iOS, Certificate and "Could not scan for wireless network"
Vito A. Smaldino
vitoantonio.smaldino at istruzione.it
Fri Oct 16 19:08:42 CEST 2015
Hi all,
In my test environment I'm facing this problem:
When I try to connect from an iPad (iOS 8.4 and 9.0) I receive the
certificate, immediately followed by the popup saying "Could not scan for
wireless network" ( http://www.smaldino.it/appo/IMG_1160.png ).
Almost simultaneously FR ends with "Ready to process requests." and, even
if I close the popup and tap "Trust", it doesn't connect.
I visited
http://wiki.freeradius.org/guide/Certificate_Compatibility#eap-session-did-not-finish
but it refers to Windows problems and MTU size. In the log I found that the
Framed-MTU is set to 1400; is it small enough, or is the problem elsewhere?
And one last thing: sometimes, after the popup and tapping "Trust", it connects! N.B.
FR and the AP are on the same LAN.
Thanks for the help.
V
radiusd: FreeRADIUS Version 2.2.8, for host i686-pc-linux-gnu, built on Sep 22 2015 at 21:42:30
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/tmp/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
}
realm LOCAL {
authhost = LOCAL
accthost = LOCAL
}
realm SMALDINO.LAN {
authhost = LOCAL
accthost = LOCAL
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
require_message_authenticator = no
secret = "ZeroShell"
shortname = "localhost"
nastype = "other"
}
client 192.0.0.0/8 {
require_message_authenticator = no
secret = "testing123"
shortname = "Cl192"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = yes
with_ntdomain_hack = yes
allow_retry = yes
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/ssl/certs/trusted_CAs/"
pem_file_type = yes
private_key_file = "/var/register/system/radius/TLS/key.pem"
certificate_file = "/var/register/system/radius/TLS/cert.pem"
dh_file = "/etc/ssl/dh.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
ecdh_curve = "prime256v1"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = yes
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_attr_rewrite
Module: Instantiating module "routeradmin" from file /etc/raddb/radiusd.conf
attr_rewrite routeradmin {
attribute = "User-Name"
searchfor = ".enab15."
searchin = "packet"
replacewith = "_enab15_"
append = no
ignore_case = yes
new_attribute = no
max_matches = 10
}
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
preprocess {
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = yes
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/raddb/radiusd.conf
detail auth_log {
detailfile = "/var/log/radius/reply"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
compat = "no"
}
reading pairlist file /etc/raddb/users
reading pairlist file /etc/raddb/acct_users
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/radiusd.conf
ldap {
server = "127.0.0.1"
port = 389
password = ""
expect_password = yes
identity = ""
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "ou=Radius,dc=smaldino,dc=lan"
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
password_attribute = "sn"
auto_header = no
access_attr = "dialupAccess"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
conns: 0x861cf48
Module: Linked to module rlm_exec
Module: Instantiating module "pppIP" from file /etc/raddb/radiusd.conf
exec pppIP {
wait = yes
program = "/root/kerbynet.cgi/scripts/pppIP"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
detail {
detailfile = "/dev/null"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
Module: Instantiating module "acct_store" from file /etc/raddb/radiusd.conf
exec acct_store {
wait = yes
program = "/root/kerbynet.cgi/scripts/acct_store"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "SessionLimits" from file /etc/raddb/radiusd.conf
exec SessionLimits {
wait = yes
program = "/root/kerbynet.cgi/scripts/radius-session-limits"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Module: Instantiating module "RadiusLog" from file /etc/raddb/radiusd.conf
exec RadiusLog {
wait = yes
program = "/root/kerbynet.cgi/scripts/RadiusLog"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
Module: Instantiating module "reply_log" from file /etc/raddb/radiusd.conf
detail reply_log {
detailfile = "/dev/null"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
escape_filenames = no
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=10,
length=185
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200001701746573743140736d616c64696e6f2e6c616e
Message-Authenticator = 0x6d9e58408de63738f0cffcafff2cf992
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 127.0.0.1:389, authentication 0
[ldap] bind as / to 127.0.0.1:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter
(cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 10 to 192.168.2.1 port 45290
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e1c3a7cd8f7bb7a7c9250742
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=11,
length=186
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100060319
State = 0xe1c2aac6e1c3a7cd8f7bb7a7c9250742
Message-Authenticator = 0x8a2a41183e342309aa40ff4974455ba7
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter
(cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 11 to 192.168.2.1 port 45290
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e0c0b3cd8f7bb7a7c9250742
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=12,
length=332
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0202009819800000008e160301008901000085030156211829e5957d201cda1bae922443901fe3790b6d9105a60794b4dce2fdfa7400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
State = 0xe1c2aac6e0c0b3cd8f7bb7a7c9250742
Message-Authenticator = 0x5dbd5564fcff2011be133c641c1ca2a6
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 152
[eap] Continuing tunnel setup.
++[eap] = ok
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter
(cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 142
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0089], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e1], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 12 to 192.168.2.1 port 45290
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0x3031353230343034335a170d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e3c1b3cd8f7bb7a7c9250742
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=13,
length=186
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020300061900
State = 0xe1c2aac6e3c1b3cd8f7bb7a7c9250742
Message-Authenticator = 0x9cfe139ac01c61752c18a7d388667309
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter
(cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 13 to 192.168.2.1 port 45290
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0x529d5e7cf72734cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e2c6b3cd8f7bb7a7c9250742
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=14,
length=186
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020400061900
State = 0xe1c2aac6e2c6b3cd8f7bb7a7c9250742
Message-Authenticator = 0x036f0f4ebd2ecf2f42519b9ad1983cf1
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter
(cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 14 to 192.168.2.1 port 45290
EAP-Message =
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
EAP-Message =
0x4bcf1659c974acbd061c230a936775ca0ce5d0590ea4b3d185806e7fb12aab089f77cbaa7ec004873d51555d3a447198e8471c1d92993599e7cc30c4cc1264e97f0b1d0f196e2294d36c6416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e5c7b3cd8f7bb7a7c9250742
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 10 with timestamp +35
Cleaning up request 1 ID 11 with timestamp +35
Cleaning up request 2 ID 12 with timestamp +35
Cleaning up request 3 ID 13 with timestamp +35
Cleaning up request 4 ID 14 with timestamp +35
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe1c2aac6e5c7b3cd did not finish!
WARNING: !! Please read
http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
--
Vito A. Smaldino
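The debug log above can be read more precisely by decoding the EAP-Message attributes it prints. The following Python is an added example, not code from the poster or from FreeRADIUS: it parses the complete EAP-Message values copied verbatim from this log, decodes the EAP-TLS/PEAP flags byte, and reads the iPad's ClientHello. The server's certificate fragments are elided in the archive copy, so only the tail of the server's last EAP-Message is examined, to confirm it ends with a ServerHelloDone record. The cipher-suite name table is a partial lookup added here; suites not in it are printed as raw hex.

```python
"""Decode the EAP-Message hex in a FreeRADIUS 2.x debug log (added example; not code from
the post above or from FreeRADIUS). The hex strings at the bottom are copied from that log."""
import struct
from datetime import datetime, timezone

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_FAMILY = (13, 21, 25)                      # EAP types that use the EAP-TLS flags/length framing
GROUPS = {0x17: "secp256r1", 0x18: "secp384r1", 0x19: "secp521r1"}
CIPHER_NAMES = {                               # partial table; suites not listed are shown as hex
    0x00ff: "EMPTY_RENEGOTIATION_INFO_SCSV", 0xc024: "ECDHE-ECDSA-AES256-SHA384",
    0xc028: "ECDHE-RSA-AES256-SHA384", 0xc014: "ECDHE-RSA-AES256-SHA", 0xc013: "ECDHE-RSA-AES128-SHA",
    0x006b: "DHE-RSA-AES256-SHA256", 0x0039: "DHE-RSA-AES256-SHA", 0x0033: "DHE-RSA-AES128-SHA",
    0x0035: "AES256-SHA", 0x002f: "AES128-SHA", 0x000a: "DES-CBC3-SHA", 0x0005: "RC4-SHA", 0x0004: "RC4-MD5",
}
SERVER_HELLO_DONE = bytes.fromhex("16030100040e000000")   # one TLS 1.0 record: ServerHelloDone


def _unhex(hexstr):
    return bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)


def decode_eap(hexstr):
    """Parse one EAP packet (RFC 3748 header, then the EAP-TLS/PEAP flags byte and optional length)."""
    data = _unhex(hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} does not match {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return pkt
    etype = data[4]
    pkt["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        pkt["identity"] = data[5:].decode("utf-8", "replace")
    elif etype == 3:                           # Nak: the peer lists the type(s) it will accept instead
        pkt["wanted"] = [EAP_TYPES.get(t, t) for t in data[5:]]
    elif etype in TLS_FAMILY:
        flags = data[5]
        pkt["flags"] = "".join(f for f, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & bit)
        pos = 6
        if flags & 0x80:                       # L bit: 4-byte length of the whole TLS message follows
            pkt["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
            pos = 10
        pkt["tls_data"] = data[pos:]
        pkt["ack"] = (not pkt["tls_data"]) and not (flags & 0x20)   # empty and not Start: fragment ACK
    return pkt


def parse_client_hello(tls):
    """Extract version, client clock, cipher suites and EC extensions from a single-record ClientHello."""
    ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
    body = tls[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 1 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a complete single-record ClientHello")
    p = 4
    version = tuple(body[p:p + 2]); p += 2
    gmt_unix_time = struct.unpack("!I", body[p:p + 4])[0]; p += 32        # random = 4-byte time + 28 bytes
    p += 1 + body[p]                                                      # session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    suites = struct.unpack(f"!{cs_len // 2}H", body[p:p + cs_len]); p += cs_len
    p += 1 + body[p]                                                      # compression methods
    exts = {}
    if p < len(body):                                                     # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
        while p < ext_end:
            et, el = struct.unpack("!HH", body[p:p + 4]); p += 4
            exts[et] = body[p:p + el]; p += el
    groups = exts.get(0x000a, b"\x00\x00")[2:]                            # skip the list-length prefix
    return {
        "client_version": version,
        "client_time": datetime.fromtimestamp(gmt_unix_time, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "cipher_suites": [CIPHER_NAMES.get(s, f"0x{s:04x}") for s in suites],
        "supported_groups": [GROUPS.get(g, g) for g in struct.unpack(f"!{len(groups) // 2}H", groups)],
        "ec_point_formats": list(exts.get(0x000b, b"\x00")[1:]),
    }


def ends_with_server_hello_done(hexstr):
    """True if a (possibly partial) EAP-Message chunk ends in a ServerHelloDone record."""
    return _unhex(hexstr).endswith(SERVER_HELLO_DONE)


# Copied from the log above. The list archive prints "@" as " at "; the Identity bytes carry 0x40.
LOG_EAP_MESSAGES = [
    "0x0200001701746573743140736d616c64696e6f2e6c616e",   # id=10: EAP Identity response
    "0x010100060d20",                                     # reply to id=10: EAP-TLS Start (S bit)
    "0x020100060319",                                     # id=11: Nak, the iPad asks for PEAP
    "0x010200061920",                                     # reply to id=11: PEAP Start (S bit)
    "0x0202009819800000008e160301008901000085030156211829e5957d201cda1bae922443901fe3790b6d9105a60794b4dce2fdfa7400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100",
    "0x020300061900",                                     # id=13: ACK of the first server fragment
    "0x020400061900",                                     # id=14: ACK of the second fragment
]
# Tail of the server's last EAP-Message in the log (the rest is elided in the archive copy).
LAST_SERVER_CHUNK = "0x4bcf1659c974acbd061c230a936775ca0ce5d0590ea4b3d185806e7fb12aab089f77cbaa7ec004873d51555d3a447198e8471c1d92993599e7cc30c4cc1264e97f0b1d0f196e2294d36c6416030100040e000000"

if __name__ == "__main__":
    for h in LOG_EAP_MESSAGES:
        pkt = decode_eap(h)
        tls = pkt.get("tls_data", b"")
        detail = parse_client_hello(tls) if tls[:1] == b"\x16" else {
            k: v for k, v in pkt.items() if k in ("identity", "wanted", "flags", "ack")}
        print(pkt["code"], "id", pkt["id"], pkt["type"], detail)
    print("last server flight ends with ServerHelloDone:", ends_with_server_hello_done(LAST_SERVER_CHUNK))
```

Run against the log's own bytes, the decoder shows what the text of the log only implies: the Identity response carries "test1@smaldino.lan" (the archive rewrote the "@"); the server's first challenge is an EAP-TLS Start because default_eap_type is "tls", and the iPad Naks it and asks for PEAP; the ClientHello is TLS 1.0 with 37 cipher suites (including RC4 and 3DES), offers the P-256, P-384 and P-521 curves, and its gmt_unix_time field is 15:30:49 UTC, matching the log's 17:30:49 CEST timestamps. The server's final flight (the challenge for id 14) ends with ServerHelloDone, after which the next TLS message is the client's; the log shows no further Access-Request for this session before the "did not finish" warning.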