Authentication Error.
mustafa mujahid
mustafa.mujahid at outlook.com
Thu Apr 6 12:20:20 CEST 2017
Hello,
I'm working with radius 3.0.12 and have deployed 2 virtual servers: one for LAN authentication and the other for wireless authentication.
Basically, when I run a simple query like:
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' and Attribute = 'NT-Password' ORDER BY id"
It works and users are successfully authenticated. The peculiar issue I'm having is that when I run the following query, authentication fails. The query is as follows:
authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = '%{SQL-User-Name}' and wlan = 'y' and vlanid=SUBSTR('%{NAS-Port-Id}' ,INSTR('%{NAS-Port-Id}', '=', -1)+3) ORDER BY id"
In the first pass through sql, the user is found by freeradius and communication continues, but it fails in the 8th iteration of the debug log. The NT-Password attribute is present in the table, but radius returns the following error:
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: zaain.abbas
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) [mschap] = reject
Kindly see below the complete debug output. Any help on this would be greatly appreciated. I have attached a screenshot that shows the values in the DB for a user.
Listening on auth interface eth0 address * port 1812
Listening on command file /var/log/radius/run/radiusd/radiusd.sock
Listening on auth address 127.0.0.1 port 18120 bound to server cisco_lan-tunnel
Listening on auth address 127.0.0.1 port 18130 bound to server wlc_huawei-tunnel
Listening on proxy address * port 41280
Ready to process requests
(0) Received Access-Request Id 96 from 172.16.33.246:1812 to 115.186.154.51:1812 length 324
(0) User-Name = "ali.asad"
(0) NAS-Port = 50
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) Calling-Station-Id = "606d-c7eb-39bd"
(0) NAS-Identifier = "NTL-WLC-AC6605-B"
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(0) EAP-Message = 0x02b2000d01616c692e61736164
(0) Message-Authenticator = 0x179c32fbbd2df6b90b044080c39c79e2
(0) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(0) NAS-IP-Address = 172.16.33.246
(0) Framed-MTU = 1500
(0) Acct-Session-Id = "NTL-WLC0000000000005082995a003078"
(0) Huawei-Startup-Stamp = 1471070906
(0) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(0) Huawei-Connect-ID = 3078
(0) Huawei-Version = "Huawei AC6605"
(0) Huawei-Product-ID = "AC"
(0) Huawei-Loopback-Address = "F84A-BFF2-9880"
(0) Huawei-User-Mac = "\000\000\000\001"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(0) authorize {
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(0) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(0) auth_log: EXPAND %t
(0) auth_log: --> Wed Apr 5 22:09:04 2017
(0) [auth_log] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 178 length 13
(0) eap_wlc_huawei: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap_wlc_huawei] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap_wlc_huawei
(0) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(0) authenticate {
(0) eap_wlc_huawei: Peer sent packet with method EAP Identity (1)
(0) eap_wlc_huawei: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap_wlc_huawei: Sending EAP Request (code 1) ID 179 length 22
(0) eap_wlc_huawei: EAP session adding &reply:State = 0x43da516043695567
(0) [eap_wlc_huawei] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(0) Sent Access-Challenge Id 96 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(0) EAP-Message = 0x01b300160410aba61a87e58d1b1b60aaaeb177f1c82c
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x43da516043695567cc0d35af791e907a
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 97 from 172.16.33.246:1812 to 115.186.154.51:1812 length 290
(1) User-Name = "ali.asad"
(1) NAS-Port = 50
(1) Service-Type = Framed-User
(1) Framed-Protocol = 4294967295
(1) Calling-Station-Id = "606d-c7eb-39bd"
(1) NAS-Identifier = "NTL-WLC-AC6605-B"
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(1) State = 0x43da516043695567cc0d35af791e907a
(1) EAP-Message = 0x02b300060319
(1) Message-Authenticator = 0xc85bc4c210d39ae76e2de1bdc7f05522
(1) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(1) Login-IP-Host = 0.0.0.0
(1) NAS-IP-Address = 172.16.33.246
(1) Framed-MTU = 1500
(1) Huawei-Startup-Stamp = 1471070906
(1) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(1) Huawei-Connect-ID = 3078
(1) Huawei-Version = "Huawei AC6605"
(1) Huawei-Product-ID = "AC"
(1) Huawei-User-Mac = "\000\000\000"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(1) authorize {
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(1) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(1) auth_log: EXPAND %t
(1) auth_log: --> Wed Apr 5 22:09:04 2017
(1) [auth_log] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 179 length 6
(1) eap_wlc_huawei: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap_wlc_huawei] = updated
(1) sql_wlc_huawei: EXPAND %{User-Name}
(1) sql_wlc_huawei: --> ali.asad
(1) sql_wlc_huawei: SQL-User-Name set to 'ali.asad'
rlm_sql (sql_wlc_huawei): Reserved connection (0)
(1) sql_wlc_huawei: EXPAND SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = '%{SQL-User-Name}' and wlan = 'y' and vlanid=SUBSTR('%{NAS-Port-Id}' ,INSTR('%{NAS-Port-Id}', '=', -1)+3) ORDER BY id
(1) sql_wlc_huawei: --> SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'ali.asad' and wlan = 'y' and vlanid=SUBSTR('slot=3D0=3Bsubslot=3D0=3Bport=3D0=3Bvlanid=3D50' ,INSTR('slot=3D0=3Bsubslot=3D0=3Bport=3D0=3Bvlanid=3D50', '=', -1)+3) ORDER BY id
(1) sql_wlc_huawei: Executing select query: SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'ali.asad' and wlan = 'y' and vlanid=SUBSTR('slot=3D0=3Bsubslot=3D0=3Bport=3D0=3Bvlanid=3D50' ,INSTR('slot=3D0=3Bsubslot=3D0=3Bport=3D0=3Bvlanid=3D50', '=', -1)+3) ORDER BY id
(1) sql_wlc_huawei: User found in radcheck table
(1) sql_wlc_huawei: Conditional check items matched, merging assignment check items
(1) sql_wlc_huawei: NT-Password := 0x4633303443393130313932354643303241364641373646363145303444303133
rlm_sql (sql_wlc_huawei): Released connection (0)
(1) [sql_wlc_huawei] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap_wlc_huawei
(1) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(1) authenticate {
(1) eap_wlc_huawei: Expiring EAP session with state 0x43da516043695567
(1) eap_wlc_huawei: Finished EAP session with state 0x43da516043695567
(1) eap_wlc_huawei: Previous EAP request found for state 0x43da516043695567, released from the list
(1) eap_wlc_huawei: Peer sent packet with method EAP NAK (3)
(1) eap_wlc_huawei: Found mutually acceptable type PEAP (25)
(1) eap_wlc_huawei: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap_wlc_huawei: Sending EAP Request (code 1) ID 180 length 6
(1) eap_wlc_huawei: EAP session adding &reply:State = 0x43da5160426e4867
(1) [eap_wlc_huawei] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(1) Sent Access-Challenge Id 97 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(1) EAP-Message = 0x01b400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x43da5160426e4867cc0d35af791e907a
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 98 from 172.16.33.246:1812 to 115.186.154.51:1812 length 466
(2) User-Name = "ali.asad"
(2) NAS-Port = 50
(2) Service-Type = Framed-User
(2) Framed-Protocol = 4294967295
(2) Calling-Station-Id = "606d-c7eb-39bd"
(2) NAS-Identifier = "NTL-WLC-AC6605-B"
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(2) State = 0x43da5160426e4867cc0d35af791e907a
(2) EAP-Message = 0x02b400b61980000000ac16030300a7010000a3030358e52543cd7c662888867b2bdc8de1ef6dfc963c5350f444ef6b358ab04335a700003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a004000380032001300050004010000
(2) Message-Authenticator = 0x88d6f4f8c6eaa1e85685adfe684138b4
(2) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(2) Login-IP-Host = 0.0.0.0
(2) NAS-IP-Address = 172.16.33.246
(2) Framed-MTU = 1500
(2) Huawei-Startup-Stamp = 1471070906
(2) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(2) Huawei-Connect-ID = 3078
(2) Huawei-Version = "Huawei AC6605"
(2) Huawei-Product-ID = "AC"
(2) Huawei-User-Mac = "\000\000\000"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(2) authorize {
(2) [preprocess] = ok
(2) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(2) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(2) auth_log: EXPAND %t
(2) auth_log: --> Wed Apr 5 22:09:04 2017
(2) [auth_log] = ok
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 180 length 182
(2) eap_wlc_huawei: Continuing tunnel setup
(2) [eap_wlc_huawei] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap_wlc_huawei
(2) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(2) authenticate {
(2) eap_wlc_huawei: Expiring EAP session with state 0x43da5160426e4867
(2) eap_wlc_huawei: Finished EAP session with state 0x43da5160426e4867
(2) eap_wlc_huawei: Previous EAP request found for state 0x43da5160426e4867, released from the list
(2) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(2) eap_wlc_huawei: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 172 bytes
(2) eap_peap: Got complete TLS record (172 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.2 [length 00a7]
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.2 [length 0039]
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.2 [length 08d3]
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap_wlc_huawei: Sending EAP Request (code 1) ID 181 length 1004
(2) eap_wlc_huawei: EAP session adding &reply:State = 0x43da5160416f4867
(2) [eap_wlc_huawei] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(2) Sent Access-Challenge Id 98 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(2) EAP-Message = 0x01b503ec19c000000a71160303003902000035030358e524b04687a7ba5c39d39b2df2301db876dbae8b61fea27ca7c10f034fc85100c03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x43da5160416f4867cc0d35af791e907a
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 99 from 172.16.33.246:1812 to 115.186.154.51:1812 length 290
(3) User-Name = "ali.asad"
(3) NAS-Port = 50
(3) Service-Type = Framed-User
(3) Framed-Protocol = 4294967295
(3) Calling-Station-Id = "606d-c7eb-39bd"
(3) NAS-Identifier = "NTL-WLC-AC6605-B"
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(3) State = 0x43da5160416f4867cc0d35af791e907a
(3) EAP-Message = 0x02b500061900
(3) Message-Authenticator = 0x9099486e5fe2a8c8e55134d85dc1f360
(3) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(3) Login-IP-Host = 0.0.0.0
(3) NAS-IP-Address = 172.16.33.246
(3) Framed-MTU = 1500
(3) Huawei-Startup-Stamp = 1471070906
(3) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(3) Huawei-Connect-ID = 3078
(3) Huawei-Version = "Huawei AC6605"
(3) Huawei-Product-ID = "AC"
(3) Huawei-User-Mac = "\000\000\000"
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(3) authorize {
(3) [preprocess] = ok
(3) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(3) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(3) auth_log: EXPAND %t
(3) auth_log: --> Wed Apr 5 22:09:04 2017
(3) [auth_log] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 181 length 6
(3) eap_wlc_huawei: Continuing tunnel setup
(3) [eap_wlc_huawei] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap_wlc_huawei
(3) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(3) authenticate {
(3) eap_wlc_huawei: Expiring EAP session with state 0x43da5160416f4867
(3) eap_wlc_huawei: Finished EAP session with state 0x43da5160416f4867
(3) eap_wlc_huawei: Previous EAP request found for state 0x43da5160416f4867, released from the list
(3) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(3) eap_wlc_huawei: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap_wlc_huawei: Sending EAP Request (code 1) ID 182 length 1000
(3) eap_wlc_huawei: EAP session adding &reply:State = 0x43da5160406c4867
(3) [eap_wlc_huawei] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(3) Sent Access-Challenge Id 99 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(3) EAP-Message = 0x01b603e819409b2d4c0345df751fd711e8ea4e75714b29a30375779446c49ce87ccf9d58117de4f2115aa1e5653a44779d0cc47875d9c752336a6c5fe4badfcf84bc9e1a915e7297c630bad9abf8c30004e8308204e4308203cca003020102020900b6aa9b5ee768955a300d06092a864886f70d010105
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x43da5160406c4867cc0d35af791e907a
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 100 from 172.16.33.246:1812 to 115.186.154.51:1812 length 290
(4) User-Name = "ali.asad"
(4) NAS-Port = 50
(4) Service-Type = Framed-User
(4) Framed-Protocol = 4294967295
(4) Calling-Station-Id = "606d-c7eb-39bd"
(4) NAS-Identifier = "NTL-WLC-AC6605-B"
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(4) State = 0x43da5160406c4867cc0d35af791e907a
(4) EAP-Message = 0x02b600061900
(4) Message-Authenticator = 0xa97892fa02743a9e1c8f4ebbb0591eb7
(4) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(4) Login-IP-Host = 0.0.0.0
(4) NAS-IP-Address = 172.16.33.246
(4) Framed-MTU = 1500
(4) Huawei-Startup-Stamp = 1471070906
(4) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(4) Huawei-Connect-ID = 3078
(4) Huawei-Version = "Huawei AC6605"
(4) Huawei-Product-ID = "AC"
(4) Huawei-User-Mac = "\000\000\000"
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(4) authorize {
(4) [preprocess] = ok
(4) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(4) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(4) auth_log: EXPAND %t
(4) auth_log: --> Wed Apr 5 22:09:04 2017
(4) [auth_log] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 182 length 6
(4) eap_wlc_huawei: Continuing tunnel setup
(4) [eap_wlc_huawei] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap_wlc_huawei
(4) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(4) authenticate {
(4) eap_wlc_huawei: Expiring EAP session with state 0x43da5160406c4867
(4) eap_wlc_huawei: Finished EAP session with state 0x43da5160406c4867
(4) eap_wlc_huawei: Previous EAP request found for state 0x43da5160406c4867, released from the list
(4) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(4) eap_wlc_huawei: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap_wlc_huawei: Sending EAP Request (code 1) ID 183 length 691
(4) eap_wlc_huawei: EAP session adding &reply:State = 0x43da5160476d4867
(4) [eap_wlc_huawei] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(4) Sent Access-Challenge Id 100 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(4) EAP-Message = 0x01b702b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d0101050500038201010048377e8fa1d71da67cd91ae43c66ec9d54d74a2593705ce23f35396f788e48
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x43da5160476d4867cc0d35af791e907a
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 101 from 172.16.33.246:1812 to 115.186.154.51:1812 length 420
(5) User-Name = "ali.asad"
(5) NAS-Port = 50
(5) Service-Type = Framed-User
(5) Framed-Protocol = 4294967295
(5) Calling-Station-Id = "606d-c7eb-39bd"
(5) NAS-Identifier = "NTL-WLC-AC6605-B"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(5) State = 0x43da5160476d4867cc0d35af791e907a
(5) EAP-Message = 0x02b7008819800000007e160303004610000042410415b7a6eada56a0134bb44dd1030cf6fcddfcd34ab0dca770d613b1ff06db29517bd6679a337c5e1b2e13af74f36b0eac985e9d9cdfbf237d401247a21c9c43a814030300010116030300280000000000000000f3cf9428fd7716ef50f29492c0349e
(5) Message-Authenticator = 0x2aeb0287ed76477f373776f231189382
(5) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(5) Login-IP-Host = 0.0.0.0
(5) NAS-IP-Address = 172.16.33.246
(5) Framed-MTU = 1500
(5) Huawei-Startup-Stamp = 1471070906
(5) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(5) Huawei-Connect-ID = 3078
(5) Huawei-Version = "Huawei AC6605"
(5) Huawei-Product-ID = "AC"
(5) Huawei-User-Mac = "\000\000\000"
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(5) authorize {
(5) [preprocess] = ok
(5) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(5) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(5) auth_log: EXPAND %t
(5) auth_log: --> Wed Apr 5 22:09:04 2017
(5) [auth_log] = ok
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 183 length 136
(5) eap_wlc_huawei: Continuing tunnel setup
(5) [eap_wlc_huawei] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap_wlc_huawei
(5) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(5) authenticate {
(5) eap_wlc_huawei: Expiring EAP session with state 0x43da5160476d4867
(5) eap_wlc_huawei: Finished EAP session with state 0x43da5160476d4867
(5) eap_wlc_huawei: Previous EAP request found for state 0x43da5160476d4867, released from the list
(5) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(5) eap_wlc_huawei: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< recv TLS 1.2 [length 0001]
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap_wlc_huawei: Sending EAP Request (code 1) ID 184 length 57
(5) eap_wlc_huawei: EAP session adding &reply:State = 0x43da516046624867
(5) [eap_wlc_huawei] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(5) Sent Access-Challenge Id 101 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(5) EAP-Message = 0x01b80039190014030300010116030300284709dc997810c5b08ba0124d96638ceefed5c2f6b68fa5c7515ecf3ae63fd6f7da99b24f8197e3bd
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x43da516046624867cc0d35af791e907a
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 102 from 172.16.33.246:1812 to 115.186.154.51:1812 length 290
(6) User-Name = "ali.asad"
(6) NAS-Port = 50
(6) Service-Type = Framed-User
(6) Framed-Protocol = 4294967295
(6) Calling-Station-Id = "606d-c7eb-39bd"
(6) NAS-Identifier = "NTL-WLC-AC6605-B"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(6) State = 0x43da516046624867cc0d35af791e907a
(6) EAP-Message = 0x02b800061900
(6) Message-Authenticator = 0xfee6dbe8c83d6cbc07d3a23b9a96e911
(6) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(6) Login-IP-Host = 0.0.0.0
(6) NAS-IP-Address = 172.16.33.246
(6) Framed-MTU = 1500
(6) Huawei-Startup-Stamp = 1471070906
(6) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(6) Huawei-Connect-ID = 3078
(6) Huawei-Version = "Huawei AC6605"
(6) Huawei-Product-ID = "AC"
(6) Huawei-User-Mac = "\000\000\000"
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(6) authorize {
(6) [preprocess] = ok
(6) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(6) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(6) auth_log: EXPAND %t
(6) auth_log: --> Wed Apr 5 22:09:05 2017
(6) [auth_log] = ok
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 184 length 6
(6) eap_wlc_huawei: Continuing tunnel setup
(6) [eap_wlc_huawei] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap_wlc_huawei
(6) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(6) authenticate {
(6) eap_wlc_huawei: Expiring EAP session with state 0x43da516046624867
(6) eap_wlc_huawei: Finished EAP session with state 0x43da516046624867
(6) eap_wlc_huawei: Previous EAP request found for state 0x43da516046624867, released from the list
(6) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(6) eap_wlc_huawei: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap_wlc_huawei: Sending EAP Request (code 1) ID 185 length 40
(6) eap_wlc_huawei: EAP session adding &reply:State = 0x43da516045634867
(6) [eap_wlc_huawei] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(6) Sent Access-Challenge Id 102 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(6) EAP-Message = 0x01b900281900170303001d4709dc997810c5b169685748d0a64e9b9036d03750b985a3a2c6ff5568
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x43da516045634867cc0d35af791e907a
(6) Finished request
Waking up in 3.9 seconds.
(7) Received Access-Request Id 103 from 172.16.33.246:1812 to 115.186.154.51:1812 length 328
(7) User-Name = "ali.asad"
(7) NAS-Port = 50
(7) Service-Type = Framed-User
(7) Framed-Protocol = 4294967295
(7) Calling-Station-Id = "606d-c7eb-39bd"
(7) NAS-Identifier = "NTL-WLC-AC6605-B"
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(7) State = 0x43da516045634867cc0d35af791e907a
(7) EAP-Message = 0x02b9002c190017030300210000000000000001cfe4b7b821943e67703699aa5fb42425dcd49517013e500aca
(7) Message-Authenticator = 0x048f46172578991ab027396b03115f02
(7) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(7) Login-IP-Host = 0.0.0.0
(7) NAS-IP-Address = 172.16.33.246
(7) Framed-MTU = 1500
(7) Huawei-Startup-Stamp = 1471070906
(7) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(7) Huawei-Connect-ID = 3078
(7) Huawei-Version = "Huawei AC6605"
(7) Huawei-Product-ID = "AC"
(7) Huawei-User-Mac = "\000\000\000"
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(7) authorize {
(7) [preprocess] = ok
(7) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(7) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(7) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(7) auth_log: EXPAND %t
(7) auth_log: --> Wed Apr 5 22:09:05 2017
(7) [auth_log] = ok
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 185 length 44
(7) eap_wlc_huawei: Continuing tunnel setup
(7) [eap_wlc_huawei] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap_wlc_huawei
(7) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(7) authenticate {
(7) eap_wlc_huawei: Expiring EAP session with state 0x43da516045634867
(7) eap_wlc_huawei: Finished EAP session with state 0x43da516045634867
(7) eap_wlc_huawei: Previous EAP request found for state 0x43da516045634867, released from the list
(7) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(7) eap_wlc_huawei: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - ali.asad
(7) eap_peap: Got inner identity 'ali.asad'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x02b9000d01616c692e61736164
(7) eap_peap: Setting User-Name to ali.asad
(7) eap_peap: Sending tunneled request to wlc_huawei-tunnel
(7) eap_peap: EAP-Message = 0x02b9000d01616c692e61736164
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "ali.asad"
(7) Virtual server wlc_huawei-tunnel received request
(7) EAP-Message = 0x02b9000d01616c692e61736164
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "ali.asad"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server wlc_huawei-tunnel {
(7) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(7) authorize {
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 185 length 13
(7) eap_wlc_huawei: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap_wlc_huawei] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap_wlc_huawei
(7) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(7) authenticate {
(7) eap_wlc_huawei: Peer sent packet with method EAP Identity (1)
(7) eap_wlc_huawei: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap_wlc_huawei: Sending EAP Request (code 1) ID 186 length 43
(7) eap_wlc_huawei: EAP session adding &reply:State = 0xda51e3dbdaebf9d4
(7) [eap_wlc_huawei] = handled
(7) } # authenticate = handled
(7) } # server wlc_huawei-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x01ba002b1a01ba00261028b1d84452a89f7f6b8b1cc3f83ae2af667265657261646975732d332e302e3132
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xda51e3dbdaebf9d40b2096b8dfe0e74b
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x01ba002b1a01ba00261028b1d84452a89f7f6b8b1cc3f83ae2af667265657261646975732d332e302e3132
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xda51e3dbdaebf9d40b2096b8dfe0e74b
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x01ba002b1a01ba00261028b1d84452a89f7f6b8b1cc3f83ae2af667265657261646975732d332e302e3132
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xda51e3dbdaebf9d40b2096b8dfe0e74b
(7) eap_peap: Got tunneled Access-Challenge
(7) eap_wlc_huawei: Sending EAP Request (code 1) ID 186 length 74
(7) eap_wlc_huawei: EAP session adding &reply:State = 0x43da516044604867
(7) [eap_wlc_huawei] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(7) Sent Access-Challenge Id 103 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(7) EAP-Message = 0x01ba004a1900170303003f4709dc997810c5b252857801bc7e0c4ea1ddb169c4ff08845409092caeed6aed402ee998728f88de6c333c1ec4b8b44f9d295d8e14cca873ed513f4899ee44
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x43da516044604867cc0d35af791e907a
(7) Finished request
Waking up in 3.9 seconds.
(8) Received Access-Request Id 104 from 172.16.33.246:1812 to 115.186.154.51:1812 length 382
(8) User-Name = "ali.asad"
(8) NAS-Port = 50
(8) Service-Type = Framed-User
(8) Framed-Protocol = 4294967295
(8) Calling-Station-Id = "606d-c7eb-39bd"
(8) NAS-Identifier = "NTL-WLC-AC6605-B"
(8) NAS-Port-Type = Wireless-802.11
(8) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(8) State = 0x43da516044604867cc0d35af791e907a
(8) EAP-Message = 0x02ba0062190017030300570000000000000002769c466bef6de6557ea42a566585a9c789655d7edf2adb8caeba34a0786bd8133d5a7c3cb7e5aaa340c99b868f72530a0f0ae65f279cfc6453d4ff7d8407ae075a4cab8f1a3a286f0ebe5bf56edb2f
(8) Message-Authenticator = 0xbdb61546d1cd6b68627fc7071123c161
(8) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(8) Login-IP-Host = 0.0.0.0
(8) NAS-IP-Address = 172.16.33.246
(8) Framed-MTU = 1500
(8) Huawei-Startup-Stamp = 1471070906
(8) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(8) Huawei-Connect-ID = 3078
(8) Huawei-Version = "Huawei AC6605"
(8) Huawei-Product-ID = "AC"
(8) Huawei-User-Mac = "\000\000\000"
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(8) authorize {
(8) [preprocess] = ok
(8) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(8) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(8) auth_log: EXPAND %t
(8) auth_log: --> Wed Apr 5 22:09:05 2017
(8) [auth_log] = ok
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 186 length 98
(8) eap_wlc_huawei: Continuing tunnel setup
(8) [eap_wlc_huawei] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap_wlc_huawei
(8) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(8) authenticate {
(8) eap_wlc_huawei: Expiring EAP session with state 0xda51e3dbdaebf9d4
(8) eap_wlc_huawei: Finished EAP session with state 0x43da516044604867
(8) eap_wlc_huawei: Previous EAP request found for state 0x43da516044604867, released from the list
(8) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(8) eap_wlc_huawei: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x02ba00431a02ba003e319bd6bf46337ff2fe2f415664c42941220000000000000000451b47de3fcf8963e5af60d7d5d328e8b77dfc3d1354ac0900616c692e61736164
(8) eap_peap: Setting User-Name to ali.asad
(8) eap_peap: Sending tunneled request to wlc_huawei-tunnel
(8) eap_peap: EAP-Message = 0x02ba00431a02ba003e319bd6bf46337ff2fe2f415664c42941220000000000000000451b47de3fcf8963e5af60d7d5d328e8b77dfc3d1354ac0900616c692e61736164
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "ali.asad"
(8) eap_peap: State = 0xda51e3dbdaebf9d40b2096b8dfe0e74b
(8) Virtual server wlc_huawei-tunnel received request
(8) EAP-Message = 0x02ba00431a02ba003e319bd6bf46337ff2fe2f415664c42941220000000000000000451b47de3fcf8963e5af60d7d5d328e8b77dfc3d1354ac0900616c692e61736164
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "ali.asad"
(8) State = 0xda51e3dbdaebf9d40b2096b8dfe0e74b
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server wlc_huawei-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(8) authorize {
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 186 length 67
(8) eap_wlc_huawei: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap_wlc_huawei] = updated
(8) sql_wlc_huawei: EXPAND %{User-Name}
(8) sql_wlc_huawei: --> ali.asad
(8) sql_wlc_huawei: SQL-User-Name set to 'ali.asad'
rlm_sql (sql_wlc_huawei): Reserved connection (1)
(8) sql_wlc_huawei: EXPAND SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = '%{SQL-User-Name}' and wlan = 'y' and vlanid=SUBSTR('%{NAS-Port-Id}' ,INSTR('%{NAS-Port-Id}', '=', -1)+3) ORDER BY id
(8) sql_wlc_huawei: --> SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'ali.asad' and wlan = 'y' and vlanid=SUBSTR('' ,INSTR('', '=', -1)+3) ORDER BY id
(8) sql_wlc_huawei: Executing select query: SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'ali.asad' and wlan = 'y' and vlanid=SUBSTR('' ,INSTR('', '=', -1)+3) ORDER BY id
(8) sql_wlc_huawei: WARNING: Cannot do check groups when group_membership_query is not set
rlm_sql (sql_wlc_huawei): Released connection (1)
(8) [sql_wlc_huawei] = notfound
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap_wlc_huawei
(8) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(8) authenticate {
(8) eap_wlc_huawei: Expiring EAP session with state 0xda51e3dbdaebf9d4
(8) eap_wlc_huawei: Finished EAP session with state 0xda51e3dbdaebf9d4
(8) eap_wlc_huawei: Previous EAP request found for state 0xda51e3dbdaebf9d4, released from the list
(8) eap_wlc_huawei: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap_wlc_huawei: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: ali.asad
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # authenticate = reject
(8) eap_wlc_huawei: Sending EAP Failure (code 4) ID 186 length 4
(8) eap_wlc_huawei: Freeing handler
(8) [eap_wlc_huawei] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei-tunnel
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> ali.asad
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) update outer.session-state {
(8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT/LM-Password. Cannot perform authentication'
(8) } # update outer.session-state = noop
(8) } # Post-Auth-Type REJECT = updated
(8) } # server wlc_huawei-tunnel
(8) Virtual server sending reply
(8) MS-CHAP-Error = "\272E=691 R=1 C=9f4a4f59411d16c01d91cc71ff7e082f V=3 M=Authentication failed"
(8) EAP-Message = 0x04ba0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap: MS-CHAP-Error = "\272E=691 R=1 C=9f4a4f59411d16c01d91cc71ff7e082f V=3 M=Authentication failed"
(8) eap_peap: EAP-Message = 0x04ba0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap: MS-CHAP-Error = "\272E=691 R=1 C=9f4a4f59411d16c01d91cc71ff7e082f V=3 M=Authentication failed"
(8) eap_peap: EAP-Message = 0x04ba0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap_wlc_huawei: Sending EAP Request (code 1) ID 187 length 46
(8) eap_wlc_huawei: EAP session adding &reply:State = 0x43da51604b614867
(8) [eap_wlc_huawei] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(8) session-state: Saving cached attributes
(8) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(8) Sent Access-Challenge Id 104 from 115.186.154.51:1812 to 172.16.33.246:1812 length 0
(8) EAP-Message = 0x01bb002e190017030300234709dc997810c5b356526c68c6682789d56951049d439c741bbbfe165d866030280863
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x43da51604b614867cc0d35af791e907a
(8) Finished request
Waking up in 3.9 seconds.
(9) Received Access-Request Id 105 from 172.16.33.246:1812 to 115.186.154.51:1812 length 330
(9) User-Name = "ali.asad"
(9) NAS-Port = 50
(9) Service-Type = Framed-User
(9) Framed-Protocol = 4294967295
(9) Calling-Station-Id = "606d-c7eb-39bd"
(9) NAS-Identifier = "NTL-WLC-AC6605-B"
(9) NAS-Port-Type = Wireless-802.11
(9) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50"
(9) State = 0x43da51604b614867cc0d35af791e907a
(9) EAP-Message = 0x02bb002e1900170303002300000000000000032d4e20b53af693019f01e70f16a406d9725376cc2b965dd43c68b8
(9) Message-Authenticator = 0x20d26c3101e8208c7dc207ba7ca920d3
(9) Called-Station-Id = "F8-4A-BF-F2-98-80:NTL-OPS"
(9) Login-IP-Host = 0.0.0.0
(9) NAS-IP-Address = 172.16.33.246
(9) Framed-MTU = 1500
(9) Huawei-Startup-Stamp = 1471070906
(9) Huawei-IPHost-Addr = "255.255.255.255 60:6d:c7:eb:39:bd"
(9) Huawei-Connect-ID = 3078
(9) Huawei-Version = "Huawei AC6605"
(9) Huawei-Product-ID = "AC"
(9) Huawei-User-Mac = "\000\000\000"
(9) Restoring &session-state
(9) &session-state:Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/wlc_huawei
(9) authorize {
(9) [preprocess] = ok
(9) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(9) auth_log: --> /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(9) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/172.16.33.246/auth-detail-20170405
(9) auth_log: EXPAND %t
(9) auth_log: --> Wed Apr 5 22:09:05 2017
(9) [auth_log] = ok
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "ali.asad", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap_wlc_huawei: Peer sent EAP Response (code 2) ID 187 length 46
(9) eap_wlc_huawei: Continuing tunnel setup
(9) [eap_wlc_huawei] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap_wlc_huawei
(9) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(9) authenticate {
(9) eap_wlc_huawei: Expiring EAP session with state 0x43da51604b614867
(9) eap_wlc_huawei: Finished EAP session with state 0x43da51604b614867
(9) eap_wlc_huawei: Previous EAP request found for state 0x43da51604b614867, released from the list
(9) eap_wlc_huawei: Peer sent packet with method EAP PEAP (25)
(9) eap_wlc_huawei: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(9) eap_peap: what went wrong, and how to fix the problem
(9) eap_wlc_huawei: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap_wlc_huawei: Sending EAP Failure (code 4) ID 187 length 4
(9) eap_wlc_huawei: Failed in EAP select
(9) [eap_wlc_huawei] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/wlc_huawei
(9) Post-Auth-Type REJECT {
(9) sql_wlc_huawei: EXPAND .query
(9) sql_wlc_huawei: --> .query
(9) sql_wlc_huawei: WARNING: No such configuration item .query
(9) [sql_wlc_huawei] = noop
(9) } # Post-Auth-Type REJECT = noop
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 105 from 115.186.154.51:1812 to 172.16.33.246:1812 length 44
(9) EAP-Message = 0x04bb0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.9 seconds.
^C
BR/Mustafa
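
Added example (not part of the original post, and not FreeRADIUS code): in request (8) the outer packet carries NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=50", but inside wlc_huawei-tunnel the logged query shows '%{NAS-Port-Id}' expanded to '' and sql_wlc_huawei then returns notfound. The Python sketch below scans debug output for any simple %{Attribute} reference that expanded to an empty string and pairs it with that module's return code; the function names are hypothetical, and the sample is an excerpt of the log above.

```python
import re

REF = re.compile(r"%\{([^{}]+)\}")                      # simple, non-nested %{Attribute}
EXPAND = re.compile(r"^\((\d+)\)\s+(\S+): EXPAND (.*)$")
RESULT = re.compile(r"^\((\d+)\)\s+(\S+):\s+-->\s?(.*)$")
RCODE = re.compile(r"^\((\d+)\)\s+\[(\S+)\] = (\w+)$")

# Excerpt of request (8) from the debug output in the post.
SAMPLE_LOG = """\
(8) sql_wlc_huawei: EXPAND %{User-Name}
(8) sql_wlc_huawei: --> ali.asad
rlm_sql (sql_wlc_huawei): Reserved connection (1)
(8) sql_wlc_huawei: EXPAND SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = '%{SQL-User-Name}' and wlan = 'y' and vlanid=SUBSTR('%{NAS-Port-Id}' ,INSTR('%{NAS-Port-Id}', '=', -1)+3) ORDER BY id
(8) sql_wlc_huawei: --> SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'ali.asad' and wlan = 'y' and vlanid=SUBSTR('' ,INSTR('', '=', -1)+3) ORDER BY id
(8) [sql_wlc_huawei] = notfound
"""

def empty_refs(template, expanded):
    """Return names of %{...} references that expanded to an empty string."""
    names = REF.findall(template)
    if not names:
        return []
    # With one capture group, split() yields literal, name, literal, ...
    literals = REF.split(template)[0::2]
    pattern = "(.*?)".join(re.escape(lit) for lit in literals)
    m = re.fullmatch(pattern, expanded, re.DOTALL)
    if m is None:  # nested %{%{a}:-%{b}} or strftime-style %Y: skipped here
        return []
    empty = [n for n, v in zip(names, m.groups()) if v == ""]
    return list(dict.fromkeys(empty))  # de-duplicate, keep order

def find_empty_expansions(log_text):
    """Pair each empty expansion with the module's next return code."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := EXPAND.match(line)):
            pending = m.groups()  # (request, module, template)
        elif (m := RESULT.match(line)) and pending and m.groups()[:2] == pending[:2]:
            for attr in empty_refs(pending[2], m.group(3)):
                findings.append({"request": m.group(1), "module": m.group(2),
                                 "attribute": attr, "rcode": None})
            pending = None
        elif (m := RCODE.match(line)):
            for f in findings:
                if f["rcode"] is None and (f["request"], f["module"]) == m.groups()[:2]:
                    f["rcode"] = m.group(3)
    return findings

if __name__ == "__main__":
    for f in find_empty_expansions(SAMPLE_LOG):
        print("({request}) {module}: %{{{attribute}}} expanded to '' -> {rcode}".format(**f))
```
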