EAP-TTLS not working
Marlen Caemmerer
caemmerer at ash-berlin.eu
Mon Oct 17 15:35:04 CEST 2016
Hello,
On 2016-10-13 15:20, A.L.M.Buxey at lboro.ac.uk wrote:
> debug didn't have an auth attempt in it. how is the Mac configured for
> EAP auth - using a profile? - your config has default type for TTLS
> being md5
> - maybe want to look at that
Sorry for the late answer. I had to get a test client.
I use a network profile for it which is generated via a portal called
cat.eduroam.org.
This is the debug output of a client that connected.
... adding new socket proxy address * port 39108
Listening on authentication address * port 1820
Listening on accounting address * port 1821
Listening on proxy address * port 1822
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=132,
length=203
User-Name = "anonymous at ash-berlin.eu"
Calling-Station-Id = "5C-96-9D-10-D1-4B"
Called-Station-Id = "00-23-EA-7D-93-A0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.16.1.30
NAS-Identifier = "WLC1"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "14"
EAP-Message =
0x0201001c01616e6f6e796d6f7573406173682d6265726c696e2e6575
Message-Authenticator = 0x92b06b7b20a6d6066fc225283c27a312
server eduroam {
# Executing section authorize from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log]
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
++[auth_log] = ok
[suffix] Looking up realm "ash-berlin.eu" for User-Name =
"anonymous at ash-berlin.eu"
[suffix] No such realm "ash-berlin.eu"
++[suffix] = noop
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/))
expand: %{control:Proxy-To-Realm} ->
?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE
?? Skipping (User-Name =~ /.*@ash-berlin.eu$/)
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/)) -> FALSE
++[preprocess] = ok
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair NAS-IP-Address = 172.16.1.30
rlm_perl: Added pair NAS-Port = 29
rlm_perl: Added pair User-Name = anonymous at ash-berlin.eu
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Airespace-Wlan-Id = 7
rlm_perl: Added pair EAP-Message =
0x0201001c01616e6f6e796d6f7573406173682d6265726c696e2e6575
rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B
rlm_perl: Added pair Tunnel-Private-Group-Id = 14
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Message-Authenticator =
0x92b06b7b20a6d6066fc225283c27a312
rlm_perl: Added pair NAS-Identifier = WLC1
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam
rlm_perl: Added pair Auth-Type = Perl
++[perl] = ok
[eap] EAP packet type response id 1 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
+} # group authorize = updated
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'anonymous at ash-berlin.eu'
# Executing group from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server eduroam
Sending Access-Challenge of id 132 to 127.0.0.1 port 59385
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfcd9611ffcdb74ad4996af7f0a8b0ca0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=133,
length=324
User-Name = "anonymous at ash-berlin.eu"
Calling-Station-Id = "5C-96-9D-10-D1-4B"
Called-Station-Id = "00-23-EA-7D-93-A0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.16.1.30
NAS-Identifier = "WLC1"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "14"
EAP-Message =
0x0202008315800000007916030100740100007003015804cc9ceea63bd085306a87f9e341866b350550ad000bceb6dd70db3bd9cb8a00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
State = 0xfcd9611ffcdb74ad4996af7f0a8b0ca0
Message-Authenticator = 0x8adafa3b33eae84e3fab037306fdef47
server eduroam {
# Executing section authorize from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log]
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
++[auth_log] = ok
[suffix] Looking up realm "ash-berlin.eu" for User-Name =
"anonymous at ash-berlin.eu"
[suffix] No such realm "ash-berlin.eu"
++[suffix] = noop
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/))
expand: %{control:Proxy-To-Realm} ->
?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE
?? Skipping (User-Name =~ /.*@ash-berlin.eu$/)
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/)) -> FALSE
++[preprocess] = ok
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair User-Name = anonymous at ash-berlin.eu
rlm_perl: Added pair Airespace-Wlan-Id = 7
rlm_perl: Added pair Tunnel-Private-Group-Id = 14
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Message-Authenticator =
0x8adafa3b33eae84e3fab037306fdef47
rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam
rlm_perl: Added pair State = 0xfcd9611ffcdb74ad4996af7f0a8b0ca0
rlm_perl: Added pair NAS-Port = 29
rlm_perl: Added pair NAS-IP-Address = 172.16.1.30
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B
rlm_perl: Added pair EAP-Message =
0x0202008315800000007916030100740100007003015804cc9ceea63bd085306a87f9e341866b350550ad000bceb6dd70db3bd9cb8a00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair NAS-Identifier = WLC1
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Auth-Type = Perl
++[perl] = ok
[eap] EAP packet type response id 2 length 131
[eap] Continuing tunnel setup.
++[eap] = ok
++[pap] = noop
++[mschap] = noop
+} # group authorize = ok
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'anonymous at ash-berlin.eu'
# Executing group from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 121
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0074], ClientHello
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 144b], Certificate
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls] TLS_accept: unknown state
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: unknown state
[ttls] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server eduroam
Sending Access-Challenge of id 133 to 127.0.0.1 port 59385
EAP-Message =
0x0103040015c0000015e71603010039020000350301d978e2494eee2b85dec288b4b5315cd57326fb299b9d907362622fc1890a8e7800c01400000dff01000100000b000403000102160301144b0b00144700144400061e3082061a30820502a00302010202071bdf866ad82312300d06092a864886f70d01010b05003081a7310b3009060355040613024445310f300d06035504080c064265726c696e310f300d06035504070c064265726c696e31283026060355040a0c1f416c6963652d53616c6f6d6f6e2d486f6368736368756c65204265726c696e310d300b060355040b0c04436f6d5a311c301a06035504030c13415348204245524c494e20
EAP-Message =
0x4341202d20473031311f301d06092a864886f70d01090116106361406173682d6265726c696e2e6575301e170d3136303832363039313631315a170d3139303633303030303030305a308183310b3009060355040613024445310f300d06035504080c064265726c696e310f300d06035504070c064265726c696e31283026060355040a0c1f416c6963652d53616c6f6d6f6e2d486f6368736368756c65204265726c696e310d300b060355040b0c04436f6d5a3119301706035504030c10782e617366682d6265726c696e2e646530820122300d06092a864886f70d01010105000382010f003082010a02820101009894a1c24dac379420d92bc582
EAP-Message =
0xec58d6cf4732207271a70916ce2da6b9f3e62e4fe855728c3320650e2c2eb074db7116d6b43c2f2964eddeff5760b4fba6acb964cc0a88efc09cc55bd9fdeaabfbf3988b891f2ef8b5980874b462f50145b9e995e4b9e45b42c7e23a17d768dd0cacab16cc58ec51186d5887562d2ba9092d3629b141cb24ccd468b311dc0c417cbf1decc2000b4cfa12dd94a2e5802d8bd1bd5f43f1f4a59a664776dc4c8b94c96d90109c6e9ac05cdaf558784a7bb0a1d679de214d74f64a358fb9c480ab39b9983d7728ccafc2c2dee10f4d27188c6da5dc3d620c40c200d25acbe8de5b880d5e9432b917bac57a51e0857744ba6e741e250203010001a382026b30
EAP-Message =
0x82026730090603551d1304023000300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e0416041462ebde92e74bf94d09a00189889d9abb67a961b1301f0603551d23041830168014d344b9a15fdd7c3165e86f2913aa4d1a6bcdc6fc30300603551d11042930278210782e617366682d6265726c696e2e64658213786c616e2e617366682d6265726c696e2e64653081850603551d1f047e307c303ca03aa0388636687474703a2f2f636470312e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075622f63726c2f636163726c2e63726c303ca03a
EAP-Message = 0xa0388636687474703a2f2f63
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfcd9611ffdda74ad4996af7f0a8b0ca0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=134,
length=199
User-Name = "anonymous at ash-berlin.eu"
Calling-Station-Id = "5C-96-9D-10-D1-4B"
Called-Station-Id = "00-23-EA-7D-93-A0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.16.1.30
NAS-Identifier = "WLC1"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "14"
EAP-Message = 0x020300061500
State = 0xfcd9611ffdda74ad4996af7f0a8b0ca0
Message-Authenticator = 0x492084960259d2d8cac9828a6941b637
server eduroam {
# Executing section authorize from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log]
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
++[auth_log] = ok
[suffix] Looking up realm "ash-berlin.eu" for User-Name =
"anonymous at ash-berlin.eu"
[suffix] No such realm "ash-berlin.eu"
++[suffix] = noop
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/))
expand: %{control:Proxy-To-Realm} ->
?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE
?? Skipping (User-Name =~ /.*@ash-berlin.eu$/)
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/)) -> FALSE
++[preprocess] = ok
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair User-Name = anonymous at ash-berlin.eu
rlm_perl: Added pair Airespace-Wlan-Id = 7
rlm_perl: Added pair Tunnel-Private-Group-Id = 14
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Message-Authenticator =
0x492084960259d2d8cac9828a6941b637
rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam
rlm_perl: Added pair State = 0xfcd9611ffdda74ad4996af7f0a8b0ca0
rlm_perl: Added pair NAS-Port = 29
rlm_perl: Added pair NAS-IP-Address = 172.16.1.30
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B
rlm_perl: Added pair EAP-Message = 0x020300061500
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair NAS-Identifier = WLC1
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Auth-Type = Perl
++[perl] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[pap] = noop
++[mschap] = noop
+} # group authorize = ok
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'anonymous at ash-berlin.eu'
# Executing group from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server eduroam
Sending Access-Challenge of id 134 to 127.0.0.1 port 59385
EAP-Message =
0x0104040015c0000015e76470322e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075622f63726c2f636163726c2e63726c3081d506082b060105050701010481c83081c5303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304606082b06010505073002863a687474703a2f2f636470312e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075622f6361636572742f6361636572742e637274304606082b06010505073002863a687474703a2f2f636470322e7063612e64666e2e64652f6173682d6265726c696e2d63612f7075
EAP-Message =
0x622f6361636572742f6361636572742e63727430590603551d2004523050300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e3008060667810c0102023011060f2b0601040181ad21822c01010403053011060f2b0601040181ad21822c0201040301300d06092a864886f70d01010b050003820101008f1a8ce6b00a64971970cd4ab32bfd1c4a01725f8c7a05c61fa2e5284a8759634cb39b9e97766b6bd1b7db3435d365850762a8a4d4c406a06799f4765ebb6fb0db7a7cddc5b6da15ea222570d2c420daead262215b8ef7734b5937217aad7ca01bbce2c0c641e600e5a95849e0b35a27428efb33d218d1959cda58
EAP-Message =
0x569e9664254c202c1f942841e29c2210a483397403c4a5877ff0e36180dcc3e1f0853729724dc5ced97113f607879be07a876643a68687a597e605ad725d319b0a8f2832299c90e63e43ef04d131d424f769821e76f0b2d5891bb6a3ee8509f1214d884ab3b41927bee6227f911d537af8d7231c0aab10f64a73e6c55f380610cec314644d00059e3082059a30820482a00302010202071930bad4f92758300d06092a864886f70d01010b0500305a310b300906035504061302444531133011060355040a130a44464e2d56657265696e3110300e060355040b130744464e2d504b49312430220603550403131b44464e2d56657265696e2050434120
EAP-Message =
0x476c6f62616c202d20473031301e170d3135303332343130333233365a170d3139303633303030303030305a3081a7310b3009060355040613024445310f300d06035504080c064265726c696e310f300d06035504070c064265726c696e31283026060355040a0c1f416c6963652d53616c6f6d6f6e2d486f6368736368756c65204265726c696e310d300b060355040b0c04436f6d5a311c301a06035504030c13415348204245524c494e204341202d20473031311f301d06092a864886f70d01090116106361406173682d6265726c696e2e657530820122300d06092a864886f70d01010105000382010f003082010a0282010100ad53771db4be
EAP-Message = 0x88e9d154d793618b2b021a5f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfcd9611ffedd74ad4996af7f0a8b0ca0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=135,
length=199
User-Name = "anonymous at ash-berlin.eu"
Calling-Station-Id = "5C-96-9D-10-D1-4B"
Called-Station-Id = "00-23-EA-7D-93-A0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.16.1.30
NAS-Identifier = "WLC1"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "14"
EAP-Message = 0x020400061500
State = 0xfcd9611ffedd74ad4996af7f0a8b0ca0
Message-Authenticator = 0x348b2d21fe2556a93c0d4a930f2d9693
server eduroam {
# Executing section authorize from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log]
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
++[auth_log] = ok
[suffix] Looking up realm "ash-berlin.eu" for User-Name =
"anonymous at ash-berlin.eu"
[suffix] No such realm "ash-berlin.eu"
++[suffix] = noop
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/))
expand: %{control:Proxy-To-Realm} ->
?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE
?? Skipping (User-Name =~ /.*@ash-berlin.eu$/)
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/)) -> FALSE
++[preprocess] = ok
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair User-Name = anonymous at ash-berlin.eu
rlm_perl: Added pair Airespace-Wlan-Id = 7
rlm_perl: Added pair Tunnel-Private-Group-Id = 14
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Message-Authenticator =
0x348b2d21fe2556a93c0d4a930f2d9693
rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam
rlm_perl: Added pair State = 0xfcd9611ffedd74ad4996af7f0a8b0ca0
rlm_perl: Added pair NAS-Port = 29
rlm_perl: Added pair NAS-IP-Address = 172.16.1.30
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B
rlm_perl: Added pair EAP-Message = 0x020400061500
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair NAS-Identifier = WLC1
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Auth-Type = Perl
++[perl] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[pap] = noop
++[mschap] = noop
+} # group authorize = ok
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'anonymous at ash-berlin.eu'
# Executing group from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server eduroam
Sending Access-Challenge of id 135 to 127.0.0.1 port 59385
EAP-Message =
0x0105040015c0000015e75566e84910b2e07600cf25e19c417a2d3bb78d31093aa77586abfc36eed19e340e25e5fe11540199fea6df7e13e4c540ebcad9cf036083879f91c9e012deb8434b6884a4d6787d806459102350860125af09e5d6e8947c34456db03e86442ac48aec8a67cab27cf3367b4833d24de24735d998d06cbcb1adf75dd403e2a6224f2aa0e73e99c560e964aa55ab17c5c8dd922d14ea9457265e04c4b3491e86395b254ada657e78479ce1cb43ae190c75f61f36e4ff206bc7c2a1e88306e8679be7ec59f4c10b5895244239435eb172a52de91cbb64e23cbe184663fd430974ddf1f2e859fda41dddf64204221078d50203010001
EAP-Message =
0xa38202153082021130120603551d130101ff040830060101ff020101300e0603551d0f0101ff04040302010630290603551d2004223020300d060b2b0601040181ad21822c1e300f060d2b0601040181ad21822c010104301d0603551d0e04160414d344b9a15fdd7c3165e86f2913aa4d1a6bcdc6fc301f0603551d2304183016801449b7c6cfe83d1f7fea447b1329f7f10a703ede64301b0603551d110414301281106361406173682d6265726c696e2e65753081880603551d1f048180307e303da03ba0398637687474703a2f2f636470312e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f63726c2f636163726c2e
EAP-Message =
0x63726c303da03ba0398637687474703a2f2f636470322e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f63726c2f636163726c2e63726c3081d706082b060105050701010481ca3081c7303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304706082b06010505073002863b687474703a2f2f636470312e7063612e64666e2e64652f676c6f62616c2d726f6f742d63612f7075622f6361636572742f6361636572742e637274304706082b06010505073002863b687474703a2f2f636470322e7063612e64666e2e64652f676c6f6261
EAP-Message =
0x6c2d726f6f742d63612f7075622f6361636572742f6361636572742e637274300d06092a864886f70d01010b050003820101001fb9bd5d8a03df03e79c02a84642dff15b0582a0c34aa3d6d72b9570fa95bc3c9d3d3574683d2e944e3a8b3f41d140ed0dc15deb69db81c390489743d4f9d85356cbddfa64f26f368dc2c40ab079d9adac3cb8d4b2d9cfe860c605f692b84d105d23fbe57a55df9f44507c0f449116968c1031787f382733204d6ec4f1382edb126aee240b8ec64dab8808b8fbc4a5ad8498f974ee1fedb0b4ec2ddb8940d2ce9182eefec98a3424e55224115096df91c024701ff1cef1b595de2f897b89866822f6b7c2ac53aca824b1
EAP-Message = 0x031ec6e57be92b407c2ff241
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfcd9611fffdc74ad4996af7f0a8b0ca0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=136,
length=199
User-Name = "anonymous at ash-berlin.eu"
Calling-Station-Id = "5C-96-9D-10-D1-4B"
Called-Station-Id = "00-23-EA-7D-93-A0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.16.1.30
NAS-Identifier = "WLC1"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "14"
EAP-Message = 0x020500061500
State = 0xfcd9611fffdc74ad4996af7f0a8b0ca0
Message-Authenticator = 0x24cb994250a8f14c3115376f34924f5d
server eduroam {
# Executing section authorize from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log]
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
++[auth_log] = ok
[suffix] Looking up realm "ash-berlin.eu" for User-Name =
"anonymous at ash-berlin.eu"
[suffix] No such realm "ash-berlin.eu"
++[suffix] = noop
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/))
expand: %{control:Proxy-To-Realm} ->
?? Evaluating ("%{control:Proxy-To-Realm}" == "DEFAULT") -> FALSE
?? Skipping (User-Name =~ /.*@ash-berlin.eu$/)
++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
/.*@ash-berlin.eu$/)) -> FALSE
++[preprocess] = ok
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair User-Name = anonymous at ash-berlin.eu
rlm_perl: Added pair Airespace-Wlan-Id = 7
rlm_perl: Added pair Tunnel-Private-Group-Id = 14
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Message-Authenticator =
0x24cb994250a8f14c3115376f34924f5d
rlm_perl: Added pair Called-Station-Id = 00-23-EA-7D-93-A0:eduroam
rlm_perl: Added pair State = 0xfcd9611fffdc74ad4996af7f0a8b0ca0
rlm_perl: Added pair NAS-Port = 29
rlm_perl: Added pair NAS-IP-Address = 172.16.1.30
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Calling-Station-Id = 5C-96-9D-10-D1-4B
rlm_perl: Added pair EAP-Message = 0x020500061500
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair NAS-Identifier = WLC1
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Auth-Type = Perl
++[perl] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[pap] = noop
++[mschap] = noop
+} # group authorize = ok
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'anonymous at ash-berlin.eu'
# Executing group from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server eduroam
Sending Access-Challenge of id 136 to 127.0.0.1 port 59385
EAP-Message =
0x0106040015c0000015e77c4e5fd6dfccd8c33e03fe115f8cc8502fbb3d90ccd567f3b32aacbfa7cee813d00bc3dbd3fc6399c3380004d9308204d5308203bda0030201020208504ec6f53d11b464300d06092a864886f70d01010b05003071310b3009060355040613024445311c301a060355040a131344657574736368652054656c656b6f6d204147311f301d060355040b1316542d54656c655365632054727573742043656e746572312330210603550403131a44657574736368652054656c656b6f6d20526f6f742043412032301e170d3134303732323132303832365a170d3139303730393233353930305a305a310b300906035504061302
EAP-Message =
0x444531133011060355040a130a44464e2d56657265696e3110300e060355040b130744464e2d504b49312430220603550403131b44464e2d56657265696e2050434120476c6f62616c202d2047303130820122300d06092a864886f70d01010105000382010f003082010a0282010100e99bc36785f90daef58d54c39650353d62e96e4ced94d7005b952274d420eb348fd6ecc031040b9981e2a614d252a02823848b7489045e5be0e278c178cb16cb2835397b2d9045d0eda0007a7cbf4a0e1b00c386e95c2b31117b0cf38224438c1c388b6a68009aeedc4f78abd2c6139b76adeede26e8ef01af740fc109a2f66bcebdd3cd14304ff5e5e3a4c862
EAP-Message =
0x9b821a0327300d0265604dedd109232a96355827d376c671b6901dc4edff35867d6f33b3db0fc511c28a83a1945d416bd8d210f54cfdca51acd9bdef9283bbdaeb8b16565643cfe1d5133da61f2730cd4954dbc913349a7175c56ceaa70b98f9219d27af3ea33939486a8cadc999fbc312f2bd0203010001a382018630820182300e0603551d0f0101ff040403020106301d0603551d0e0416041449b7c6cfe83d1f7fea447b1329f7f10a703ede64301f0603551d2304183016801431c3791bbaf553d717e0897a2d176c0ab32b9d3330120603551d130101ff040830060101ff02010230620603551d20045b30593011060f2b0601040181ad21822c
EAP-Message =
0x01010402023011060f2b0601040181ad21822c01010403003011060f2b0601040181ad21822c0101040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e303e0603551d1f043730353033a031a02f862d687474703a2f2f706b69303333362e74656c657365632e64652f726c2f44545f524f4f545f43415f322e63726c307806082b06010505070101046c306a302c06082b060105050730018620687474703a2f2f6f637370303333362e74656c657365632e64652f6f63737072303a06082b06010505073002862e687474703a2f2f706b69303333362e74656c657365632e64652f6372742f44545f524f4f545f
EAP-Message = 0x43415f322e636572300d0609
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfcd9611ff8df74ad4996af7f0a8b0ca0
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 59385, id=137,
length=199
User-Name = "anonymous at ash-berlin.eu"
Calling-Station-Id = "5C-96-9D-10-D1-4B"
Called-Station-Id = "00-23-EA-7D-93-A0:eduroam"
NAS-Port = 29
NAS-IP-Address = 172.16.1.30
NAS-Identifier = "WLC1"
Airespace-Wlan-Id = 7
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "14"
EAP-Message = 0x020600061500
State = 0xfcd9611ff8df74ad4996af7f0a8b0ca0
Message-Authenticator = 0xb16a35692f1e06ef4aaf6a6c472883b7
server eduroam {
# Executing section authorize from file
/etc/freeradius.testing/sites-enabled/eduroam
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand:
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log]
/var/log/radius-eduroam/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to
/var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
[auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
With kind regards,
Marlen Caemmerer
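
Added example, not part of the original post: a decoder for the EAP-Message values in the debug output above, showing that the server's TLS flight goes out as EAP-TTLS fragments which the client acknowledges one at a time. The flag layout (L, M, S) follows RFC 5281; the function names are hypothetical, the long values are cut to their first ten bytes, and the fragment count assumes every fragment repeats the 4-byte length field, as the ones in this log do.

```python
import math
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_BASED = (13, 21, 25)
# Flags octet of TLS-based EAP methods: Length included, More fragments, Start
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20

# EAP-Message values copied from the log, in order. Entries marked "cut" keep
# only the first ten bytes (EAP header, type, flags, TLS message length).
LOG_MESSAGES = [
    "0x0201001c01616e6f6e796d6f7573406173682d6265726c696e2e6575",
    "0x010200061520",
    "0x02020083158000000079",  # cut: ClientHello
    "0x0103040015c0000015e7",  # cut
    "0x020300061500",
    "0x0104040015c0000015e7",  # cut
    "0x020400061500",
    "0x0105040015c0000015e7",  # cut
    "0x020500061500",
    "0x0106040015c0000015e7",  # cut
    "0x020600061500",
]


def decode_eap(hex_value):
    """Decode the header of one EAP-Message value; the body may be cut short."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident,
            "length": length, "type": None, "flags": "",
            "tls_length": None, "kind": "no-type", "identity": None}
    if len(raw) < 5:
        return info  # Success and Failure carry no type octet
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, str(eap_type))
    if eap_type == 1:
        info["kind"] = "identity"
        info["identity"] = raw[5:length].decode("utf-8", "replace")
    elif eap_type in TLS_BASED:
        if len(raw) < 6:
            raise ValueError("TLS-based EAP packet without a flags octet")
        flags = raw[5]
        names = ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S"))
        info["flags"] = "".join(n for bit, n in names if flags & bit)
        if flags & FLAG_L:
            if len(raw) < 10:
                raise ValueError("L flag set but length field missing")
            info["tls_length"] = struct.unpack("!I", raw[6:10])[0]
        if flags & FLAG_S:
            info["kind"] = "start"
        elif length == 6:
            info["kind"] = "ack"       # type + flags only, no TLS data
        elif flags & FLAG_M:
            info["kind"] = "fragment"  # more fragments follow
        else:
            info["kind"] = "data"      # complete message or last fragment
    else:
        info["kind"] = "other"
    return info


def fragments_needed(first_fragment):
    """Fragments required for the whole TLS flight (assumes L on every one)."""
    payload = first_fragment["length"] - 10  # header 4 + type 1 + flags 1 + len 4
    return math.ceil(first_fragment["tls_length"] / payload)


def summarize(messages):
    """Compare fragments the server sent with how many the flight needs."""
    decoded = [decode_eap(m) for m in messages]
    sent = [d for d in decoded
            if d["code"] == "Request" and d["kind"] == "fragment"]
    return {"tls_length": sent[0]["tls_length"],
            "needed": fragments_needed(sent[0]),
            "seen": len(sent),
            "acks": sum(1 for d in decoded if d["kind"] == "ack")}


if __name__ == "__main__":
    for value in LOG_MESSAGES:
        d = decode_eap(value)
        print(d["code"], d["id"], d["type"], d["kind"], d["flags"], d["tls_length"])
    print(summarize(LOG_MESSAGES))
```

For this log it reports a 5607-byte server flight that needs six 1024-byte fragments, of which four appear before the excerpt ends.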