rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)

Tim Chen gphoto6 at gmail.com
Thu Nov 12 12:14:32 CET 2015


On Thu, Nov 12, 2015 at 4:47 PM, Matthew Newton <mcn4 at leicester.ac.uk>
wrote:

> On Thu, Nov 12, 2015 at 03:15:10PM +0800, Tim Chen wrote:
> > +group authorize {
> > ++[preprocess] = ok
> > ++[passwdf1] = notfound
> ^^^
>
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] Looking up realm "eduroam.example.edu" for User-Name = "
> > john at eduroam.example.edu"
> > [suffix] Found realm "eduroam.example.edu"
> > [suffix] Adding Stripped-User-Name = "john"
> ^^^
>
> > [suffix] Adding Realm = "eduroam.example.edu"
> > [suffix] Proxying request from user john to realm eduroam.example.edu
> > [suffix] Preparing to proxy authentication request to realm "
> > eduroam.example.edu"
> > ++[suffix] = updated
>
>
> You're calling passwdf1 before Stripped-User-Name is defined by
> suffix.
>
> Move passwdf1 after the call to suffix in both inner & outer.
>
> Cheers
>
> Matthew
>
>
Dear Matthew,

I've moved passwdf1 after suffix in both inner & outer. (after the "files")

But it seems to be the same situation:
1. PAP with/without domain(realm) PASSED
2. MSCHAP with/without domain(realm) PASSED
3. EAP(PEAP)
   I use eapol_test to test
   identity="john" PASS
   identity="john at eduroam.example.edu" FAIL!!

Would you please give me some more hints?

Thanks for your time.

Eric Chang

rad_recv: Access-Request packet from host XXX port 60597, id=0, length=126
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
        Message-Authenticator = 0xeeca830d9bace15bd26bba26b68a040d
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] file_common
++[files] = noop
++[passwdf1] = notfound
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to XXX port 60597
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e0b9dd7c53f14170d6c10b8a
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=1, length=349
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x020100db1980000000d116030100cc010000c80301342f621a43418e1f4a1f83fbd1d7f98e3eb86f95fc8f660bb6324aa0abc507bc00005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101
        State = 0xe0b8c466e0b9dd7c53f14170d6c10b8a
        Message-Authenticator = 0x99ccdc81eedada43581f99d7d8eab825
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 219
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 209
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00cc], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 1411], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to XXX port 60597
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e1badd7c53f14170d6c10b8a
Finished request 19.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=2, length=136
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020200061900
        State = 0xe0b8c466e1badd7c53f14170d6c10b8a
        Message-Authenticator = 0x36c0b2ca90211d3c2c9dca6de4022ca4
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to XXX port 60597
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e2bbdd7c53f14170d6c10b8a
Finished request 20.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=3, length=136
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300061900
        State = 0xe0b8c466e2bbdd7c53f14170d6c10b8a
        Message-Authenticator = 0x5f5a7d1a7b0015e5627e9666c2f0efb8
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to XXX port 60597
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e3bcdd7c53f14170d6c10b8a
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=4, length=136
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020400061900
        State = 0xe0b8c466e3bcdd7c53f14170d6c10b8a
        Message-Authenticator = 0xf9b17f3e26b5b05b17d438eb094b12d9
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to XXX port 60597
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e4bddd7c53f14170d6c10b8a
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=5, length=136
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020500061900
        State = 0xe0b8c466e4bddd7c53f14170d6c10b8a
        Message-Authenticator = 0x65f499ed0355542a4c7e35a66f8f0e5f
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to XXX port 60597
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e5bedd7c53f14170d6c10b8a
Finished request 23.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=6, length=136
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020600061900
        State = 0xe0b8c466e5bedd7c53f14170d6c10b8a
        Message-Authenticator = 0x972dd2cbfac6b409f039e2c7cc7b3f54
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to XXX port 60597
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e6bfdd7c53f14170d6c10b8a
Finished request 24.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=7, length=338
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x020700d01980000000c6160301008610000082008037397ea3303c05783518b52aa03a549dbf5637e7fc3906c1ac0707900db32c27bbaf83b72577d47aaf906d58e96190767bab1d837158ee2a161ea38aff71af01162661d5b39a6728e9fb7669549ae95ee1fd32d374b3bab766c15e5f1f2a5589e440a64449eb328135f72645800d04c3fa7282c8786acb3a721ed8d727084d4f1403010001011603010030ccf5680511f68785678ac1c7280c613ad90ce602c19e3f36904f96f184b9a95c909f49e6fa2dc7ed0b326d4779e74c8b
        State = 0xe0b8c466e6bfdd7c53f14170d6c10b8a
        Message-Authenticator = 0x04e75b2199d6ae19b4d3f930ea273643
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 208
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to XXX port 60597
        EAP-Message =
0x0108004119001403010001011603010030b5f3deeb1e46572a001ab0cb62e8dc83560ab61f641703b38f764aa1f1234cff61201fb1c1ad1af68d4f05000eee1f74
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e7b0dd7c53f14170d6c10b8a
Finished request 25.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=8, length=136
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020800061900
        State = 0xe0b8c466e7b0dd7c53f14170d6c10b8a
        Message-Authenticator = 0x97a7b696c186dfae46ddd95b9d548ee9
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to XXX port 60597
        EAP-Message =
0x0109002b19001703010020ff86faf97d4639be9426719ee0aba567e35a0230dc5cb6ef05bb66d87323a248
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e8b1dd7c53f14170d6c10b8a
Finished request 26.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=9, length=226
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x0209006019001703010020747c93ea7fa927528d70d44e59bc1b5716ebd3d8a7c08e22b87d86f366cde4f717030100309611d052aa27d02f06fbea6f19b6dcb81b30014c3df2d631a442a4a1fe31ce5d94316956f284761e2fe0adee9daeb47f
        State = 0xe0b8c466e8b1dd7c53f14170d6c10b8a
        Message-Authenticator = 0x079f64a6b49baec478c02318e85be3dc
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - john at eduroam.example.edu
[peap] Got inner identity 'john at eduroam.example.edu'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message =
0x0209001b016a736340656475726f616d2e6e74752e6564752e7477
server  {
[peap] Setting User-Name to john at eduroam.example.edu
Sending tunneled request
        EAP-Message =
0x0209001b016a736340656475726f616d2e6e74752e6564752e7477
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "john at eduroam.example.edu"
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "eduroam.example.edu" for User-Name = "
john at eduroam.example.edu"
[suffix] Found realm "eduroam.example.edu"
[suffix] Adding Stripped-User-Name = "john"
[suffix] Adding Realm = "eduroam.example.edu"
[suffix] Proxying request from user john to realm eduroam.example.edu
[suffix] Preparing to proxy authentication request to realm "
eduroam.example.edu"
++[suffix] = updated
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] file_common
++[files] = noop
++[passwdf1] = notfound
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010a00301a010a002b10e5300e4995aa18fb84d46e244cfe1b076a736340656475726f616d2e6e74752e6564752e7477
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x03fe26c403f43cfffff39b292568cd04
[peap] Got tunneled reply RADIUS code Access-Challenge
        EAP-Message =
0x010a00301a010a002b10e5300e4995aa18fb84d46e244cfe1b076a736340656475726f616d2e6e74752e6564752e7477
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x03fe26c403f43cfffff39b292568cd04
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 9 to XXX port 60597
        EAP-Message =
0x010a005b190017030100504829958debd5ce8970ef192d93cfa56ea96b69f702aaec9b78d64ea5729ff05ff8f7a5655a119c700a34d725767b26f3d8814521afa27c93ea849de8c1c9dafbc7f785ddee4fb16af059b6d9fdace362
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466e9b2dd7c53f14170d6c10b8a
Finished request 27.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=10, length=290
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x020a00a01900170301002062eb92c1a90dfdc1af592cc2e3f60d949193e5f5609e1f0270d3060aee06093f1703010070254b748e5c03ba5e3d602cbf39fb26a46ed697798a19afb33b812e7df239e1a7794ba430f03bfe66e4f546f8257649b0963081b115287955fc880599477bcf3a00323b8e1d877b0a39b3021295b05ccf55c59b8f9d21315407871433e5db1fcc42f9a1a0230d497bb08a0d0925ca7f99
        State = 0xe0b8c466e9b2dd7c53f14170d6c10b8a
        Message-Authenticator = 0x313531a5259dd06d861209a42032e394
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 160
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020a00511a020a004c31e1b79f474a6404288c4f3039eec9e25b0000000000000000127c91d50c70cba486931070b47e7713c173843e796cd384006a736340656475726f616d2e6e74752e6564752e7477
server  {
[peap] Setting User-Name to john at eduroam.example.edu
Sending tunneled request
        EAP-Message =
0x020a00511a020a004c31e1b79f474a6404288c4f3039eec9e25b0000000000000000127c91d50c70cba486931070b47e7713c173843e796cd384006a736340656475726f616d2e6e74752e6564752e7477
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "john at eduroam.example.edu"
        State = 0x03fe26c403f43cfffff39b292568cd04
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "eduroam.example.edu" for User-Name = "
john at eduroam.example.edu"
[suffix] Found realm "eduroam.example.edu"
[suffix] Adding Stripped-User-Name = "john"
[suffix] Adding Realm = "eduroam.example.edu"
[suffix] Proxying request from user john to realm eduroam.example.edu
[suffix] Preparing to proxy authentication request to realm "
eduroam.example.edu"
++[suffix] = updated
++update control {
++} # update control = noop
[eap] EAP packet type response id 10 length 81
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] file_common
++[files] = noop
++[passwdf1] = notfound
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: john at eduroam.example.edu
[mschap] Client is using MS-CHAPv2 for john at eduroam.example.edu, we need
NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [john at eduroam.example.edu/<via Auth-Type = EAP>] (from
client network8 port 0 via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} ->
john at eduroam.example.edu
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\nE=691 R=1"
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
        MS-CHAP-Error = "\nE=691 R=1"
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 10 to XXX port 60597
        EAP-Message =
0x010b002b1900170301002074a804afb0f47eeca2c61b96396601cad3bf914e77f9e7dfb4315d446ac8ba75
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe0b8c466eab3dd7c53f14170d6c10b8a
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX port 60597, id=11, length=210
        User-Name = "anonymous"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x020b0050190017030100209042a6b24b30cd3562204ee125fa1ccb3c71936efd32a2bc1e6be929ce92ae471703010020e1fd5cd4e4c25e517f2eb8465409559b4288fbbf05f5c6805306a23fab161c3f
        State = 0xe0b8c466eab3dd7c53f14170d6c10b8a
        Message-Authenticator = 0xff197e1157b28e7cef9eacdcbc22d695
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from client network8
port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 29
Sending Access-Reject of id 11 to XXX port 60597
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 18 ID 0 with timestamp +116
Cleaning up request 19 ID 1 with timestamp +116
Cleaning up request 20 ID 2 with timestamp +116
Cleaning up request 21 ID 3 with timestamp +116
Cleaning up request 22 ID 4 with timestamp +116
Cleaning up request 23 ID 5 with timestamp +116
Cleaning up request 24 ID 6 with timestamp +116
Cleaning up request 25 ID 7 with timestamp +116
Cleaning up request 26 ID 8 with timestamp +116
Cleaning up request 27 ID 9 with timestamp +116
Cleaning up request 28 ID 10 with timestamp +116
Waking up in 0.9 seconds.
Cleaning up request 29 ID 11 with timestamp +116
Ready to process requests.

