CUI not working with PEAP
Krause, Kilian
krause at tik.uni-stuttgart.de
Sat Mar 7 23:33:18 CET 2015
Hi,
Using the Debian wheezy-backports FreeRADIUS 2.2.5 version with the default config and just adding a local user gives me a valid CUI (adding CUI just in authorize for sites-enabled/default and post-auth/inner-tunnel, using the default policy.conf) with a correct reply in the outer tunnel. Changing the request to PEAP, however, doesn't yield a CUI at all.
Debug is as follows:
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 129.69.5.130 {
require_message_authenticator = no
secret = ...
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file £Ýç?
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key"
certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = ...
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Loading virtual module cui_authorize
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Loading virtual module cui_postauth
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 46437
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=0, length=116
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x2e831f87883573e120673176e349c655
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 129.69.5.130 port 50355
EAP-Message = 0x010100160410f78837ff9e55c8ab98d9e42bab671589
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30f2c1d9b347c7ccf2b2608d1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=1, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020100060319
State = 0x0f2d19e30f2c1d9b347c7ccf2b2608d1
Message-Authenticator = 0x38e3eb7dcafc3d7d6a39dc6fd8ffe5ea
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 129.69.5.130 port 50355
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30e2f009b347c7ccf2b2608d1
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=2, length=343
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020200df1980000000d516030100d0010000cc0301202d5c0a4582c1acc323588a1b7ae0c6535cb58ef150ce34b83eeec1ee5a6fb200005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
State = 0x0f2d19e30e2f009b347c7ccf2b2608d1
Message-Authenticator = 0x8b1028261e559aa78f0284321166af04
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 223
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 213
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 1523], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 129.69.5.130 port 50355
EAP-Message = 0x0103040019c0000017c4160301003e0200003a030154fb79c1e9674eb557038e64688e7684cf87dfba1f6970a06c8d229f76f11bf800c014000012ff01000100000b000403000102000f00010116030115230b00151f00151c00071a30820716308205fea003020102020718d81bbaa80aae300d06092a864886f70d01010b0500308194310b30090603550406130244453112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274312830260603550403131f556e6976657273697461657420537475747467617274204341202d204730313126302406092a864886f70d01
EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a
EAP-Message = 0x03010001a382026630820262
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30d2e009b347c7ccf2b2608d1
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=3, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020300061900
State = 0x0f2d19e30d2e009b347c7ccf2b2608d1
Message-Authenticator = 0xde0a02b59599394e6180743d793f8acb
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 129.69.5.130 port 50355
EAP-Message = 0x476c6f62616c202d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30c29009b347c7ccf2b2608d1
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=4, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020400061900
State = 0x0f2d19e30c29009b347c7ccf2b2608d1
Message-Authenticator = 0x3fed3380bdf089961004f7686fd7614b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 129.69.5.130 port 50355
EAP-Message = 0x864886f70d01010b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30b28009b347c7ccf2b2608d1
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=5, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020500061900
State = 0x0f2d19e30b28009b347c7ccf2b2608d1
Message-Authenticator = 0x59f590ded9d0e7ef154b49fd0304986e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 129.69.5.130 port 50355
EAP-Message = 0x4e2d504b49312430220603550403131b44464e2d56657265696e2050434120476c6f62616c202d2047303130820122300d06092a864886f70d01010105000382010f003082010a0282010100e99bc36785f90daef58d54c39650353d62e96e4ced94d7005b952274d420eb348fd6ecc031040b9981e2a614d252a02823848b7489045e5be0e278c178cb16cb2835397b2d9045d0eda0007a7cbf4a0e1b00c386e95c2b31117b0cf38224438c1c388b6a68009aeedc4f78abd2c6139b76adeede26e8ef01af740fc109a2f66bcebdd3cd14304ff5e5e3a4c8629b821a0327300d0265604dedd109232a96355827d376c671b6901dc4edff35867d6f33b3
EAP-Message = 0x822c010104030130
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30a2b009b347c7ccf2b2608d1
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=6, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020600061900
State = 0x0f2d19e30a2b009b347c7ccf2b2608d1
Message-Authenticator = 0x1a54ac252d668f7d538e7b6555b61a70
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 129.69.5.130 port 50355
EAP-Message = 0x010703fc19400f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e303e0603551d1f043730353033a031a02f862d687474703a2f2f706b69303333362e74656c657365632e64652f726c2f44545f524f4f545f43415f322e63726c307806082b06010505070101046c306a302c06082b060105050730018620687474703a2f2f6f637370303333362e74656c657365632e64652f6f63737072303a06082b06010505073002862e687474703a2f2f706b69303333362e74656c657365632e64652f6372742f44545f524f4f545f43415f322e636572300d06092a864886f70d01010b05000382010100632028fd9c218672be39
EAP-Message = 0x4659393225bca9019b0dccca7d419c866d0a6e2cb3135975b133921b612716ffc3b2d53582fb842a0149bd66bb662fb2c2065d6e3f6ee3015a5bca43635c95b6e131a71fd5075f4de665824e32f9c37c7a4bcd4d5c74ee21f27502ec523ed2c96ad390236e496735be7f4d56a4eccc2fcfb7a197a8723ec9bc40d65aa4083dd6bc82c3b7b7328eb12c8e6a6db7350219cff539445863a7240010b0bbfc4eaf6e2f38bba557493fd86e506f2c9796dc1d469a6589cfaeccf2e5d99f53b33ea12f92a9d80bc6841f04c6eb1ee89f7db57ba502f124c524631134cc5a93202a79883a254290a9653b7c86d312152329fc2cdacc395b54170003a33082039f
EAP-Message = 0xa3868a49ee53058f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e3092a009b347c7ccf2b2608d1
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=7, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020700061900
State = 0x0f2d19e3092a009b347c7ccf2b2608d1
Message-Authenticator = 0xe411b216f44884216f98ff81933162c1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 129.69.5.130 port 50355
EAP-Message = 0x030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30825009b347c7ccf2b2608d1
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=8, length=264
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020800901980000000861603010046100000424104a2cd2a9f4a021cb6e92f80290a54c6ecad35b4c5b5c6772758337ad984bcd00aef2daadf43bfb86cd065ba1b02174c0f0c56143aaeed365657919f367380706e14030100010116030100308694539e26113878b883f895257741161738149e6e369e48581ada4a8d7a92ebc1ca2a7ed829aa2cfb90c8148aa73c48
State = 0x0f2d19e30825009b347c7ccf2b2608d1
Message-Authenticator = 0x952f4074b413c1eb75ef0feab136135f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 129.69.5.130 port 50355
EAP-Message = 0x010900411900140301000101160301003034af026b166e872b5fe303e7203e2c348ace34dc6cbbe50264f1745e625011fc26954934a51195d432680193f003d7a9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30724009b347c7ccf2b2608d1
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=9, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020900061900
State = 0x0f2d19e30724009b347c7ccf2b2608d1
Message-Authenticator = 0x1b9f0c4b7d818951c0ed5941913a1a0a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 9 to 129.69.5.130 port 50355
EAP-Message = 0x010a002b190017030100209af10d28c429a73c78e3be5c68b925a2d74aa39f8b3a2b44b2336b0da1a4d62c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30627009b347c7ccf2b2608d1
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=10, length=200
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020a00501900170301002065f6bcc0a100bbce627903cca630123cb8579957b0977235caefd7f0f49d5c941703010020fdc7d7495f3813c254736b434aa291bd50ef7fab33de7797f27636db651f6169
State = 0x0f2d19e30627009b347c7ccf2b2608d1
Message-Authenticator = 0x39e21bdfb0b9d7c8a1853fed184f3998
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020a00090174657374
server {
[peap] Setting User-Name to test
Sending tunneled request
EAP-Message = 0x020a00090174657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 10 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010b001e1a010b001910fa9328be424d72285b6ac13a224bf4c374657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73ef44ad73e45ee6b34d60cb680fe623
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010b001e1a010b001910fa9328be424d72285b6ac13a224bf4c374657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73ef44ad73e45ee6b34d60cb680fe623
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 10 to 129.69.5.130 port 50355
EAP-Message = 0x010b003b190017030100308541d28e870b121d89635844c9c96a06e5866f4b58c3fd77808763fdee4e392c04b66f7b43bdfeec46c11ae41d04bef1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30526009b347c7ccf2b2608d1
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=11, length=248
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020b0080190017030100205b05db516f17b12bcb8ddebd93af9d53567c610c34b1e0b54f585c87a357eb911703010050f298cc24dc0994f57883b2911ca56bef4f188cc63eb0cfa9a4baacb2699c6bb7ef4e7ef12b803c0b29dd4747e448d9c9db397bdbb75430ba7ad5cc6700fe9dc7da89a49750314b6396fbf3ecf9cd1a88
State = 0x0f2d19e30526009b347c7ccf2b2608d1
Message-Authenticator = 0xd8cdd5cd1dda8de7df9eb7cb9c5d139a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 11 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020b003f1a020b003a31e9ffdcee4bbc78bc70f699c7b7d18a6a0000000000000000e1bfee3110af879278f74e833f924d04bbcf3e2b6abfaefa0074657374
server {
[peap] Setting User-Name to test
Sending tunneled request
EAP-Message = 0x020b003f1a020b003a31e9ffdcee4bbc78bc70f699c7b7d18a6a0000000000000000e1bfee3110af879278f74e833f924d04bbcf3e2b6abfaefa0074657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
State = 0x73ef44ad73e45ee6b34d60cb680fe623
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 11 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010c00331a030b002e533d30443045354133374237353435393138303937373141463136313142353741453941304136453343
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73ef44ad72e35ee6b34d60cb680fe623
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010c00331a030b002e533d30443045354133374237353435393138303937373141463136313142353741453941304136453343
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73ef44ad72e35ee6b34d60cb680fe623
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 11 to 129.69.5.130 port 50355
EAP-Message = 0x010c005b19001703010050b7ef8497271c47f35e588dcf625984fdee9a02890622c77d75be45f645f1d71195d8d689cdbcf85ac87b088a878064fcd20f47c2d35fee47f3102eb2ed82939bf67ac21ef90f9a6c813b237688f84e3a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30421009b347c7ccf2b2608d1
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=12, length=200
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020c005019001703010020ca23be428a79d9e7be29a585406e4c0f603ea3a45ec2d4c31a650aafbd6b351b1703010020eed02b9ddbc4581e2714ba17dde909e852b162ecde7744834de3fdd29b38c2ac
State = 0x0f2d19e30421009b347c7ccf2b2608d1
Message-Authenticator = 0x1c260dc2248591419a9a2ad1c69a3ef7
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020c00061a03
server {
[peap] Setting User-Name to test
Sending tunneled request
EAP-Message = 0x020c00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test"
State = 0x73ef44ad72e35ee6b34d60cb680fe623
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 12 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+group post-auth {
++policy cui_postauth {
+++? if (FreeRadius-Proxied-To == 127.0.0.1)
? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE
+++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE
+++if (FreeRadius-Proxied-To == 127.0.0.1) {
++++? if (outer.request:Chargeable-User-Identity)
? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE
++++? if (outer.request:Chargeable-User-Identity) -> TRUE
++++if (outer.request:Chargeable-User-Identity) {
+++++update outer.reply {
expand: cui_hash_key -> cui_hash_key
expand: %{config:cui_hash_key}%{User-Name} -> test...test
expand: %{md5:%{config:cui_hash_key}%{User-Name}} -> af9ff6128f1d96175837a8c519a96afb
+++++} # update outer.reply = noop
++++} # if (outer.request:Chargeable-User-Identity) = noop
+++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop
+++ ... skipping else for request 12: Preceding "if" was taken
++} # policy cui_postauth = noop
+} # group post-auth = noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xe4dc1a26c353c090f67b6bf6bd188dc7
MS-MPPE-Recv-Key = 0x272ed321f8edd9f5d647b617dfd8331b
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xe4dc1a26c353c090f67b6bf6bd188dc7
MS-MPPE-Recv-Key = 0x272ed321f8edd9f5d647b617dfd8331b
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 12 to 129.69.5.130 port 50355
Chargeable-User-Identity = "af9ff6128f1d96175837a8c519a96afb"
EAP-Message = 0x010d002b190017030100204cba8110b0ea82dc9972b79b9d38cb2222ba46e3b92aa013d7128d8edaf550f0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f2d19e30320009b347c7ccf2b2608d1
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=13, length=200
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "check_radius"
EAP-Message = 0x020d005019001703010020d1d31246b21acf81673a91a3e1cd7faef80cbf395c4f10008ae4581aca6068f017030100209cc273c58db0b0c8c45243c2012b6a44b3a9bd0d9c914bd8b63197736b036226
State = 0x0f2d19e30320009b347c7ccf2b2608d1
Message-Authenticator = 0xf9bf51fcbcf37c785131d8d7665515fd
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 13 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 13 to 129.69.5.130 port 50355
MS-MPPE-Recv-Key = 0xe6f5c1dbed02dc3b0209016ac4e3a47c134397edcb19159e6d14a9d348265773
MS-MPPE-Send-Key = 0x4378e43173b72fc85dafb172e56307ffc75f73459a1b36bca059a21274cd0266
EAP-Message = 0x030d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "anonymous"
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
Do you reckon that with PEAP we'd need use_tunneled_reply?
Off-topic: why does the debug tell me:
"server { # from file £Ýç?"
with such a weird file name?
TIA!
Best,
Kilian
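In the debug output above, Chargeable-User-Identity is attached to the Access-Challenge of id 12 but is absent from the Access-Accept of id 13. The Python script below is an added example, not part of the original post and not FreeRADIUS code, that finds this pattern in `freeradius -X` output. The names `parse_replies`, `dropped_before_accept` and `SAMPLE_LOG` are hypothetical, the sample is a shortened excerpt of the log above, and the script assumes the log holds one EAP conversation at a time.

```python
import re

# "Sending Access-Challenge of id 12 to ..." opens a block of reply attributes.
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
# Attribute lines look like "Name = value", optionally indented.
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*) = (.+)$")

# Constructed sample: excerpt of requests 12 and 13 above, hex values shortened.
SAMPLE_LOG = """\
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] = handled
Sending Access-Challenge of id 12 to 129.69.5.130 port 50355
\tChargeable-User-Identity = "af9ff6128f1d96175837a8c519a96afb"
\tEAP-Message = 0x010d002b1900
\tState = 0x0f2d19e30320009b347c7ccf2b2608d1
Finished request 12.
rad_recv: Access-Request packet from host 129.69.5.130 port 50355, id=13, length=200
\tUser-Name = "anonymous"
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 13 to 129.69.5.130 port 50355
\tEAP-Message = 0x030d0004
\tUser-Name = "anonymous"
Finished request 13.
"""


def parse_replies(log_text):
    """Return every outer reply packet with the attributes listed under it."""
    replies, current = [], None
    for line in log_text.splitlines():
        sent = SEND_RE.match(line)
        if sent:
            current = {"code": sent.group(1), "id": int(sent.group(2)), "attrs": {}}
            replies.append(current)
            continue
        if current is not None:
            attr = ATTR_RE.match(line)
            if attr:
                current["attrs"].setdefault(attr.group(1), []).append(attr.group(2))
            else:
                current = None  # first non-attribute line ends the block
    return replies


def dropped_before_accept(log_text, watch=("Chargeable-User-Identity",)):
    """Report watched attributes sent in a challenge but missing from the accept."""
    findings, seen = [], {}
    for reply in parse_replies(log_text):
        if reply["code"] == "Access-Challenge":
            for name in watch:
                if name in reply["attrs"]:
                    seen.setdefault(name, []).append(reply["id"])
            continue
        if reply["code"] == "Access-Accept":
            for name, ids in seen.items():
                if name not in reply["attrs"]:
                    findings.append({"accept_id": reply["id"],
                                     "attribute": name,
                                     "challenge_ids": ids})
        seen = {}  # an Accept or Reject closes the conversation
    return findings


if __name__ == "__main__":
    for finding in dropped_before_accept(SAMPLE_LOG):
        print(finding)
```
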