"WARNING: !! EAP session for state ... did not finish!", And Other Warnings
Jim Seymour
jseymour at LinxNet.com
Fri Oct 2 23:24:17 CEST 2015
On Fri, 2 Oct 2015 21:35:17 +0100
Matthew Newton <mcn4 at leicester.ac.uk> wrote:
[snip]
>
> Can you run
>
> radiusd -X | tee logfile
>
> then connect the laptop to the network, and then post the logfile
> to the list? Otherwise we've got nothing really to go on.

Wellll... Okay. It's gigantic, tho. Included below.

>
> Long shot, have you got the default EAP type (eap.conf) configured
> to the same one that you're using? Shouldn't cause this, but all I
> can think of without seeing any debug output.

Set to "peap" in eap.conf and set to "Microsoft: Protected EAP (PEAP)"
in the config on the laptop.

Here's the debug output...

freeradius: FreeRADIUS Version 2.2.9, for host i686-pc-linux-gnu, built on Oct 2 2015 at 07:12:08
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 172.24.0.0/16 {
ipaddr = 172.24.0.0
netmask = 16
require_message_authenticator = no
secret = "xxxxxxxxxxxxxxxxxxxx"
shortname = "localhost"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = digest
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/ssl/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/skynet-n_wtccorp_com.key"
certificate_file = "/etc/ssl/certs/skynet-n_wtccorp_com.crt"
CA_file = "/etc/ssl/certs/skynet-n_wtccorp_com_ca.pem"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/ssl/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
detail auth_log {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "localhost"
port = 389
password = "slurp2~maybe"
expect_password = yes
identity = "uid=radius,ou=People,dc=wtccorp,dc=com"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = yes
cacertfile = "/etc/ssl/certs/skynet-n_wtccorp_com_ca.pem"
require_cert = "allow"
}
basedn = "ou=People,dc=wtccorp,dc=com"
filter = "(uid=%{mschap:User-Name})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "userPassword"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x87ce2f8
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 56664
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=0, length=203
Message-Authenticator = 0xf3fee44722450f2f835bda228c2d88a6
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020000140177696e303035345c6a656666726579
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:26 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 172.24.0.48 port 1509
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x98bd762098bc6f3a092a404097a6cf8c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=1, length=340
Message-Authenticator = 0x179741121daee4790499573ef410e994
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x98bd762098bc6f3a092a404097a6cf8c
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201008b198000000081160301007c010000780301560ef3ca1db6af18753547212e86a4c29231188ea25d38e9fc506a22d24e4ded204bac48082d3304551bb3dc2591a3abb1481a4b9e1f411604b120384460512c0d0018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:26 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 139
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 129
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 007c], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0899], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 172.24.0.48 port 1509
EAP-Message = 0x205bb219d9d0950173a6e052
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x98bd762099bf6f3a092a404097a6cf8c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=2, length=207
Message-Authenticator = 0xbd29cd2a85b34482305e73ddbeb9fc70
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x98bd762099bf6f3a092a404097a6cf8c
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061900
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:26 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 172.24.0.48 port 1509
EAP-Message = 0x010303fc1940b6da580861b855560215e1bcddc7cf7827141faabad978a814118c0396af66bb9de3c68f723e7daa398182692569baf4e2286c6ce5036cfc997577ecebc2727ff1ecbf4f7310651cf9ea2752d40b0ffa8f3d93d4e344fede5db5104358bd0361b15d3a673789d36d86caa0800071c88c6f149459efd07b25be0dd75ca2b2aa276c22bd6c8f7481af26b84dda57b527c3ed8889a96b232aba9105d1750cfd3fcf97c1ee8a9339d19ab87264461497c80c8adf4010e1a03fe4048cd611b4fdb0330004233082041f30820307a003020102020900db98278c91c043a8300d06092a864886f70d01010b05003081a5310b3009060355040613
EAP-Message = 0xdebfec3c001b3f97c99db881f0bc8175bc2f8a06a57dd173f43d092f406832fa4d379b4e3d139fcd2b17ffc3d462ee2d1bb7f4170af942c0d04e00a7d9735378bca2b39c5442683a6a0311a8c0c24d4782e969362ea68480960546166f7683dde3e32638fb36b04b302198f997e2afb50880b63ffdff863a7812b4e9c0cc7ccda4424c344f3f7f180bf70203010001a350304e301d0603551d0e041604143edcdf7a0e78b6c903868bf018eb6df83782ab9d301f0603551d230418301680143edcdf7a0e78b6c903868bf018eb6df83782ab9d300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010059c531727c748cb0
EAP-Message = 0xa73687495c5cba6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x98bd76209abe6f3a092a404097a6cf8c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=3, length=207
Message-Authenticator = 0xff40c27f0968df6b3d4a998482366677
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x98bd76209abe6f3a092a404097a6cf8c
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:26 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 172.24.0.48 port 1509
EAP-Message = 0x988e23bbfd7da569b3228fce00255d14115514e296d1cdcabfc471f6a93865e4727403723468dd50253baec481920b34f9bbd4b31d488db221f224bb73a98de198ce3c3bbaea63a73de0640d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x98bd76209bb96f3a092a404097a6cf8c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1509, id=4, length=207
Message-Authenticator = 0x6c8a80ed0cc51c66ebf5cb6850444872
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x98bd76209bb96f3a092a404097a6cf8c
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400061900
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:26 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 172.24.0.48 port 1509
EAP-Message = 0x010500061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x98bd76209cb86f3a092a404097a6cf8c
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=0, length=203
Message-Authenticator = 0x121295a68b11c245e8e2f9154fbba8de
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020000140177696e303035345c6a656666726579
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 172.24.0.48 port 1510
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4464d3fe9d648e243ee182ad
Finished request 5.
Going to the next request
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=1, length=308
Message-Authenticator = 0xed6907899fefd56815ebca6b3afae42d
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4464d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201006b198000000061160301005c010000580301560ef3ccbf5284b3d32a2f4774af9d62f43b2ee8527a8caeff6653df745e5cef000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 97
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005c], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0899], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 172.24.0.48 port 1510
EAP-Message = 0x2806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323735335a170d3136303932393133323735335a3081c0310b30090603550406130255533111300f06035504080c084d6963686967616e3119301706035504070c104661726d696e67746f6e2048696c6c733121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077
EAP-Message = 0x205bb219d9d0950173a6e052
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4567d3fe9d648e243ee182ad
Finished request 6.
Going to the next request
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=2, length=207
Message-Authenticator = 0xe82b5064a4f1a842ea017d1df9ed2249
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4567d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061900
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 172.24.0.48 port 1510
EAP-Message = 0x0255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f677920436f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d301e170d3135303933303133323732315a170d3230303932383133323732315a3081a5310b30090603550406130255533111300f06035504080c084d6963686967616e3121301f060355040a0c1857656c64696e6720546563686e6f6c6f67792043
EAP-Message = 0x6f72702e31153013060355040b0c0c546563682e2043656e746572311d301b06035504030c14736b796e65742d6e2e777463636f72702e636f6d312a302806092a864886f70d010901161b686f73746d61737465724077656c6474656368636f72702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c944842f637fef492dcb8b64ea061235ea559291b19a5ae5edc0ed30743c49f613d8e02b4f1c550e2a10a2949470e97d1bfa77fd2d72cf5705e203ab73384d91885043238a0a28aba3da3852a88569281c07f2625df0c9fc44bd7e2b74e1bd17b30e13a34ce06642eb8ea20eab0ac013b1e0295106d8
EAP-Message = 0xa73687495c5cba6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4666d3fe9d648e243ee182ad
Finished request 7.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=3, length=207
Message-Authenticator = 0xa1bb90d986293276b7e1daa26bbb9422
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4666d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020300061900
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 172.24.0.48 port 1510
EAP-Message = 0x3c7a29973798e12add22ade92b3511a131fb4d81bfcdec1d7106d6c70b89fed598f1aca96b1ce9d45de544b8f2d96c2bde80f76ae69041e752e6ddbfcbafca70df67258cdeff72cc52f1958616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4761d3fe9d648e243ee182ad
Finished request 8.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=4, length=345
Message-Authenticator = 0x8bc28ce67ea7ac4969fbf9ae2e9e208f
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4761d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0204009019800000008616030100461000004241043c809efc0e0a2ca176b2606111d62bf84fc511208a5bf64b3017688baf469126994847f9f55b6a4a9a14f69a5cc2d9093ca45977068034173e49aa8c6567ef231403010001011603010030cfd781c88abc2f1f2308318db52c884dc33bb5034282e0be3ae40b6265ee2d415484e772c9889a03bfd6d113e8b7b925
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 172.24.0.48 port 1510
EAP-Message = 0x010500411900140301000101160301003013153c9bcbbbc61fdf54f31d9dc1f6e0f0688aed91c84831ea12d943c445d4bc36982989b0a1c12ffff77e06438851c7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4060d3fe9d648e243ee182ad
Finished request 9.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=5, length=207
Message-Authenticator = 0xe672cfd12303a02af4cd8bf93844cc0a
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4060d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020500061900
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 172.24.0.48 port 1510
EAP-Message = 0x0106002b190017030100206e4c28c25fa0be9b294a675f54f4795ab01b00a6d1c9b7001d7da69b3807e510
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4163d3fe9d648e243ee182ad
Finished request 10.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=6, length=260
Message-Authenticator = 0xdbd26e3f6b395640e552601e0c30b267
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4163d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0206003b19001703010030ace4d439a4ad129c9a846d74d6695ccaea39e77e2c524cf5065c69ae97d02d1c7dc9ec9c5a4e7d530ef19a7485a6d6f0
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - win0054\jeffrey
[peap] Got inner identity 'win0054\jeffrey'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020600140177696e303035345c6a656666726579
server {
[peap] Setting User-Name to win0054\jeffrey
Sending tunneled request
EAP-Message = 0x020600140177696e303035345c6a656666726579
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "win0054\\jeffrey"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 6 length 20
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for win0054\jeffrey
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=jeffrey)
[ldap] expand: ou=People,dc=wtccorp,dc=com -> ou=People,dc=wtccorp,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] setting TLS CACert File to /etc/ssl/certs/skynet-n_wtccorp_com_ca.pem
[ldap] starting TLS
[ldap] bind as uid=radius,ou=People,dc=wtccorp,dc=com/slurp2~maybe to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=People,dc=wtccorp,dc=com, with filter (uid=jeffrey)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaAcctFlags -> SMB-Account-CTRL-TEXT == "[U]"
[ldap] sambaNTPassword -> NT-Password == 0x4338374239333639433331343843433241314331363738344134363645463435
[ldap] sambaLMPassword -> LM-Password == 0x3936393736373035453543463432463941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010700291a01070024109974050545ffc02dfc8e72d8f44f439b77696e303035345c6a656666726579
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05a66f0605a1753bbd5d795e1c248c9d
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message = 0x010700291a01070024109974050545ffc02dfc8e72d8f44f439b77696e303035345c6a656666726579
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05a66f0605a1753bbd5d795e1c248c9d
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 172.24.0.48 port 1510
EAP-Message = 0x0107004b19001703010040a9546f8399001b6a8bd342e619ae8162f76fc837888a09fa384a010c9e2dee9268df149f6f8055970ae10d2cc4a47f0cac733dd468db1838054de093bc3dec3f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4262d3fe9d648e243ee182ad
Finished request 11.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=7, length=308
Message-Authenticator = 0x0ca2718b291fbbe28082bcdb84c545b7
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4262d3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0207006b190017030100609050f71be529e8a4298db7da8502b8faeadcba74fc99e9ddfe0960259c3f195a921fa28d69ba8df233282f6a29547be7c11310bccfed272c506a790337ba47b73fdd5ff2760bd67eb09d62a5a385bbf54ed00eb3066e8955bdf5f48dc46b93f3
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700421a0207003d31f613ab6b1e8f20d69b72000370a616000000000000000000a0ae9b346e3a9f3f939556588b676a35929c01f270327e77006a656666726579
server {
[peap] Setting User-Name to win0054\jeffrey
Sending tunneled request
EAP-Message = 0x020700421a0207003d31f613ab6b1e8f20d69b72000370a616000000000000000000a0ae9b346e3a9f3f939556588b676a35929c01f270327e77006a656666726579
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "win0054\\jeffrey"
State = 0x05a66f0605a1753bbd5d795e1c248c9d
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for win0054\jeffrey
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=jeffrey)
[ldap] expand: ou=People,dc=wtccorp,dc=com -> ou=People,dc=wtccorp,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=wtccorp,dc=com, with filter (uid=jeffrey)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaAcctFlags -> SMB-Account-CTRL-TEXT == "[U]"
[ldap] sambaNTPassword -> NT-Password == 0x4338374239333639433331343843433241314331363738344134363645463435
[ldap] sambaLMPassword -> LM-Password == 0x3936393736373035453543463432463941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] WARNING: User-Name (win0054\jeffrey) is not the same as MS-CHAP Name (jeffrey) from EAP-MSCHAPv2
[mschap] Creating challenge hash with username: jeffrey
[mschap] Client is using MS-CHAPv2 for jeffrey, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800331a0307002e533d41343938333341454445323745364436324232423838464442363141453031334334344641353133
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05a66f0604ae753bbd5d795e1c248c9d
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message = 0x010800331a0307002e533d41343938333341454445323745364436324232423838464442363141453031334334344641353133
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05a66f0604ae753bbd5d795e1c248c9d
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 172.24.0.48 port 1510
EAP-Message = 0x0108005b19001703010050e447287e8c32c97b3bba2d5ddcebbb2a7a5072606bb3985055cb0d1e42f19cab85b5e3ba2c1c3d5911d6088e96ba61543cb4a2730c2de449aca8322d707acff85d1c89e4719868c37ece12a7858d0ce0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b436dd3fe9d648e243ee182ad
Finished request 12.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=8, length=244
Message-Authenticator = 0x1e3e0ca33e12a9b4057830f377b82244
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b436dd3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0208002b1900170301002058ac08dc09598152957686e0d9ec0bfb4af9ed80b8e98be8b21c0d7ba2a73c78
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800061a03
server {
[peap] Setting User-Name to win0054\jeffrey
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "win0054\\jeffrey"
State = 0x05a66f0604ae753bbd5d795e1c248c9d
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for win0054\jeffrey
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=jeffrey)
[ldap] expand: ou=People,dc=wtccorp,dc=com -> ou=People,dc=wtccorp,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=wtccorp,dc=com, with filter (uid=jeffrey)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaAcctFlags -> SMB-Account-CTRL-TEXT == "[U]"
[ldap] sambaNTPassword -> NT-Password == 0x4338374239333639433331343843433241314331363738344134363645463435
[ldap] sambaLMPassword -> LM-Password == 0x3936393736373035453543463432463941414433423433354235313430344545
[ldap] looking for reply items in directory...
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x14cdaa5dd80a97d68f9a273925682cff
MS-MPPE-Recv-Key = 0x0d3dced83362f21239048b9280abfc62
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "win0054\\jeffrey"
[peap] Got tunneled reply RADIUS code Access-Accept
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x14cdaa5dd80a97d68f9a273925682cff
MS-MPPE-Recv-Key = 0x0d3dced83362f21239048b9280abfc62
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "win0054\\jeffrey"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 172.24.0.48 port 1510
EAP-Message = 0x0109002b19001703010020789df7189a45a0b33091349b5e386e2fc1ff4a2f09623998d30272a775b4cb92
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4465ca6b4c6cd3fe9d648e243ee182ad
Finished request 13.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host 172.24.0.48 port 1510, id=9, length=244
Message-Authenticator = 0xc85bfd7428baa565719f188f4e6077f2
Service-Type = Framed-User
User-Name = "win0054\\jeffrey"
Framed-MTU = 1488
State = 0x4465ca6b4c6cd3fe9d648e243ee182ad
Called-Station-Id = "00-0F-B5-6E-31-73:fh-test-ap"
Calling-Station-Id = "00-1F-3C-B2-AD-72"
NAS-Identifier = "FWAG114"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0209002b190017030100201f684809b50701513be173c26cfb7cb773d3d2ff3af2d82a04e5aa5203930ec2
NAS-IP-Address = 0.0.0.0
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 172.24.0.48
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.24.0.48/auth-detail-20151002
[auth_log] expand: %t -> Fri Oct 2 17:14:28 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "win0054\jeffrey", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 9 to 172.24.0.48 port 1510
MS-MPPE-Recv-Key = 0xb6366ecd1300654a450cf0f52f17764ceef21afb49657ae5569ac80e7ac85529
MS-MPPE-Send-Key = 0xfe041f1c30415092e2a826a51a0ff7eff3d0fceac33d78f95f08a36ad310fec0
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "win0054\\jeffrey"
Finished request 14.
Going to the next request
Waking up in 2.7 seconds.
Cleaning up request 0 ID 0 with timestamp +32
Cleaning up request 1 ID 1 with timestamp +32
Cleaning up request 2 ID 2 with timestamp +32
Cleaning up request 3 ID 3 with timestamp +32
Cleaning up request 4 ID 4 with timestamp +32
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x98bd76209cb86f3a did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Waking up in 2.0 seconds.
Cleaning up request 5 ID 0 with timestamp +34
Cleaning up request 6 ID 1 with timestamp +34
Cleaning up request 7 ID 2 with timestamp +34
Cleaning up request 8 ID 3 with timestamp +34
Cleaning up request 9 ID 4 with timestamp +34
Cleaning up request 10 ID 5 with timestamp +34
Cleaning up request 11 ID 6 with timestamp +34
Cleaning up request 12 ID 7 with timestamp +34
Cleaning up request 13 ID 8 with timestamp +34
Cleaning up request 14 ID 9 with timestamp +34
Ready to process requests.
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
More information about the Freeradius-Users mailing list