rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)
Tim Chen
gphoto6 at gmail.com
Thu Nov 12 08:07:38 CET 2015
On Thu, Nov 12, 2015 at 10:13 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Nov 11, 2015, at 8:02 PM, Tim Chen <gphoto6 at gmail.com> wrote:
> > 3. EAP(PEAP)
> > I use eapol_test to test
> > identity="john" PASS
> > identity="john at eduroam.example.edu" FAIL!!
> >
> > log from debug shows:
>
> What does ALL of the debug output show?
>
Dear Alan,
Thanks for your reply.
I do appreciate your effort and time.
Eric Chang
The full log is below:
rad_recv: Access-Request packet from host XXX port 51040, id=0, length=126
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01616e6f6e796d6f7573
Message-Authenticator = 0x5bea519b34ddad4362551e19ca0eccfc
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] file_common
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to XXX port 51040
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd8123e6499db674645796856c2
Finished request 13.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=1, length=349
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020100db1980000000d116030100cc010000c803010163200d2c7a6ef21da46a9647ef50895534b3e10bc1e464132424df97cc886d00005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101
State = 0x123f7dd8123e6499db674645796856c2
Message-Authenticator = 0xcb319b420119b4a7a9213e9ff6b1a53b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 219
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 209
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00cc], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 1411], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to XXX port 51040
EAP-Message =
0x0102040019c00000166716030100310200002d0301564422da43306ee47ebe6f5601eb14c1bae0c47a24db005cc33f370dbb2bd701000039000005ff0100010016030114110b00140d00140a00056d3082056930820451a003020102021047df00000000068f47a297480cbfa807300d06092a864886f70d01010b0500306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f72697479301e170d3135303630383035333333
EAP-Message =
0x355a170d3136303630383135353935395a30818b310b3009060355040613025457310f300d06035504080c0654616977616e310f300d06035504070c0654616970656931233021060355040a0c1a4e6174696f6e616c2054616977616e20556e697665727369747931183016060355040b0c0f436f6d70757465722043656e746572311b301906035504030c12656475726f616d2e6e74752e6564752e747730820122300d06092a864886f70d01010105000382010f003082010a0282010100f1765133c1c57f8c043d22b71804729c7fc2631e0699374d43f8bc3b914c15722dc36020da16d028a4d1890c3a5271b7c1a72e7deea72d37946a1fc6e9
EAP-Message =
0x0b8bd477e6a71ab5353f8f81166fbf6cd4c2d531b677bf273d663603b5a60b265a968a261b0a1b8d5207daaf0bedccc670a7f4ad0e5a05fdd46bffed86abeed89857307cd50b55a4f0843523e57f9555427830d48eef368d037eb3dc685d511659a21ce557a53537c08dc552529ed64da0849833637f3507ebb58788272a526c7d19d8a51fa50f0558490737bb0e45b025c166783b3b1c279fa16c9de9576089c21869f103202b93c5a315b7c80d93b043fb946ab94576c6310f6cdedb721de25f8c6d0203010001a38201e2308201de301f0603551d23041830168014f807c26824ff8595cbdb1ee3339c2a4f9720567b30290603551d0e042204208d
EAP-Message =
0x8ae0e0ca30409af8cef50a525ae9b18d6e669ad46cff8f48595468a084089f30560603551d1f044f304d304ba049a0478645687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f73736c7365727665722f53656375726573736c5f7265766f6b655f736861325f323031342e63726c301d0603551d11041630148212656475726f616d2e6e74752e6564752e747730818106082b0601050507010104753073304406082b060105050730028638687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f7365637572655f736861325f323031342e637274302b06082b06010505073001861f6874
EAP-Message = 0x74703a2f2f7477636173736c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd8133d6499db674645796856c2
Finished request 14.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=2, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x123f7dd8133d6499db674645796856c2
Message-Authenticator = 0x4bdbef62f727621c97b76a8046e60e19
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to XXX port 51040
EAP-Message =
0x010303fc19406f6373702e747763612e636f6d2e74772f305b0603551d20045430523050060b2b0601040182bf250101193041301b06082b06010505070201160f7777772e747763612e636f6d2e7477302206082b0601050507020230161a145265737472696374696f6e203d332e322e302e3130090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300d06092a864886f70d01010b050003820101001de810ca6c43b1feecba2817c78c853072af9e8ae8e0a5b6f4fb32b8e84423621eca6282a322434081ee26572c9d99b63246da8083f09b4ae4b3d5
EAP-Message =
0x02c02e30cff30300a17483a98ef819f4eea6cb7711ad9bcfb9dcd8428b99069f6075894fb22ea7a2d2f2bc2111acd6cdf1c803abcc6e642951e5447f9ce3779620e7f39fff05efa5e5697037b57349868aa15cfaab3d2e184907f947d1753709450e663cad3439cf8875102f7d27ad8d5115c79a85075bb988a2c450664414f4a55bd5a16e8b8b4411b3566315c5674d6476a9c8a688f02bdd4984a5c42b086275a537f8dcc62efc4cde6f3590cbd336249300e6e16153de8209d19d77743b566928b95b330005b5308205b130820399a003020102021040013353e40000000000000cc36e888d300d06092a864886f70d01010b05003051310b300906
EAP-Message =
0x035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f74204341301e170d3134313032383037323735365a170d3234313032383135353935395a306f310b300906035504061302545731123010060355040a130954414957414e2d4341311a3018060355040b13115365637572652053534c205375622d43413130302e0603550403132754574341205365637572652053534c2043657274696669636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101
EAP-Message =
0x00dbe0fe5153a201a6cf6a8e5da951096a167e4a1412b3114a26281b2f23528bc10dab1855e3a65cf2ed1af5632efab16a22866166ced21cd78f844568bc1333b80e270e466a578c363f8f2f84e8d4dd95290c55009dbd2efa52246be2a78569d1a45331bdffc65888b2c967e1fa55680e7d025c2e03237946b8a2e87678e64153d9d79f462acda6dd9c0450d49069237e03fb86dc9b4edc0116bf147d440bb31b6077b4260b4b9f01956a908683352e9b82d2d6c40531509a2868184d32bc930bf609813d7a680fa7d3f174f8d11e2e3664e11e2fd395ce9bc94678b28769564aadb0ab0bf6d10f92abe906e1550e0e1eb9b19359ae27fd6fe551a7e7
EAP-Message = 0xbc05244502030100
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd8103c6499db674645796856c2
Finished request 15.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=3, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x123f7dd8103c6499db674645796856c2
Message-Authenticator = 0x82d693f9024081535fc32547099a4d5b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to XXX port 51040
EAP-Message =
0x010403fc194001a382016530820161301f0603551d2304183016801448dbcdde8ee949725a88e8b1d83d07b3b96b6650301d0603551d0e04160414f807c26824ff8595cbdb1ee3339c2a4f9720567b300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30490603551d1f04423040303ea03ca03a8638687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f676c6f62616c5f7265766f6b655f343039362e63726c30120603551d130101ff040830060101ff020100307606082b
EAP-Message =
0x06010505070101046a3068303c06082b060105050730028630687474703a2f2f73736c7365727665722e747763612e636f6d2e74772f6361636572742f726f6f74343039362e637274302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b050003820201009e80281ad40477c7e497cb3b7f10c26c9562edcbdfa42c11da641a141a7876e92bfc4b7ebf9a98ee19a31368960c219bfbd5587161da48caf935cdffcd584258f1f218cec7a532d8918491510a8ac5bf4129746dc461e0be03eb6b194a19ddf01a657cc8534701095d95b76d1e72bf2fc32eb36e1d11
EAP-Message =
0x8f7eb3dbd2fdfb2fb9f076ef9630e52fbf5e4ac15fb656523e727ad11185960188b10e6d8d8cadb2302a148c4bf009cca59e7c2c838091f08978d5e03b1b51d9802dea638fd4760ceed62819731447e3a1e0e07aea73c3513ee0ac611328a368e1eac1b3f7704568a63e0d06c4be5fdc1f9ab22adcd9bf3eed2c4b0590a44d92670e7c240fefb7cc9bcfda4e9cf3ca33afc4d274d17303a3163b23eb5277fe97c72effbc9dd56505f89854a0f0d4e5229db2b684ef5757eeb3df55d8da4bb7ddc05fccb00dc38299afeb2ea953f10bbb9dbe5afb9afab0a31df35c1f556258c27725e467b5dcbda0a1acbedb511a15381dd31a7a07804c459dd3b401ff
EAP-Message =
0x654d77dfeefc3e6b7d2266ac68994f021f144c117092d6c20a62a6886beb6642dcbc75cbd11d7caaec8763eea865b29ad5e659b147230e812b8fcb2d21df96f102bbc6909b3189e2c3be8d1ff832fb96899b1710c4c73213706480c9cc6b8f93b08af62d2927bc398e6d6fe684c30028705f010bccb6d2c18aeaa04ea46419fe18ee4487e2117f05bb0efbdc6700055d3082055930820441a003020102021040013353e40000000000000cca5d1b69300d06092a864886f70d01010b0500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c
EAP-Message = 0x215457434120526f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd8113b6499db674645796856c2
Finished request 16.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=4, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x123f7dd8113b6499db674645796856c2
Message-Authenticator = 0x0303cea6372793b2de1f1bc329b4f56e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to XXX port 51040
EAP-Message =
0x010503fc19406f742043657274696669636174696f6e20417574686f72697479301e170d3134313032383037333833315a170d3330313032383135353935395a3051310b300906035504061302545731123010060355040a130954414957414e2d43413110300e060355040b1307526f6f74204341311c301a060355040313135457434120476c6f62616c20526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b005dbc8eb8cc46e8a21ef8e4d9c710a1f5270ed6d829c97c5d74c4e4549cb4042b512346c19c274a4315f850297ec43330a53d29c8c8eb7b879db2bd56af28e66c4ee2b010792d4b3
EAP-Message =
0xd002df50f655af660ecbe047602f2b323935523a2883f87b16c618b862d6472591cef019124dad63f5d33f755f29f0a1301c2aa098a615bdeefd1936f0e291438ffacad61027494cefddc1f185709bcaeaa85a43fc6d866f73e93745a9f036c7cc88751ebb6c06ff9b6b3e17ec61aa717cc61da2f749e915b53cd6a161f511f7056f1dfd11bed03007c229b0094e26dce3a2a8916a1fc29145885ce598b871a51519c97c7511cc70744f2d9b1d9144fd5628a0febb866ac8fa5c0b58dcc64b76c8ab22d9730fa5f45a02893f4f9e2282eea274532a3d5327691d6c8e322c6400266361364ea346b73f7db32dac6d90a295a2cecfda82e707341996e9b8
EAP-Message =
0x21aa297ea638be8e294a2166791fb3c3b50967ded6d40746f32adae6223760cb81b60fa00fe9c8957fbf5591057acf3d15c06fde09940183d7341bcc40a5f0b89b67d598913ba784789526a45a08f82b74b400043cdfb8148ee8dfa98d6c6792331dc0b7d2ec92c8be09bf2c29056f026b9eefbcbf2abc5bc0508f41707187b24db704a984a332afaeee6b178bb2b1fe6ce1908c88a89748cec84dcbf306cf5f6a0a42b11e1e772f8ea0e6920e06fc0522d226e131517d32dc0f0203010001a382011d30820119301f0603551d230418301680146a385b268dde8b5af24f7a54831918e30835a6ba301d0603551d0e0416041448dbcdde8ee949725a88
EAP-Message =
0xe8b1d83d07b3b96b6650300e0603551d0f0101ff04040302010630380603551d200431302f302d0604551d20003025302306082b060105050702011617687474703a2f2f7777772e747763612e636f6d2e74772f30420603551d1f043b30393037a035a0338631687474703a2f2f526f6f7443412e747763612e636f6d2e74772f545743415243412f7265766f6b655f323034382e63726c300f0603551d130101ff040530030101ff303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f726f6f746f6373702e747763612e636f6d2e74772f300d06092a864886f70d01010b05000382010100290b6ec494dc
EAP-Message = 0x6259937a5a4c5ddc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd8163a6499db674645796856c2
Finished request 17.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=5, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500061900
State = 0x123f7dd8163a6499db674645796856c2
Message-Authenticator = 0xe204b5d93312a25ce30bee127754b91b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to XXX port 51040
EAP-Message =
0x010603fc1940993e8ea8fbf9a08f1bd927706df82e5e48696117401089aa03b81ccbdfbc6c28541fc521f54b96bffc4c47ca0b77c3cc667b6fb9360869f9c191ed8fd69ea222e882b789c8aad020e74aac232b2f4ff64f146bf17a45a187c871e7a7a4b9806bc9cecd8a259ccdd309a532fa24d1517f3c319947ea1fa76f6e84cdaed8ae356ad6cbe0be13c1a231cbee1fe926dfb706c60d450ae7ab45571eb7019b31f5f205404586d8021bd04b21db2082e322e94fe35d2bc439121728c6b967b17de1b27c76e53684da745eac38b66bf8eea103c4b0c45c124c6f06da3a4465b636970c1879d04697331fab52a8cede57b4281338b7ac00037f3082
EAP-Message =
0x037b30820263a003020102020101300d06092a864886f70d0101050500305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f72697479301e170d3038303832383037323433335a170d3330313233313135353935395a305f310b300906035504061302545731123010060355040a0c0954414957414e2d43413110300e060355040b0c07526f6f74204341312a302806035504030c215457434120526f6f742043657274696669636174696f6e20417574686f7269
EAP-Message =
0x747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b07e72b8a40394e6a7de0938914a114087a77c5964147bb51110ddfebfd5c0bb56e28525f435720ff853d041e14401c2b41cc33142164785332276b20a6f0fe525504f8586bebf982e10671ebe1105860590c459d07c7810b0805cb7e1c72b75cb7c9faeb5d19d233763a7dc42a22d92041b50c17bb83e1bc956048b2f529bada956e9c1ffada9588730b681f79745fc19573b2b6fe447f49945fe1df1f897a3881d371c5c8fe076259a50f8a054ff44907623d232c6c3ab06bffcfbbff3ad7d9262025b29d335a3939a4364605db2fa32ff3b04af4d406af9c7
EAP-Message =
0xe3ef23fd6bcbe50f8b380dee0afcfe0f989f3031dd6c5265f98b81be22e11c5803ba911b89070203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a385b268dde8b5af24f7a54831918e30835a6ba300d06092a864886f70d010105050003820101003cd5773ddadf89ba870c08546a205092beb0413db92664830a2fe840c097282782304ac993ff6ae7a6007f89429ad611e553ce2fccf2da05c4fee250c43a867dccda7e10093b92352a53b2feeb2b05d96c5de6d0efd36a669e1528857ae88200ac1ea709695642d3685118be549abf4441ba49be20ba695ceeb8
EAP-Message = 0x77cdce6c1fad8396
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd817396499db674645796856c2
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=6, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600061900
State = 0x123f7dd817396499db674645796856c2
Message-Authenticator = 0xe7ed960994f58e17bc9fa05dce1d1925
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to XXX port 51040
EAP-Message =
0x0107029f1900187d0eb5143984f128e92da39e7b1e7a725a83b3796fefb4fcd00aa5584f46dffb6d7959f2842252ae0fccfb7c3be76aca4761c37af8d392041fb82084e1365416c740de3b8a73dcdfc6094cdfecdaffd45342a1c9f2621d22833c97c5f9196227ac6522d7d33cc6e58eb253cc49cebc30fe7b0e3390fbedd214911f07af160301020d0c0002090080f330e182461ac1124f5b50a47f973caee6024b9aca5a451cc1b5e663f16bb9063f4a7b1393c2393e28a59080f9aa96bc7abb8119a7e4eb4692accd80ece3018dabf5f0b5e8124b3e2cb69bdf96f52b26ca06ae45cadc31676bb17115261819095027a73b5151fc761d574fe44ec3
EAP-Message =
0x14452195733585d8170a671a713ee4875e2b00010200804ca495047b0637730e8958821bcbf46f0f5941eb8682d80c45d1523a850dc2074922389764b4b1bac6643bd178a0059162b4dff07356ad8a0db0e0bfa2c3ddb31fec0267fb8e3138a232083a51b22c8fea960a2f29c343b529ddc1db1b3ebcf7c3dc39b09a44e8cf1d1921fcdc8525ac61b9aef53e64289edc19dcc4b8143eee0100647fa8dd614a960a2ee91e81841008c20d248a5970e01f4f3ba488f28d4e7c47f9b92d1a06677dadf6da9266bd56c339d24ba9296f303cab6f7a2751fd5d7d5138e7f98624f242f963d2d4f94f4fedc33930686b4220399a5d72e5ba0a223736ab23c5d7
EAP-Message =
0xca39c5fd57386925decc90043196bfa67f470ef746d859245b74d448ad1e3f0e61d0cbd136ea7f9ac068dfc21cf83e5025546a3c26442a1bc4d4d9899483dec72117e84223d75cfa7d4c3d8b99a9b10679b81969af1552210f67cc3fec9bb1371a829eaef3600a0e0f281038023a33e5dc74f30d79156c39c866e844e90ea6b4b10402a5b5d4ba6a1cda7a79058be2ceb8f0c375b5875a3b5eda676616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd814386499db674645796856c2
Finished request 19.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=7, length=338
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020700d01980000000c61603010086100000820080394f119e136d178e3a887856cd7bdd9cb38a8b8c36a5ffff1298f0b98d7a1b7f19c0a03ff3e8ab63e478ac8acd09964ff4962445e5bb13ae89576bd2a61cf277759d277da00002eb2e09749dbe07d9554e680dfa9c00bd0937e45edbe6cbe40994f379d17d71c270541692cc97e813240408531f5b86e87ce165c3d2ca044ea01403010001011603010030b640bc2f88f898b8cf69ec37297ea8108479b7450024adbcf480fde71d4205139f67dc0b9f6992f1b1c84dbf2846220e
State = 0x123f7dd814386499db674645796856c2
Message-Authenticator = 0x58d1e79d405942610f0ac057325e0a5e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 208
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to XXX port 51040
EAP-Message =
0x01080041190014030100010116030100307753b8869b19d89771c9ab745f4b05b21d2b383b12e7203ba813998d83b5baf366f28ffb445daea13b54fc90cec2f8ec
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd815376499db674645796856c2
Finished request 20.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=8, length=136
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020800061900
State = 0x123f7dd815376499db674645796856c2
Message-Authenticator = 0xb5e70d01b36b4bcf122ad9fa8128cd72
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to XXX port 51040
EAP-Message =
0x0109002b190017030100208dea6279f628c68de5d6ae30fee73441c6b8152b94f652d41139dfa73e548a4f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd81a366499db674645796856c2
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=9, length=226
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02090060190017030100204bc502c8d5f473259c6b535aed81e8e7510bf09e7d5d4b6318d05312c0e3411e17030100305e3edc75cbb2915808290461c1f860f1edbfcd3ccedd3ddd37bbd0483a03ea7349ee28b698c1907ccf8cc81bcd89ffab
State = 0x123f7dd81a366499db674645796856c2
Message-Authenticator = 0xd3af56b3f49bfd8b6e9e17995286bad7
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - john at eduroam.example.edu
[peap] Got inner identity 'john at eduroam.example.edu'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message =
0x0209001b016a736340656475726f616d2e6e74752e6564752e7477
server {
[peap] Setting User-Name to john at eduroam.example.edu
Sending tunneled request
EAP-Message =
0x0209001b016a736340656475726f616d2e6e74752e6564752e7477
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john at eduroam.example.edu"
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "eduroam.ntu.edu.tw" for User-Name = "
john at eduroam.example.edu"
[suffix] Found realm "eduroam.ntu.edu.tw"
[suffix] Adding Stripped-User-Name = "john"
[suffix] Adding Realm = "eduroam.ntu.edu.tw"
[suffix] Proxying request from user john to realm eduroam.ntu.edu.tw
[suffix] Preparing to proxy authentication request to realm "
eduroam.ntu.edu.tw"
++[suffix] = updated
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] file_common
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010a00301a010a002b1047559114346c20f8a84a3fefd7765c876a736340656475726f616d2e6e74752e6564752e7477
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x67cd962467c78ced7501359b4f279129
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message =
0x010a00301a010a002b1047559114346c20f8a84a3fefd7765c876a736340656475726f616d2e6e74752e6564752e7477
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x67cd962467c78ced7501359b4f279129
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 9 to XXX port 51040
EAP-Message =
0x010a005b190017030100508c01aa75460100bb89de92c1823aa6673a02fc2ba20c6bb96d0264d0cc5abd7953d841c86dac72f5b18578e8df00da8ecd8bae3aa9878a5cf06838229159235c253bfbd61aea4599fd7a5ad205b6fb67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd81b356499db674645796856c2
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=10, length=290
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020a00a0190017030100202e56547a2cc961bed8bc6ef371a65ff5b2034788fa419fa76fda116e24b445a317030100709b304476ea3a228e109d7e7df1cd8a4bd1fa5779b205d200aec7d23c6641b15b734b64b56aace29f0623c5e914e2de7adf42b99d451617e655d5d3f58bed6b5c3a9869703129e8fcf56f6ac0f9ade0f2a4d5bea538ae2310897ce7da168c7bd2dbfd48d5706dbd148f412338c55bbaa3
State = 0x123f7dd81b356499db674645796856c2
Message-Authenticator = 0x5f2391cd4b87cb196fbf4beca8a1a7ae
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 160
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020a00511a020a004c315530e5eedb7545418c3519a5ebf9ec670000000000000000762feaaf2fdb62d38213f50c274d4194c7988bbd4b83e406006a736340656475726f616d2e6e74752e6564752e7477
server {
[peap] Setting User-Name to john at eduroam.example.edu
Sending tunneled request
EAP-Message =
0x020a00511a020a004c315530e5eedb7545418c3519a5ebf9ec670000000000000000762feaaf2fdb62d38213f50c274d4194c7988bbd4b83e406006a736340656475726f616d2e6e74752e6564752e7477
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john at eduroam.example.edu"
State = 0x67cd962467c78ced7501359b4f279129
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "eduroam.ntu.edu.tw" for User-Name = "
john at eduroam.example.edu"
[suffix] Found realm "eduroam.ntu.edu.tw"
[suffix] Adding Stripped-User-Name = "john"
[suffix] Adding Realm = "eduroam.ntu.edu.tw"
[suffix] Proxying request from user john to realm eduroam.ntu.edu.tw
[suffix] Preparing to proxy authentication request to realm "
eduroam.ntu.edu.tw"
++[suffix] = updated
++update control {
++} # update control = noop
[eap] EAP packet type response id 10 length 81
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] file_common
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: john at eduroam.example.edu
[mschap] Client is using MS-CHAPv2 for john at eduroam.example.edu, we need
NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [john at eduroam.example.edu/<via Auth-Type = EAP>] (from
client network8 port 0 via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} ->
john at eduroam.example.edu
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 10 to XXX port 51040
EAP-Message =
0x010b002b19001703010020e2240cd59f5612ce5e667e34bb3cb34443523681822bb75ce1cd20358a048fcf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x123f7dd818346499db674645796856c2
Finished request 23.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 51040, id=11, length=210
User-Name = "anonymous"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020b005019001703010020cb75ba34cd48020825fd021fce778da64de08e3bf0fa81e4734ac990b516a87717030100204083e2262345cefa1f866b0718c521d50ab5dda17f7df067607c304d08d570e4
State = 0x123f7dd818346499db674645796856c2
Message-Authenticator = 0xadc935c13eeb9ee254dfcc65fcebd2cd
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client network8
port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 24 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 24
Sending Access-Reject of id 11 to XXX port 51040
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 13 ID 0 with timestamp +27
Cleaning up request 14 ID 1 with timestamp +27
Cleaning up request 15 ID 2 with timestamp +27
Cleaning up request 16 ID 3 with timestamp +27
Cleaning up request 17 ID 4 with timestamp +27
Cleaning up request 18 ID 5 with timestamp +27
Cleaning up request 19 ID 6 with timestamp +27
Cleaning up request 20 ID 7 with timestamp +27
Cleaning up request 21 ID 8 with timestamp +27
Cleaning up request 22 ID 9 with timestamp +27
Cleaning up request 23 ID 10 with timestamp +27
Waking up in 0.9 seconds.
Cleaning up request 24 ID 11 with timestamp +27
Ready to process requests.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list