eapol_test with TLS fails (nothing sent to freeradius)

freerad list.radius at tiri.li
Sun Jul 26 19:20:04 CEST 2015


Thank you, I fixed this connection issue.

radtest works:

# radtest testuser password 10.160.4.50:1812 0 testing123
Sending Access-Request of id 168 to 10.160.4.50 port 1812
        User-Name = "testuser"
        User-Password = "password"
        NAS-IP-Address = 10.160.4.5
        NAS-Port = 0
rad_recv: Access-Accept packet from host 10.160.4.50 port 1812, id=168,
length=20

and this works as well:

# ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u wlan_test -p test
-m IEEE8021X -e TTLS -2 MSCHAPV2 -v
access-accept; 0
RADIUS message: code=2 (Access-Accept) identifier=7 length=171
   Attribute 26 (Vendor-Specific) length=58
      Value: 00 00 01 37 11 34 87 08 07 b4 32 1c a0 90 3d d0 2f 33 20 e7 9b
ff 7b 57 e6 27 ca 60 5a ed 17 ad a4 bd 9d 36 dc 22 1b e6 e3 34 51 71 2d c0
18 dc 30 c1 a1 e4 30 2a 26 8d
   Attribute 26 (Vendor-Specific) length=58
      Value: 00 00 01 37 10 34 88 6f bb bb 92 9a ab 8e c1 4b ef 05 50 2e 09
b4 21 7f 42 40 50 26 a4 03 79 c9 fc cd d4 52 78 9b 95 22 13 8d 24 0f 42 8c
55 a8 c6 9f a2 66 cc 9e 7d 8f
   Attribute 79 (EAP-Message) length=6
      Value: 03 07 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: 1a 9e 14 93 ea 42 4c 5b 06 32 6e e2 18 93 b3 65
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'

But only with the client certs do I get another error:

# ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u wlan_test -p test
-m IEEE8021X -e TLS -2 MSCHAPV2 -v -j client.pem -k client.unenc.key -a
ca.pem
access-reject; 2

# bin/eapol_test -c rad_eap_test.txt -a10.160.4.50 -p1812 -stesting123 -t5
-M70:6f:6c:69:73:68
Reading configuration file 'rad_eap_test.txt'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=7):
     65 64 75 72 6f 61 6d                              eduroam
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00
00
ca_cert - hexdump_ascii(len=6):
     63 61 2e 70 65 6d                                 ca.pem
identity - hexdump_ascii(len=9):
     77 6c 61 6e 5f 74 65 73 74                        wlan_test
client_cert - hexdump_ascii(len=10):
     63 6c 69 65 6e 74 2e 70 65 6d                     client.pem
private_key - hexdump_ascii(len=16):
     63 6c 69 65 6e 74 2e 75 6e 65 6e 63 2e 6b 65 79   client.unenc.key
Priority group 0
   id=0 ssid='eduroam'
Authentication server 10.160.4.50:1812
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=9):
     77 6c 61 6e 5f 74 65 73 74                        wlan_test
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=14)
TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 77 6c 61 6e 5f 74 65 73
74
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=9): 77 6c 61 6e
5f 74 65 73 74
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=126
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=16
      Value: 02 00 00 0e 01 77 6c 61 6e 5f 74 65 73 74
   Attribute 80 (Message-Authenticator) length=18
      Value: 23 92 e7 04 cb 9c 9b 24 df 26 f8 36 ca 3f 63 d2
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 93 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=93
   Attribute 18 (?Unknown?) length=29
   Attribute 79 (EAP-Message) length=8
      Value: 01 01 00 06 19 20
   Attribute 80 (Message-Authenticator) length=18
      Value: 78 5c 04 dd fb c5 12 b0 60 fd d7 04 7b 13 1f 33
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 2b fc 9f 32 b9 81 fa ab 41 70 b1 d3
STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending
request, round trip time 0.01 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=6) from RADIUS server:
EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 25
EAP: vendor 0 method 25 not allowed
EAP: Building EAP-Nak (requested type 25 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 0d
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 0d
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=136
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 01 00 06 03 0d
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 2b fc 9f 32 b9 81 fa ab 41 70 b1 d3
   Attribute 80 (Message-Authenticator) length=18
      Value: bb 77 ac a8 bd 32 2b 71 88 0d 66 4e 0f 75 d4 9f
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 93 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=93
   Attribute 18 (?Unknown?) length=29
   Attribute 79 (EAP-Message) length=8
      Value: 01 02 00 06 0d 20
   Attribute 80 (Message-Authenticator) length=18
      Value: 4e a3 29 63 43 2c 68 cd 32 22 19 1f 90 03 21 7d
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 2a ff 8b 32 b9 81 fa ab 41 70 b1 d3
STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: Trusted root certificate(s) loaded
OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL
routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: SSL_use_certificate_file (PEM) --> OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed
error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
OpenSSL: pending error: error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding
routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL
routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 87 bytes pending from ssl_out
SSL: 87 bytes left to be sent out (of total 87 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=93)
TX EAP -> RADIUS - hexdump(len=93): 02 02 00 5d 0d 00 16 03 01 00 52 01 00
00 4e 03 01 55 b5 14 c7 26 b9 84 25 8a 51 da 5a 9d d2 e4 6f 03 01 5f ca 25
cf 72 e7 bf a7 a0 60 5c 99 6a 75 00 00 26 00 39 00 38 00 35 00 16 00 13 00
0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06
00 03 02 01 00
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=2 length=223
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=95
      Value: 02 02 00 5d 0d 00 16 03 01 00 52 01 00 00 4e 03 01 55 b5 14 c7
26 b9 84 25 8a 51 da 5a 9d d2 e4 6f 03 01 5f ca 25 cf 72 e7 bf a7 a0 60 5c
99 6a 75 00 00 26 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00
05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 02 01 00
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 2a ff 8b 32 b9 81 fa ab 41 70 b1 d3
   Attribute 80 (Message-Authenticator) length=18
      Value: 3c 66 64 f9 40 5a 2b fd f2 58 9c c5 22 04 79 d0
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 1119 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=2 length=1119
   Attribute 18 (?Unknown?) length=29
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=14
      Value: 30 0d 06 09 2a 86 48 86 f7 0d 01 01
   Attribute 80 (Message-Authenticator) length=18
      Value: 84 f7 52 cf 49 0c d3 ea 05 8f 1b c1 22 4d e9 f7
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 29 fe 8b 32 b9 81 fa ab 41 70 b1 d3
STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=3 len=1024) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=3 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1024) - Flags 0xc0
SSL: TLS Message Length: 2791
SSL: Need 1777 bytes more input data
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 03 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=3 length=136
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 03 00 06 0d 00
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 29 fe 8b 32 b9 81 fa ab 41 70 b1 d3
   Attribute 80 (Message-Authenticator) length=18
      Value: 92 f5 ba e4 8e ce aa 5c 2c e7 31 86 45 02 bd ac
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 1119 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=3 length=1119
   Attribute 18 (?Unknown?) length=29
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=14
      Value: ef 98 a0 f8 74 f8 58 79 d1 44 1d b5
   Attribute 80 (Message-Authenticator) length=18
      Value: e7 45 fa 5e a1 d9 fc a9 4e ee 5e ad d4 4b 64 dd
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 28 f9 8b 32 b9 81 fa ab 41 70 b1 d3
STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=4 len=1024) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=4 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1024) - Flags 0xc0
SSL: TLS Message Length: 2791
SSL: Need 763 bytes more input data
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 04 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=4 length=136
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=8
      Value: 02 04 00 06 0d 00
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 28 f9 8b 32 b9 81 fa ab 41 70 b1 d3
   Attribute 80 (Message-Authenticator) length=18
      Value: 25 11 bc dc 14 92 5a a0 90 1a 46 fd 90 e0 4e 9a
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 866 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=4 length=866
   Attribute 18 (?Unknown?) length=29
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=255
   Attribute 79 (EAP-Message) length=16
      Value: 03 13 07 74 69 72 69 20 43 41 0e 00 00 00
   Attribute 80 (Message-Authenticator) length=18
      Value: a8 b7 03 ec fd 3e b3 d7 8a e7 6d dd ff ce 69 77
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 2f f8 8b 32 b9 81 fa ab 41 70 b1 d3
STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=5 len=773) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=5 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=773) - Flags 0x80
SSL: TLS Message Length: 2791
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 7 (certificate signature
failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri
GmbH/emailAddress=ca at hotspot.tiri.li/CN=tiri CA'
SSL: (where=0x4008 ret=0x233)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest algorithm
OpenSSL: pending error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=13)
TX EAP -> RADIUS - hexdump(len=13): 02 05 00 0d 0d 00 15 03 01 00 02 02 33
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=5 length=143
   Attribute 1 (User-Name) length=11
      Value: 'wlan_test'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=15
      Value: 02 05 00 0d 0d 00 15 03 01 00 02 02 33
   Attribute 24 (State) length=18
      Value: 2b fd 86 79 2f f8 8b 32 b9 81 fa ab 41 70 b1 d3
   Attribute 80 (Message-Authenticator) length=18
      Value: 13 6e 38 a0 3a 44 e6 de 86 bf 1e c4 59 07 00 dc
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 73 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=5 length=73
   Attribute 18 (?Unknown?) length=29
   Attribute 79 (EAP-Message) length=6
      Value: 04 05 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: 29 77 d1 81 e8 60 08 eb 22 84 e3 cf bc 48 94 d7
STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending
request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

(see log09.txt)

But there is still something missing.
How is the password for user "wlan_test" being transmitted?

Best regards,
Thomas.
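
Added example, not part of the original post: a small Python decoder for the EAP packets that eapol_test hex-dumps in the log above. It makes the Nak from PEAP (25) to TLS (13), the fragmented server flight and the final TLS alert readable. The fragment payloads are zero-filled stand-ins built from the logged id, length, flags and TLS Message Length, and the function names are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # EAP-TLS flags byte (RFC 5216)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {40: "handshake_failure", 42: "bad_certificate",
               48: "unknown_ca", 51: "decrypt_error"}


def _decode_tls_body(data):
    """Decode the part of an EAP-TLS/TTLS/PEAP packet that follows the type byte."""
    if not data:
        raise ValueError("TLS-based EAP packet without a flags byte")
    flags, rest = data[0], data[1:]
    body = {"start": bool(flags & FLAG_S),
            "more_fragments": bool(flags & FLAG_M)}
    if flags & FLAG_L:
        if len(rest) < 4:
            raise ValueError("L flag set but TLS Message Length is missing")
        body["tls_message_length"] = struct.unpack("!I", rest[:4])[0]
        rest = rest[4:]
    body["fragment_bytes"] = len(rest)
    # An empty body without the Start flag is a fragment ACK.
    body["ack"] = (not rest) and not (flags & FLAG_S)
    # A lone 7-byte record with content type 0x15 and length 2 is a TLS alert.
    if len(rest) == 7 and rest[0] == 0x15 and rest[3:5] == b"\x00\x02":
        body["alert"] = (ALERT_LEVELS.get(rest[5], rest[5]),
                         ALERT_DESCS.get(rest[6], rest[6]))
    return body


def decode_eap(packet):
    """Decode one EAP packet given as bytes or as an eapol_test style hex string."""
    if isinstance(packet, str):
        packet = bytes.fromhex(packet)
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != {len(packet)} bytes supplied")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return out                      # Success and Failure carry no type field
    etype, data = packet[4], packet[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:
        out["wanted"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype in (13, 21, 25):
        out.update(_decode_tls_body(data))
    return out


def fragment(header_hex):
    """Build a full-size fragment from its header; the payload is zero-filled (constructed)."""
    header = bytes.fromhex(header_hex)
    length = struct.unpack("!H", header[2:4])[0]
    return header + bytes(length - len(header))


def remaining_after_each(packets):
    """Return the number of TLS bytes still outstanding after each fragment."""
    total, received, remaining = None, 0, []
    for pkt in packets:
        eap = decode_eap(pkt)
        if total is None:
            total = eap.get("tls_message_length")
            if total is None:
                raise ValueError("first fragment does not carry a TLS Message Length")
        received += eap["fragment_bytes"]
        remaining.append(total - received)
        if not eap["more_fragments"]:
            break
    return remaining


# Server flight from the log: ids 3-5, lengths 1024/1024/773, flags c0/c0/80,
# TLS Message Length 0x0ae7 = 2791. Payload bytes are constructed zeros.
SERVER_FLIGHT = [fragment("01 03 04 00 0d c0 00 00 0a e7"),
                 fragment("01 04 04 00 0d c0 00 00 0a e7"),
                 fragment("01 05 03 05 0d 80 00 00 0a e7")]

# Short packets copied from the log, in the order they were exchanged.
LOGGED = ["02 00 00 0e 01 77 6c 61 6e 5f 74 65 73 74",   # Response/Identity
          "01 01 00 06 19 20",                           # server offers PEAP
          "02 01 00 06 03 0d",                           # client Naks, wants TLS
          "01 02 00 06 0d 20",                           # EAP-TLS Start
          "02 03 00 06 0d 00",                           # fragment ACK
          "02 05 00 0d 0d 00 15 03 01 00 02 02 33",      # TLS alert from client
          "04 05 00 04"]                                 # EAP-Failure

if __name__ == "__main__":
    for line in LOGGED:
        print(decode_eap(line))
    print("outstanding after each fragment:", remaining_after_each(SERVER_FLIGHT))
```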
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
	user = "freerad"
	group = "freerad"
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	require_message_authenticator = yes
	zombie_period = 40
	status_check = "status-server"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
  coa {
	irt = 2
	mrt = 16
	mrc = 5
	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "WLAN4zyxel"
	nastype = "other"
 }
 client 10.160.199.11 {
	require_message_authenticator = no
	secret = "WLAN4zyxel"
 }
 client 10.160.4.5 {
	require_message_authenticator = no
	secret = "testing123"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
	wait = no
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
 modules {
  Module: Creating Auth-Type = Perl
  Module: Creating Auth-Type = digest
  Module: Creating Post-Auth-Type = Perl
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating module "perl" from file /etc/freeradius/modules/perl
  perl {
	module = "/etc/freeradius/tiri_rlm_perl.pl"
	func_authorize = "authorize"
	func_authenticate = "authenticate"
	func_accounting = "accounting"
	func_preacct = "preacct"
	func_checksimul = "checksimul"
	func_detach = "detach"
	func_xlat = "xlat"
	func_pre_proxy = "pre_proxy"
	func_post_proxy = "post_proxy"
	func_post_auth = "post_auth"
	func_recv_coa = "recv_coa"
	func_send_coa = "send_coa"
  }
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
  pap {
	encryption_scheme = "auto"
	auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-SWBT} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	allow_retry = yes
  }
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
	default_eap_type = "peap"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	CA_path = "/etc/freeradius/certs"
	pem_file_type = yes
	private_key_file = "/etc/freeradius/certs/server.key"
	certificate_file = "/etc/freeradius/certs/server.pem"
	CA_file = "/etc/freeradius/certs/ca.pem"
	private_key_password = "WLAN4hotspot"
	dh_file = "/etc/freeradius/certs/dh"
	random_file = "/dev/urandom"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/freeradius/certs/bootstrap"
	ecdh_curve = "prime256v1"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
    verify {
	tmpdir = "/tmp/freeradius"
	client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}"
    }
    ocsp {
	enable = no
	override_cert_url = yes
	url = "http://127.0.0.1/ocsp/"
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = yes
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = yes
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
	send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
	huntgroups = "/etc/freeradius/huntgroups"
	hints = "/etc/freeradius/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
  detail auth_log {
	detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
	usersfile = "/etc/freeradius/users"
	acctusersfile = "/etc/freeradius/acct_users"
	preproxy_usersfile = "/etc/freeradius/preproxy_users"
	compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
  detail {
	detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
	filename = "/var/log/freeradius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/freeradius/attrs.accounting_response"
	key = "%{User-Name}"
	relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/freeradius/attrs.access_reject"
	key = "%{User-Name}"
	relaxed = no
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
  Module: Creating Post-Proxy-Type = Fail
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
 ... adding new socket proxy address * port 39991
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.160.4.5 port 11306, id=0, length=126
	User-Name = "wlan_test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0200000e01776c616e5f74657374
	Message-Authenticator = 0x2392e704cb9c9b24df26f836ca3f63d2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] 	expand: %t -> Sun Jul 26 19:12:28 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Message = 0x0200000e01776c616e5f74657374
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x2392e704cb9c9b24df26f836ca3f63d2
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: EAP-Type = Identity
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Message = 0x0200000e01776c616e5f74657374
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0x2392e704cb9c9b24df26f836ca3f63d2
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.160.4.5 port 11306
	Reply-Message = "rlm_perl authorize function"
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2bfd86792bfc9f32b981faab4170b1d3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 11306, id=1, length=136
	User-Name = "wlan_test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x02010006030d
	State = 0x2bfd86792bfc9f32b981faab4170b1d3
	Message-Authenticator = 0xbb77aca8bd322b71880d664e0f75d49f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] 	expand: %t -> Sun Jul 26 19:12:28 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Message = 0x02010006030d
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xbb77aca8bd322b71880d664e0f75d49f
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: EAP-Type = NAK
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x2bfd86792bfc9f32b981faab4170b1d3
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Message = 0x02010006030d
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0xbb77aca8bd322b71880d664e0f75d49f
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x2bfd86792bfc9f32b981faab4170b1d3
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.160.4.5 port 11306
	Reply-Message = "rlm_perl authorize function"
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2bfd86792aff8b32b981faab4170b1d3
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 11306, id=2, length=223
	User-Name = "wlan_test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0202005d0d0016030100520100004e030155b514c726b984258a51da5a9dd2e46f03015fca25cf72e7bfa7a0605c996a7500002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
	State = 0x2bfd86792aff8b32b981faab4170b1d3
	Message-Authenticator = 0x3c6664f9405a2bfdf2589cc5220479d0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] 	expand: %t -> Sun Jul 26 19:12:28 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 93
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Message = 0x0202005d0d0016030100520100004e030155b514c726b984258a51da5a9dd2e46f03015fca25cf72e7bfa7a0605c996a7500002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x3c6664f9405a2bfdf2589cc5220479d0
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: EAP-Type = EAP-TLS
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x2bfd86792aff8b32b981faab4170b1d3
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Message = 0x0202005d0d0016030100520100004e030155b514c726b984258a51da5a9dd2e46f03015fca25cf72e7bfa7a0605c996a7500002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0x3c6664f9405a2bfdf2589cc5220479d0
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x2bfd86792aff8b32b981faab4170b1d3
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7 
[tls] Done initial handshake
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0052], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 080a], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020c], ServerKeyExchange  
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 0093], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.160.4.5 port 11306
	Reply-Message = "rlm_perl authorize function"
	EAP-Message = 0x300d06092a864886f70d0101
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2bfd867929fe8b32b981faab4170b1d3
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 11306, id=3, length=136
	User-Name = "wlan_test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020300060d00
	State = 0x2bfd867929fe8b32b981faab4170b1d3
	Message-Authenticator = 0x92f5bae48eceaa5c2ce731864502bdac
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] 	expand: %t -> Sun Jul 26 19:12:28 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Message = 0x020300060d00
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x92f5bae48eceaa5c2ce731864502bdac
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: EAP-Type = EAP-TLS
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x2bfd867929fe8b32b981faab4170b1d3
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Message = 0x020300060d00
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0x92f5bae48eceaa5c2ce731864502bdac
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x2bfd867929fe8b32b981faab4170b1d3
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.160.4.5 port 11306
	Reply-Message = "rlm_perl authorize function"
	EAP-Message = 0xef98a0f874f85879d1441db5
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2bfd867928f98b32b981faab4170b1d3
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 11306, id=4, length=136
	User-Name = "wlan_test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020400060d00
	State = 0x2bfd867928f98b32b981faab4170b1d3
	Message-Authenticator = 0x2511bcdc14925aa0901a46fd90e04e9a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] 	expand: %t -> Sun Jul 26 19:12:28 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Message = 0x020400060d00
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x2511bcdc14925aa0901a46fd90e04e9a
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: EAP-Type = EAP-TLS
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x2bfd867928f98b32b981faab4170b1d3
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Message = 0x020400060d00
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0x2511bcdc14925aa0901a46fd90e04e9a
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x2bfd867928f98b32b981faab4170b1d3
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.160.4.5 port 11306
	Reply-Message = "rlm_perl authorize function"
	EAP-Message = 0x82218b6712398f2f366d00b564561b774ed8db6297e2bc67a4854c4b5e5d3273b94d32dd16984ee8d06d22490b4248babd32aa3c049812ad0042b4081e3f2918f6b251f9de44565aae5fa90baef72bf84a26c42e602cce12b8893a6bf661a5e5ac9a47cc1c2ade6c4484e143cb770100b92c1329818d9a92a1f5be9ebd67a9de7a915dbf625a718e1bee20ddd499d77d504f751f6dfc46a8981451d9cd7cc4761f6908a13a70fcf21f1d571c0124fd68a44a02b0c223057d8c88b24a25afce191a91f3e0c38356c627bdc2a3fa803db3b6b606cd7868f1ff5ebedbae55f96d422a3fc2c5545e6fdaca81ed942109da75f148ba914f035771d0b63f0fcf
	EAP-Message = 0x0931b453007fa570e84dc5da0f9eeb435ee23c4720b7adfecaed75e70ea6bd4f4413180907172bd30162cac3b73152f3ae22bee11200adf5c16bfb8d7c2676779ebd13bbeefba870393cd8005442c2c8d766bbb5d4797e0f6291717cdbc19ff159fa1a7a0b4e423998afa3855f9a8e2875d3a416030100930d00008b05030401024000830081307f310b30090603550406130244453110300e0603550408130748616d62757267311530130603550407130c5363687761727a656e62656b31123010060355040a13097469726920476d62483121301f06092a864886f70d0109011612636140686f7473706f742e746972692e6c693110300e06035504
	EAP-Message = 0x031307746972692043410e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2bfd86792ff88b32b981faab4170b1d3
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 11306, id=5, length=143
	User-Name = "wlan_test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0205000d0d0015030100020233
	State = 0x2bfd86792ff88b32b981faab4170b1d3
	Message-Authenticator = 0x136e38a03a44e6de86bf1ec4590700dc
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] 	expand: %t -> Sun Jul 26 19:12:28 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Message = 0x0205000d0d0015030100020233
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x136e38a03a44e6de86bf1ec4590700dc
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: EAP-Type = EAP-TLS
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x2bfd86792ff88b32b981faab4170b1d3
rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Message = 0x0205000d0d0015030100020233
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Message-Authenticator = 0x136e38a03a44e6de86bf1ec4590700dc
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x2bfd86792ff88b32b981faab4170b1d3
rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7 
[tls] Done initial handshake
[tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error  
TLS Alert read:fatal:decrypt error
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> wlan_test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 5 to 10.160.4.5 port 11306
	Reply-Message = "rlm_perl authorize function"
	EAP-Message = 0x04050004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Cleaning up request 1 ID 1 with timestamp +5
Cleaning up request 2 ID 2 with timestamp +5
Cleaning up request 3 ID 3 with timestamp +5
Cleaning up request 4 ID 4 with timestamp +5
Waking up in 1.0 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.
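
The two short EAP-Message values in the log above can be decoded by hand to see which side raised the alert. The following is an added example, not part of the original post and not FreeRADIUS code; decode_eap_message is a hypothetical helper name, and it assumes a single unfragmented EAP-TLS message such as the two used here.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Subset of the TLS alert descriptions (RFC 5246, section 7.2).
ALERT_DESC = {20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca",
              50: "decode_error", 51: "decrypt_error"}


def decode_eap_message(hex_value):
    """Decode one complete EAP-Message value (hex string, optional 0x)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Long packets are split over several EAP-Message attributes;
        # concatenate them in order before calling this function.
        raise ValueError("EAP length %d != %d bytes given" % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:                  # Success/Failure carry no Type field
        return out
    out["type"] = raw[4]
    if raw[4] != 13 or length < 6:   # 13 = EAP-TLS (RFC 5216)
        return out
    flags = raw[5]
    # L flag (0x80): a 4-byte TLS message length follows the flags octet.
    pos = 10 if flags & 0x80 else 6
    out["records"] = []
    while pos + 5 <= len(raw):
        ctype, version, rlen = struct.unpack("!BHH", raw[pos:pos + 5])
        body = raw[pos + 5:pos + 5 + rlen]
        rec = {"content": TLS_CONTENT.get(ctype, ctype),
               "version": "0x%04x" % version}
        # A cleartext alert is exactly two octets: level, description.
        if ctype == 21 and len(body) == 2:
            rec["alert"] = (ALERT_LEVEL.get(body[0], body[0]),
                            ALERT_DESC.get(body[1], body[1]))
        out["records"].append(rec)
        pos += 5 + rlen
    return out


if __name__ == "__main__":
    print(decode_eap_message("0x0205000d0d0015030100020233"))  # request 5
    print(decode_eap_message("0x04050004"))                    # the reject
```

The first value is an EAP Response carried in the Access-Request, so the fatal decrypt_error alert was sent by the supplicant; the server's "TLS Alert read" line reports it rather than originating it.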