EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level

tj2718 at aol.com tj2718 at aol.com
Mon Oct 24 23:07:06 CEST 2016


Following Alan's guidance from his post earlier, I have:

1) Removed FreeRADIUS 4.0.x and installed 3.0.12

2) I've read through the debug when a failure occurs.
It looks like while I have the LDAP check enabled the computers using certificates
get rejected because they are not found by the LDAP search/filter.

(5) if (Ldap-Group == "WiFi") -> FALSE
(5) else {
(5) [reject] = reject
(5) } # else = reject
(5) } # post-auth = reject
(5) Using Post-Auth-Type Reject

3) When the LDAP check is commented out the computers using certificates can connect so I have not
reissued all certificates yet. From the debug failure it appears to be an LDAP query/filter issue. Am I interpreting the output correctly?

> > We upgraded the functional level to 2012R2 Native and it broke everything.
> 
> It's probably LDAP.

I believe it may be the LDAP group membership filter which is:

membership_filter = "(|(member=%{control:Ldap-UserDn})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

The computers are joined to our domain and their computer accounts are
in the WiFi security group.  Their sAMAccountName ends with a $
Is that why there is not a match with the membership_filter?

> > post-auth {
> >
> >
> > #   if (Ldap-Group == "WiFi") {
> > #     noop
> > #   }
> >
> 
> So you've commented out the Ldap-Group check and it works. My guess is
> that the AD functional upgrade has changed the schema or LDAP permissions
> and your group query is failing now.
> 
> > and watching the radiusd -X debug.
> 
> As Alan says - you need to post a debug of a *failing* case. Better yet, look
> carefully at it the debug before posting it - the failure will probably be
> obvious.
> 
> If not, post the full debug of a failure.

Please see debug below.

I would like to configure it so that if the computer has a valid certificate it would
use EAP-TLS and be connected, if no certificate is presented FreeRADIUS
would prompt for username and password and use LDAP-Group membership being the
determining factor whether or not the user is granted access.

Thank you for your input.

***DEBUG***
Ready to process requests
(0) Received Access-Request Id 27 from 10.10.2.5:32809 to 10.10.0.238:1812 length 197
(0) User-Name = "host/TElsberry10-Tab"
(0) NAS-IP-Address = 10.10.2.5
(0) NAS-Identifier = "dc9fdb7003d4"
(0) NAS-Port = 0
(0) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET"
(0) Calling-Station-Id = "88-53-2E-7C-FD-DA"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) EAP-Message = 0x0231001901686f73742f54456c73626572727931302d546162
(0) Message-Authenticator = 0x8b480d049454b1777cceef127c71a9bc
(0) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(0) ntdomain: No such realm "NULL"
(0) [ntdomain] = noop
(0) eap: Peer sent EAP Response (code 2) ID 49 length 25
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Flushing SSL sessions (of #0)
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 50 length 6
(0) eap: EAP session adding &reply:State = 0xe1b5c235e187cf19
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 27 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0
(0) EAP-Message = 0x013200060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xe1b5c235e187cf190cf7c580ecd5b37c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 28 from 10.10.2.5:32809 to 10.10.0.238:1812 length 404
(1) User-Name = "host/TElsberry10-Tab"
(1) NAS-IP-Address = 10.10.2.5
(1) NAS-Identifier = "dc9fdb7003d4"
(1) NAS-Port = 0
(1) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET"
(1) Calling-Station-Id = "88-53-2E-7C-FD-DA"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) EAP-Message = 0x023200d60d80000000cc16030300c7010000c30303580e438e2c3ba26409542c6b43b8236cc0add76d5f301b22f977a5639f4ee00420b34e87a7414a2363c38f425676fe4f42d2ae22d16561ca32a2d9ed6aaa5463fa003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013003900
(1) State = 0xe1b5c235e187cf190cf7c580ecd5b37c
(1) Message-Authenticator = 0x3de565fdd57ae1d8ecf2966261faf36d
(1) session-state: No cached attributes
(1) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) ntdomain: Checking for prefix before "\"
(1) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(1) ntdomain: No such realm "NULL"
(1) [ntdomain] = noop
(1) eap: Peer sent EAP Response (code 2) ID 50 length 214
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xe1b5c235e187cf19
(1) eap: Finished EAP session with state 0xe1b5c235e187cf19
(1) eap: Previous EAP request found for state 0xe1b5c235e187cf19, released from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Peer indicated complete TLS record size will be 204 bytes
(1) eap_tls: Got complete TLS record (204 bytes)
(1) eap_tls: [eaptls verify] = length included
(1) eap_tls: (other): before/accept initialization
(1) eap_tls: TLS_accept: before/accept initialization
(1) eap_tls: <<< recv TLS 1.2 [length 00c7]
(1) eap_tls: TLS_accept: SSLv3 read client hello A
(1) eap_tls: >>> send TLS 1.2 [length 0059]
(1) eap_tls: TLS_accept: SSLv3 write server hello A
(1) eap_tls: >>> send TLS 1.2 [length 085c]
(1) eap_tls: TLS_accept: SSLv3 write certificate A
(1) eap_tls: >>> send TLS 1.2 [length 014d]
(1) eap_tls: TLS_accept: SSLv3 write key exchange A
(1) eap_tls: >>> send TLS 1.2 [length 00c6]
(1) eap_tls: TLS_accept: SSLv3 write certificate request A
(1) eap_tls: TLS_accept: SSLv3 flush data
(1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_tls: In SSL Handshake Phase
(1) eap_tls: In SSL Accept mode
(1) eap_tls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 51 length 1004
(1) eap: EAP session adding &reply:State = 0xe1b5c235e086cf19
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 28 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0
(1) EAP-Message = 0x013303ec0dc000000adc160303005902000055030354f2b96677d828e24af212a93d25dc6911e0f6d5662710489e0f21fd09b95c69201a364ac83fb12e7e36891f3bab987c5f3155520aa2fb3391dac9551a778e70b0c03000000dff01000100000b000403000102160303085c0b0008580008550003a4
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xe1b5c235e086cf190cf7c580ecd5b37c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 29 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196
(2) User-Name = "host/TElsberry10-Tab"
(2) NAS-IP-Address = 10.10.2.5
(2) NAS-Identifier = "dc9fdb7003d4"
(2) NAS-Port = 0
(2) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET"
(2) Calling-Station-Id = "88-53-2E-7C-FD-DA"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) EAP-Message = 0x023300060d00
(2) State = 0xe1b5c235e086cf190cf7c580ecd5b37c
(2) Message-Authenticator = 0xeba2bda8b2853a7e3d1ae63406185608
(2) session-state: No cached attributes
(2) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) ntdomain: Checking for prefix before "\"
(2) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(2) ntdomain: No such realm "NULL"
(2) [ntdomain] = noop
(2) eap: Peer sent EAP Response (code 2) ID 51 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xe1b5c235e086cf19
(2) eap: Finished EAP session with state 0xe1b5c235e086cf19
(2) eap: Previous EAP request found for state 0xe1b5c235e086cf19, released from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: Continuing EAP-TLS
(2) eap_tls: Peer ACKed our handshake fragment
(2) eap_tls: [eaptls verify] = request
(2) eap_tls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 52 length 1004
(2) eap: EAP session adding &reply:State = 0xe1b5c235e381cf19
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 29 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0
(2) EAP-Message = 0x013403ec0dc000000adc3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b300906035504061302555331133011
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xe1b5c235e381cf190cf7c580ecd5b37c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 30 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196
(3) User-Name = "host/TElsberry10-Tab"
(3) NAS-IP-Address = 10.10.2.5
(3) NAS-Identifier = "dc9fdb7003d4"
(3) NAS-Port = 0
(3) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET"
(3) Calling-Station-Id = "88-53-2E-7C-FD-DA"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) EAP-Message = 0x023400060d00
(3) State = 0xe1b5c235e381cf190cf7c580ecd5b37c
(3) Message-Authenticator = 0x3ed9b3db9703668243209cb24444213b
(3) session-state: No cached attributes
(3) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) ntdomain: Checking for prefix before "\"
(3) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(3) ntdomain: No such realm "NULL"
(3) [ntdomain] = noop
(3) eap: Peer sent EAP Response (code 2) ID 52 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xe1b5c235e381cf19
(3) eap: Finished EAP session with state 0xe1b5c235e381cf19
(3) eap: Previous EAP request found for state 0xe1b5c235e381cf19, released from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: Continuing EAP-TLS
(3) eap_tls: Peer ACKed our handshake fragment
(3) eap_tls: [eaptls verify] = request
(3) eap_tls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 53 length 802
(3) eap: EAP session adding &reply:State = 0xe1b5c235e280cf19
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 30 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0
(3) EAP-Message = 0x013503220d8000000adc57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa1329
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xe1b5c235e280cf190cf7c580ecd5b37c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 31 from 10.10.2.5:32809 to 10.10.0.238:1812 length 1535
(4) User-Name = "host/TElsberry10-Tab"
(4) NAS-IP-Address = 10.10.2.5
(4) NAS-Identifier = "dc9fdb7003d4"
(4) NAS-Port = 0
(4) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET"
(4) Calling-Station-Id = "88-53-2E-7C-FD-DA"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) EAP-Message = 0x023505370d800000052d16030304f50b0003a30003a000039d3082039930820281a0030201020202009c300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c30
(4) State = 0xe1b5c235e280cf190cf7c580ecd5b37c
(4) Message-Authenticator = 0xe4d02148bbf11903f7995c2ea5760ecc
(4) session-state: No cached attributes
(4) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) ntdomain: Checking for prefix before "\"
(4) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(4) ntdomain: No such realm "NULL"
(4) [ntdomain] = noop
(4) eap: Peer sent EAP Response (code 2) ID 53 length 1335
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xe1b5c235e280cf19
(4) eap: Finished EAP session with state 0xe1b5c235e280cf19
(4) eap: Previous EAP request found for state 0xe1b5c235e280cf19, released from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: Peer indicated complete TLS record size will be 1325 bytes
(4) eap_tls: Got complete TLS record (1325 bytes)
(4) eap_tls: [eaptls verify] = length included
(4) eap_tls: <<< recv TLS 1.2 [length 03a7]
(4) eap_tls: Creating attributes from certificate OIDs
(4) eap_tls: TLS-Cert-Serial := "a793227a08ee79ec"
(4) eap_tls: TLS-Cert-Expiration := "400316212404Z"
(4) eap_tls: TLS-Cert-Subject := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry at rsd.net/CN=RSD RADIUS Certificate Authority"
(4) eap_tls: TLS-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry at rsd.net/CN=RSD RADIUS Certificate Authority"
(4) eap_tls: TLS-Cert-Common-Name := "RSD RADIUS Certificate Authority"
(4) eap_tls: Creating attributes from certificate OIDs
(4) eap_tls: TLS-Client-Cert-Serial := "9c"
(4) eap_tls: TLS-Client-Cert-Expiration := "260822222730Z"
(4) eap_tls: TLS-Client-Cert-Subject := "/C=US/ST=California/O=RSD/CN=TElsberry10-Tab/emailAddress=TElsberry10-Tab at rsd.net"
(4) eap_tls: TLS-Client-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry at rsd.net/CN=RSD RADIUS Certificate Authority"
(4) eap_tls: TLS-Client-Cert-Common-Name := "TElsberry10-Tab"
(4) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(4) eap_tls: TLS_accept: SSLv3 read client certificate A
(4) eap_tls: <<< recv TLS 1.2 [length 0046]
(4) eap_tls: TLS_accept: SSLv3 read client key exchange A
(4) eap_tls: <<< recv TLS 1.2 [length 0108]
(4) eap_tls: TLS_accept: SSLv3 read certificate verify A
(4) eap_tls: <<< recv TLS 1.2 [length 0001]
(4) eap_tls: <<< recv TLS 1.2 [length 0010]
(4) eap_tls: TLS_accept: SSLv3 read finished A
(4) eap_tls: >>> send TLS 1.2 [length 0001]
(4) eap_tls: TLS_accept: SSLv3 write change cipher spec A
(4) eap_tls: >>> send TLS 1.2 [length 0010]
(4) eap_tls: TLS_accept: SSLv3 write finished A
(4) eap_tls: TLS_accept: SSLv3 flush data
(4) eap_tls: (other): SSL negotiation finished successfully
(4) eap_tls: SSL Connection Established
(4) eap_tls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 54 length 61
(4) eap: EAP session adding &reply:State = 0xe1b5c235e583cf19
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 31 from 10.10.0.238:1812 to 10.10.2.5:32809 length 0
(4) EAP-Message = 0x0136003d0d8000000033140303000101160303002842b8eeefd7fa470e6317261c9fbe1ab5c6ba81a8691930eecd62774bb3bd248f9cbfac2dc45404ec
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xe1b5c235e583cf190cf7c580ecd5b37c
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 32 from 10.10.2.5:32809 to 10.10.0.238:1812 length 196
(5) User-Name = "host/TElsberry10-Tab"
(5) NAS-IP-Address = 10.10.2.5
(5) NAS-Identifier = "dc9fdb7003d4"
(5) NAS-Port = 0
(5) Called-Station-Id = "DC-9F-DB-70-7A-82:RSD-TABLET"
(5) Calling-Station-Id = "88-53-2E-7C-FD-DA"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) EAP-Message = 0x023600060d00
(5) State = 0xe1b5c235e583cf190cf7c580ecd5b37c
(5) Message-Authenticator = 0xb44d62e8c23068a4e0c13849488f835d
(5) session-state: No cached attributes
(5) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) ntdomain: Checking for prefix before "\"
(5) ntdomain: No '\' in User-Name = "host/TElsberry10-Tab", looking up realm NULL
(5) ntdomain: No such realm "NULL"
(5) [ntdomain] = noop
(5) eap: Peer sent EAP Response (code 2) ID 54 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xe1b5c235e583cf19
(5) eap: Finished EAP session with state 0xe1b5c235e583cf19
(5) eap: Previous EAP request found for state 0xe1b5c235e583cf19, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Peer ACKed our handshake fragment. handshake is finished
(5) eap_tls: [eaptls verify] = success
(5) eap_tls: [eaptls process] = success
(5) eap_tls: caching TLS-Cert-Serial := "a793227a08ee79ec"
(5) eap_tls: caching TLS-Cert-Expiration := "400316212404Z"
(5) eap_tls: caching TLS-Cert-Subject := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry at rsd.net/CN=RSD RADIUS Certificate Authority"
(5) eap_tls: caching TLS-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry at rsd.net/CN=RSD RADIUS Certificate Authority"
(5) eap_tls: caching TLS-Cert-Common-Name := "RSD RADIUS Certificate Authority"
(5) eap_tls: caching TLS-Client-Cert-Serial := "9c"
(5) eap_tls: caching TLS-Client-Cert-Expiration := "260822222730Z"
(5) eap_tls: caching TLS-Client-Cert-Subject := "/C=US/ST=California/O=RSD/CN=TElsberry10-Tab/emailAddress=TElsberry10-Tab at rsd.net"
(5) eap_tls: caching TLS-Client-Cert-Issuer := "/C=US/ST=California/L=Lake Forest/O=RSD/emailAddress=telsberry at rsd.net/CN=RSD RADIUS Certificate Authority"
(5) eap_tls: caching TLS-Client-Cert-Common-Name := "TElsberry10-Tab"
(5) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(5) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(5) eap: Sending EAP Success (code 3) ID 54 length 4
(5) eap: Freeing handler
(5) [eap] = ok
(5) } # authenticate = ok
(5) # Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) post-auth {
(5) if (!&reply:State) {
(5) if (!&reply:State) -> TRUE
(5) if (!&reply:State) {
(5) update reply {
(5) EXPAND 0x%{randstr:16h}
(5) --> 0x20d7cf39b7874998bcfb45bb907815d98a
(5) State := 0x20d7cf39b7874998bcfb45bb907815d98a
(5) } # update reply = noop
(5) } # if (!&reply:State) = noop
(5) update {
(5) No attributes updated
(5) } # update = noop
(5) [exec] = noop
(5) if (Ldap-Group == "WiFi") {
(5) Searching for user in group "WiFi"
rlm_ldap (ldap): Reserved connection (0)
(5) EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(5) --> (sAMAccountName=host/TElsberry10-Tab)
(5) Performing search in "dc=rsdtc,dc=com" with filter "(sAMAccountName=host/TElsberry10-Tab)", scope "sub"
(5) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL ldap://ForestDnsZones.RSDTC.COM/DC=ForestDnsZones,DC=RSDTC,DC=COM
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.RSDTC.COM/DC=DomainDnsZones,DC=RSDTC,DC=COM
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL ldap://RSDTC.COM/CN=Configuration,DC=RSDTC,DC=COM
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(5) Search returned no results
rlm_ldap (ldap): Deleting connection (0)
rlm_ldap (ldap): Need 6 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc12vm.rsdtc.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(5) if (Ldap-Group == "WiFi") -> FALSE
(5) else {
(5) [reject] = reject
(5) } # else = reject
(5) } # post-auth = reject
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) [eap] = noop
(5) } # Post-Auth-Type REJECT = noop
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 32 from 10.10.0.238:1812 to 10.10.2.5:32809 length 201
(5) MS-MPPE-Recv-Key = 0xdc168503ebb9e9734af7d32965b70a9405abf628204ab5e1dd626bccc9e820d0
(5) MS-MPPE-Send-Key = 0xd395f9b1bcb934dc4ccdfeb8e7bb2bd26d136d1ec1eadb9770d165200a08d35e
(5) EAP-Message = 0x03360004
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) User-Name = "host/TElsberry10-Tab"
(5) State := 0x20d7cf39b7874998bcfb45bb907815d98a
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 27 with timestamp +6
(1) Cleaning up request packet ID 28 with timestamp +6
(2) Cleaning up request packet ID 29 with timestamp +6
(3) Cleaning up request packet ID 30 with timestamp +6
(4) Cleaning up request packet ID 31 with timestamp +6
(5) Cleaning up request packet ID 32 with timestamp +6
Ready to process requests





More information about the Freeradius-Users mailing list