdd4c6bdeb200c77d3d537f674a5631b755a80b7982bf733ce33320ca0407225180646fa6f0093ad6a5105188aceb1863f63f3c136aeef6c368e1502d95314030100010116030100301d71fea144c432c55f558ba0b49ff5aac18fdd3009aac62e72f7eb39968e8d48f96f2995dbe2c5710ad2f69464f980c2
	State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0x237e70a50554e023763eb64c066aec55
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 3 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 3 to 10.219.195.1 port 33824
	EAP-Message = 
0x01040041190014030100010116030100308c4cd23b129b4d6b112e48ee7cb711c51f995451c68db430c60ca062db367ee570205bff7eb8aafdd934683d574fcea4
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=4, length=136
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020400061900
	State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0x69e82b0f4e465e073eae3a268b674f06
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 4 to 10.219.195.1 port 33824
	EAP-Message = 
0x0105002b1900170301002082cd7593171297731f9bb967c298eede87b931f7d0196983be108cd4531492cc
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=5, length=226
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 
0x0205006019001703010020f274ddb4f22667dabece5f95d79dc8c045a661d70905a752d35466f03c2370da1703010030ac36bcde5cf6e84853efb3151ae374c0aa7ee14e9c8006e827780b890ba08a2dea53d647d1d7cc2e3566a9ec976b9510
	State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0x03569fa4ad0362141f844f4a5996a0ad
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser1
[peap] Got inner identity 'testuser1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0205000e01746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x0205000e01746573747573657231
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
[peap] Got tunneled reply code 11
	EAP-Message = 
0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xef3dc50aef3bdf904f03abafc54a8a4c
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 
0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xef3dc50aef3bdf904f03abafc54a8a4c
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 5 to 10.219.195.1 port 33824
	EAP-Message = 
0x0106004b190017030100406aa431b9b62079ba567d85b917f35ae0772924c9078e8f667416ecd10508d012726fe8dc02954fbadd6cd4765eb4f330a844677a7b942260db20f71f09470a41
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=6, length=274
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 
0x02060090190017030100207a5f44949cd792d5be3b6de4a1138d8079d27c4ca89126a4d8e3fd3aaac5935e1703010060e4da27ea84d607fdb3157877e788ac0d83626bd5395d96a07e5e15657af37466f3b9924c963a823c3582b10a9e78f6a82412aeda1ee37e0fdce65d394e687036c68abf7502a489efa24de7049e236a6b4fc5f15756d873deab341407af3a1af2
	State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0xdda1b35918197604282ed1da107008e8
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
	EAP-Message = 0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "testuser1"
	State = 0xef3dc50aef3bdf904f03abafc54a8a4c
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme
[mschapv2] +group MS-CHAP {
[mschapv2] ++update request {
[mschapv2] Creating challenge hash with username: testuser1
[mschapv2] 	expand: %{mschap:Challenge} -> 7b0455c972d1cf5a
[mschapv2] 	expand: %{mschap:NT-Response} -> 29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be
[mschapv2] ++} # update request = noop
otpme.py: (('EAP-Message', '0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response', '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x37623034353563393732643163663561'), ('Tmp-Octets-1', '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265'))
++[otpme_mod] = fail
+} # group MS-CHAP = fail
[eap] Freeing handler
++[eap] = reject
+} # group EAP = reject
Failed to authenticate the user.
Login incorrect: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01 via TLS tunnel)
} # server otpme
[peap] Got tunneled reply code 3
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 6 to 10.219.195.1 port 33824
	EAP-Message = 0x0107003b19001703010030bafab3f8b086bdb25e11ee4102f959f8a15afe60af25cb7ea51226f50fc22739f1360c3ae4f23b9c3bd64220403469b2
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=7, length=226
	User-Name = "testuser1"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x02070060190017030100201475fdf487cb7c5cdbc28275c523942e9478b881702b3715bf41f14e37fd571517030100309264cd7daa17a72f42129836e9fa9d36b3fc98994441970908d89a5fce9831c0cc84703d6d6a4c5d027561bd9da36fe7
	State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f
	Message-Authenticator = 0xa10e2442d21c4201b6110b4f3f0e9ef5
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group EAP = invalid
Failed to authenticate the user.
Login incorrect: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01)
} # server otpme
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 7 to 10.219.195.1 port 33824
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
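As an added example (not code from the original post, from otpme.py or from FreeRADIUS), here is how the authData tuple logged above can be decoded inside an rlm_python authenticate(): Tmp-Octets-0 and Tmp-Octets-1 carry the %{mschap:Challenge} and %{mschap:NT-Response} xlat output hex-encoded twice, and the challenge hash can be recomputed per RFC 2759 from MS-CHAP-Challenge, the peer challenge inside MS-CHAP2-Response and the user name to confirm that the values in the tuple agree. The AUTH_DATA sample is constructed from the debug output above and the helper names are my own; checking the NT-Response itself additionally needs the DES-based ChallengeResponse() from RFC 2759 against the user's NT hash, which is not shown here.

```python
import hashlib

# Constructed from the rlm_python authData tuple logged by otpme.py above;
# only the attributes the check below needs are repeated here.
AUTH_DATA = (
    ('User-Name', '"testuser1"'),
    ('MS-CHAP-Challenge', '0x9718a01768fd75c1209b1c257a4fd2be'),
    ('MS-CHAP2-Response', '0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'),
    ('Tmp-Octets-0', '0x37623034353563393732643163663561'),
    ('Tmp-Octets-1', '0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265'),
)

def attr(auth_data, name):
    """Value rlm_python passed for one attribute (first occurrence)."""
    return next(v for k, v in auth_data if k == name)

def octets(value):
    """Decode a '0x..' octet string as rlm_python formats it."""
    return bytes.fromhex(value[2:])

def xlat_octets(value):
    """'Tmp-Octets-N := "%{mschap:...}"' stores the xlat's hex *text*, so the
    attribute arrives hex-encoded twice; undo both layers."""
    return bytes.fromhex(octets(value).decode('ascii'))

def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 8.2 ChallengeHash(): SHA1(Peer || Authenticator || Name)[:8]."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def mschapv2_parts(auth_data):
    """Split MS-CHAP2-Response into ident(1) flags(1) peer-challenge(16)
    reserved(8) NT-Response(24); strip the quotes rlm_python adds to strings."""
    resp = octets(attr(auth_data, 'MS-CHAP2-Response'))
    return {'username': attr(auth_data, 'User-Name').strip('"').encode(),
            'auth_challenge': octets(attr(auth_data, 'MS-CHAP-Challenge')),
            'peer_challenge': resp[2:18], 'nt_response': resp[26:50]}

def check_xlat_values(auth_data):
    """True when Tmp-Octets-0 equals the recomputed challenge hash and
    Tmp-Octets-1 equals the NT-Response carried in MS-CHAP2-Response."""
    p = mschapv2_parts(auth_data)
    expected = challenge_hash(p['peer_challenge'], p['auth_challenge'], p['username'])
    return (xlat_octets(attr(auth_data, 'Tmp-Octets-0')) == expected and
            xlat_octets(attr(auth_data, 'Tmp-Octets-1')) == p['nt_response'])
```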


