freeradius auth in win AD

Zenon Matuszyk zenon.matuszyk at networkers.pl
Thu Jun 16 14:19:47 CEST 2016


Hello,

I have a little problem with auth in Windows AD when using 
userPrincipalName (using samAccountName works fine). In the mschap file I have:

     ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

and in the ldap file:

  filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"

In the debug output I see:

rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=207, length=318
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 
0x0203001d0161612e616140737475642e6173702e6b72616b6f772e706c
         Message-Authenticator = 0x398163ea5774aa56b4a9a5bb7f1ec443
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 3 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[files]         expand: 
(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to pdc.wcc.local:389, authentication 0
   [ldap] bind as cn=freeradius,ou=Services,dc=wcc,dc=local/rad--wcc--02 
to pdc.wcc.local:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in dc=wcc,dc=local, with filter 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_release_conn: Release Id: 0
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=workers)
   [ldap] object not found
rlm_ldap::groupcmp: Group workers not found or user not a member
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=students)
rlm_ldap::ldap_groupcmp: User found in group students
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
[ldap] performing user authorization for aa.aa at stud.wcc.domain.pl
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[ldap]  expand: 
(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
[ldap]  expand: dc=wcc,dc=local -> dc=wcc,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
   [ldap] sAMAccountName -> AD-Samaccountname = "s87030702814"
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user aa.aa at stud.wcc.domain.pl authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 207 to 10.65.100.41 port 32775
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 := "216"
         EAP-Message = 0x01040016041018835bd878d0921cb20627ef9ffb1eac
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e4e47b7995348cff618d76b9
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=208, length=313
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 0x020400060319
         State = 0xe4e07f21e4e47b7995348cff618d76b9
         Message-Authenticator = 0xee09ae2d1c397db4c44fa8ef0ada48ae
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[files]         expand: 
(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_release_conn: Release Id: 0
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=workers)
   [ldap] object not found
rlm_ldap::groupcmp: Group workers not found or user not a member
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=students)
rlm_ldap::ldap_groupcmp: User found in group students
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
[ldap] performing user authorization for aa.aa at stud.wcc.domain.pl
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[ldap]  expand: 
(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
[ldap]  expand: dc=wcc,dc=local -> dc=wcc,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
   [ldap] sAMAccountName -> AD-Samaccountname = "s87030702814"
WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?
[ldap] user aa.aa at stud.wcc.domain.pl authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 208 to 10.65.100.41 port 32775
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 := "216"
         EAP-Message = 0x010500061920
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e5e5667995348cff618d76b9
Finished request 1.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=209, length=429
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 
0x0205007a198000000070160301006b01000067030157628ed30f67b761e282d085d72f59adfd847fc69ee371cc28ea1f91446a23bc000018c014c0130035002fc00ac00900380032000a00130005000401000026000500050100000000000a0006000400170018000b000201000023000000170000ff01000100
         State = 0xe4e07f21e5e5667995348cff618d76b9
         Message-Authenticator = 0xcf052b361d54c7fb8dbea484cc3bd8de
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 5 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 078d], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 209 to 10.65.100.41 port 32775
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e6e6667995348cff618d76b9
Finished request 2.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=210, length=313
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 0x020600061900
         State = 0xe4e07f21e6e6667995348cff618d76b9
         Message-Authenticator = 0x00d087c8c9b2868d9b3d87e1cc5bcce0
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 210 to 10.65.100.41 port 32775
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e7e7667995348cff618d76b9
Finished request 3.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=211, length=313
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 0x020700061900
         State = 0xe4e07f21e7e7667995348cff618d76b9
         Message-Authenticator = 0x01ec9033518a72159b2dea4263cd2b77
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 211 to 10.65.100.41 port 32775
         EAP-Message = 
0x010800c319007d817762afcedcd239ec14513684f7f94d191494faccaa06effad9e58d39820e4f5647daa052abd7e7b49074cbfacb3bd2e1008066b7e15b1e17ba1642140c22bba1027378e36599e026c9eca4b4b3d904e5a5fd45f5751be89edcd9a4c22da741ac95da243fbdb7e39730fd9c50fdd1658591c0bbf771333f4a7cd1eb0105c985cc8df4e627aeca1f02e7b4c713741eb2165d5e181545175e76bf823f6dff2781dea2ee0736037352635b7398d0e7e9b2e157fe16030100040e000000
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e0e8667995348cff618d76b9
Finished request 4.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=212, length=451
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 
0x02080090198000000086160301004610000042410403e7081c98bcda62512f4d203b9f598447197d8eb63d2adbb6a1d31bcaf8637dde11be3ddfb9091e7be0b91c333ce0b1af1f78796a25b5c02df37a0432872eea1403010001011603010030cb2050690622d017ed0a6963816b8b78cc278b9e6b166ef8094a5ae870be8b97a42f70cecc570cf8f43008896dfbbbbf
         State = 0xe4e07f21e0e8667995348cff618d76b9
         Message-Authenticator = 0xa935f4a4d0d32ad7fcda0d8e2660fb83
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 212 to 10.65.100.41 port 32775
         EAP-Message = 
0x01090041190014030100010116030100301ed6f53ea85d9c6f1c9486e2141d4a680224a377f835dcc3fcdfbdcafb604c309d2af9bce8e8e9d39ee13f6229050ac8
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e1e9667995348cff618d76b9
Finished request 5.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=213, length=313
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 0x020900061900
         State = 0xe4e07f21e1e9667995348cff618d76b9
         Message-Authenticator = 0x5366466fff4c6b7bcd1d24a6f3d72b0c
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 213 to 10.65.100.41 port 32775
         EAP-Message = 
0x010a002b19001703010020c623b3d76abff3c81e73899a1eb587af56e8d00f3ad966be957be1a171bb62b3
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e2ea667995348cff618d76b9
Finished request 6.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=214, length=366
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 
0x020a003b1900170301003062c1068fd1c72ce5d715510b021fb2920d5d8f847a99de6e5dee35df22f834e58116a0458fa2e25ae7f188f891007d34
         State = 0xe4e07f21e2ea667995348cff618d76b9
         Message-Authenticator = 0x6bf348b944190d74383badd3fd272279
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 10 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - aa.aa at stud.wcc.domain.pl
[peap] Got inner identity 'aa.aa at stud.wcc.domain.pl'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
         EAP-Message = 
0x020a001d0161612e616140737475642e6173702e6b72616b6f772e706c
server  {
[peap] Setting User-Name to aa.aa at stud.wcc.domain.pl
Sending tunneled request
         EAP-Message = 
0x020a001d0161612e616140737475642e6173702e6b72616b6f772e706c
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[files]         expand: 
(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_release_conn: Release Id: 0
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=workers)
   [ldap] object not found
rlm_ldap::groupcmp: Group workers not found or user not a member
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=students)
rlm_ldap::ldap_groupcmp: User found in group students
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'aa.aa at stud.wcc.domain.pl'
# Executing group from file 
/etc/freeradius-eduroam//sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 := "216"
         EAP-Message = 
0x010b00321a010b002d109ce0b0ed27560f706b913753486d010361612e616140737475642e6173702e6b72616b6f772e706c
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xf7406046f74b7ad73c0df3922cff6ba2
[peap] Got tunneled reply RADIUS code 11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 := "216"
         EAP-Message = 
0x010b00321a010b002d109ce0b0ed27560f706b913753486d010361612e616140737475642e6173702e6b72616b6f772e706c
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xf7406046f74b7ad73c0df3922cff6ba2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 214 to 10.65.100.41 port 32775
         EAP-Message = 
0x010b005b190017030100503ae86e59fc0b91c6c5ae412b2292f1f5d6efa460ec1b01c358014be90d5006fa9b793a2e1af9e64795f54e239fd7281dd696d018c7f44b4cb2eb67ecd475cc434c473f009dba337006b1aab298ba8ad4
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21e3eb667995348cff618d76b9
Finished request 7.
Going to the next request
Waking up in 2.7 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=215, length=430
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 
0x020b007b1900170301007093a027714c83b1c3148c0f0cb48de716b6b8527d3c24f93d9b44a02cc3dcda6daf31becba6d782b69a235c564632021dfaae14f860e1822b139394a91915dc4763438a1eb0f2c647c13c486a3562ac0c029a326c091013c0b4544e9a716599fb33ce121f27c9aedfc38e736d36a339f2
         State = 0xe4e07f21e3eb667995348cff618d76b9
         Message-Authenticator = 0x4aa39debfb53301591faa7194e96605e
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 11 length 123
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
         EAP-Message = 
0x020b00531a020b004e315381f7e957bdb65b4cecc534fb1381090000000000000000484795e959127ad898fd4230c3e3f52cbd19297d084e00d50061612e616140737475642e6173702e6b72616b6f772e706c
server  {
[peap] Setting User-Name to aa.aa at stud.wcc.domain.pl
Sending tunneled request
         EAP-Message = 
0x020b00531a020b004e315381f7e957bdb65b4cecc534fb1381090000000000000000484795e959127ad898fd4230c3e3f52cbd19297d084e00d50061612e616140737475642e6173702e6b72616b6f772e706c
         FreeRADIUS-Proxied-To = 127.0.0.1
         User-Name = "aa.aa at stud.wcc.domain.pl"
         State = 0xf7406046f74b7ad73c0df3922cff6ba2
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/inner-tunnel
+- entering group authorize {...}
++[mschap] returns noop
++[control] returns noop
[eap] EAP packet type response id 11 length 83
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[files]         expand: 
(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(userPrincipalName=aa.aa at stud.wcc.domain.pl)
   [ldap] ldap_release_conn: Release Id: 0
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=workers)
   [ldap] object not found
rlm_ldap::groupcmp: Group workers not found or user not a member
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files]         expand: dc=wcc,dc=local -> dc=wcc,dc=local
[files]         expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=wcc,dc=local, with filter 
(&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa 
aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))))
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with 
filter (objectclass=*)
   [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, 
with filter (cn=students)
rlm_ldap::ldap_groupcmp: User found in group students
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'aa.aa at stud.wcc.domain.pl'
# Executing group from file 
/etc/freeradius-eduroam//sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file 
/etc/freeradius-eduroam//sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
[mschap] Told to do MS-CHAPv2 for aa.aa at stud.wcc.domain.pl with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap]        expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
[mschap]        expand: 
--username=%{%{Stripped-User-Name}:-%{User-Name}} -> 
--username=aa.aa at stud.wcc.domain.pl
[mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=1282528812d8f6bb
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=484795e959127ad898fd4230c3e3f52cbd19297d084e00d5
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Logon failure 
(0xc000006d)): [aa.aa at stud.wcc.domain.pl] (from client 10.65.100.41 port 
2 cli b4-74-9f-ea-2a-1e via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 := "216"
         MS-CHAP-Error = "\013E=691 R=1"
         EAP-Message = 0x040b0004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 := "216"
         MS-CHAP-Error = "\013E=691 R=1"
         EAP-Message = 0x040b0004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 215 to 10.65.100.41 port 32775
         EAP-Message = 
0x010c002b1900170301002020427a067789db85515b75eca6b998b12bb6deeb76176187226b9a84520a3b05
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xe4e07f21ecec667995348cff618d76b9
Finished request 8.
Going to the next request
Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 10.65.100.41 port 32775, 
id=216, length=350
         User-Name = "aa.aa at stud.wcc.domain.pl"
         Chargeable-User-Identity = ""
         Location-Capable = Civix-Location
         Calling-Station-Id = "b4-74-9f-ea-2a-1e"
         Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST"
         NAS-Port = 2
         Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2"
         Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674"
         NAS-IP-Address = 10.65.100.41
         NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1"
         Airespace-Wlan-Id = 4
         Service-Type = Framed-User
         Framed-MTU = 1300
         NAS-Port-Type = Wireless-802.11
         Tunnel-Type:0 = VLAN
         Tunnel-Medium-Type:0 = IEEE-802
         Tunnel-Private-Group-Id:0 = "216"
         EAP-Message = 
0x020c002b190017030100205085a1640815b69b53fa1a5c28367074dda54682f404abe7deb8fcd3494e92cb
         State = 0xe4e07f21ecec667995348cff618d76b9
         Message-Authenticator = 0x2a8e923b8e2d7d08b9fdd1747d80c60d
# Executing section authorize from file 
/etc/freeradius-eduroam//sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the 
debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will 
tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [aa.aa at stud.wcc.domain.pl] (from client 10.65.100.41 
port 2 cli b4-74-9f-ea-2a-1e)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius-eduroam//sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 
aa.aa at stud.wcc.domain.pl
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 216 to 10.65.100.41 port 32775
         EAP-Message = 0x040c0004
         Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.0 seconds.
Cleaning up request 0 ID 207 with timestamp +37
Waking up in 1.0 seconds.
Cleaning up request 1 ID 208 with timestamp +38
Cleaning up request 2 ID 209 with timestamp +39
Cleaning up request 3 ID 210 with timestamp +39
Cleaning up request 4 ID 211 with timestamp +39
Cleaning up request 5 ID 212 with timestamp +39
Cleaning up request 6 ID 213 with timestamp +39
Waking up in 1.0 seconds.
Cleaning up request 7 ID 214 with timestamp +39
Waking up in 0.7 seconds.
Cleaning up request 8 ID 215 with timestamp +40
Waking up in 1.0 seconds.
Cleaning up request 9 ID 216 with timestamp +41
Ready to process requests.



-- 
Z poważaniem / Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zenon.matuszyk at networkers.pl
www: http://www.networkers.pl
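As an added example (not code from the post or from the FreeRADIUS project), a small Python triage script that does what the [peap] hint in the debug output asks: it walks the log, pulls the reject reason out of the inner tunnel rather than the outer "Login incorrect", and names the two codes the log shows (NTSTATUS 0xc000006d and MS-CHAP-Error E=691). The excerpt embedded in it is constructed to mirror the post's lines, with '@' restored where the archive renders " at ".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt mirroring the debug lines quoted in the post (hex blobs
# dropped, the archive's " at " rendering of '@' restored); not a real capture.
SAMPLE_DEBUG = """\
server inner-tunnel {
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa@stud.wcc.domain.pl
Exec-Program output: Logon failure (0xc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
Login incorrect (mschap: External script says Logon failure (0xc000006d)): [aa.aa@stud.wcc.domain.pl] (from client 10.65.100.41 port 2 cli b4-74-9f-ea-2a-1e via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
         MS-CHAP-Error = "\\013E=691 R=1"
Login incorrect: [aa.aa@stud.wcc.domain.pl] (from client 10.65.100.41 port 2 cli b4-74-9f-ea-2a-1e)
Sending Access-Reject of id 216 to 10.65.100.41 port 32775
"""

# Only the two codes that appear on the page, with their documented names.
NTSTATUS_NAMES = {0xC000006D: "STATUS_LOGON_FAILURE"}
MSCHAP_ERRORS = {691: "ERROR_AUTHENTICATION_FAILURE"}  # RFC 2759, section 6

@dataclass
class RejectReport:
    inner_user: Optional[str] = None     # name in the inner-tunnel "Login incorrect"
    ntlm_username: Optional[str] = None  # value handed to ntlm_auth --username
    ntstatus: Optional[int] = None       # NTSTATUS code winbind reported
    mschap_error: Optional[int] = None   # E= code returned in MS-CHAP-Error
    findings: List[str] = field(default_factory=list)

def triage(debug: str) -> RejectReport:
    """Pull the real reject reason out of the inner tunnel, as the [peap] hint asks."""
    rep, in_inner = RejectReport(), False
    for line in debug.splitlines():
        if line.startswith("server inner-tunnel {"):
            in_inner = True
        elif line.startswith("} # server inner-tunnel"):
            in_inner = False
        if m := re.search(r"-> --username=(\S+)", line):
            rep.ntlm_username = m.group(1)
        if m := re.match(r"Exec-Program output: .*\(0x([0-9a-fA-F]{8})\)", line):
            rep.ntstatus = int(m.group(1), 16)
        if in_inner and (m := re.match(r"Login incorrect.*\[([^\]]+)\]", line)):
            rep.inner_user = m.group(1)  # the outer-tunnel "Login incorrect" is ignored
        if m := re.search(r'MS-CHAP-Error = ".*E=(\d+) R=\d"', line):
            rep.mschap_error = int(m.group(1))
    if rep.ntstatus is not None:
        rep.findings.append(f"ntlm_auth reported {NTSTATUS_NAMES.get(rep.ntstatus, 'unknown')} (0x{rep.ntstatus:08x})")
    if rep.ntlm_username and "@" in rep.ntlm_username:
        rep.findings.append("ntlm_auth --username got a UPN-form name (has '@'), not a plain account name")
    if rep.mschap_error is not None:
        rep.findings.append(f"MS-CHAP-Error E={rep.mschap_error} ({MSCHAP_ERRORS.get(rep.mschap_error, 'unknown')}) sent to supplicant")
    return rep
```

Feed it a saved `radiusd -X` capture (read the file and pass the text to `triage()`); the findings list is empty when no inner-tunnel reject is present.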




More information about the Freeradius-Users mailing list