FW: EAP authentication with Windows 10

Rob Rutledge robertrutledge2005 at charter.net
Sat Apr 22 22:26:04 CEST 2017


Hi All:

I have had FreeRADIUS up and running successfully since February. I set up a Windows 10 wireless client to authenticate to it along with an iPhone 6.

For some reason the Windows 10 client quit working last week. (The iPhone is still working fine, although I see in the debugs it is using TLS 1.0.) I assumed it was a problem with the certificates expiring, but creating new ones has not helped. Therefore I went back to the originals. I was not able to get the client.p12 certificate installed, so instead I use WPAV2 and I did not specify the username/password in my AP. Therefore the authentication process would let me enter the username/password combination and then have me accept the certificate, which I only had to configure once. Then it stopped working and I cannot even get past the username/password combination now.

I have provided the debug logs if anyone would be so kind to look at them. Any help would be appreciated.

Ready to process requests

(0) Received Access-Request Id 127 from 10.160.134.40:1645 to 10.160.134.60:1812 length 204
(0)   User-Name = "Robby"
(0)   Framed-MTU = 1400
(0)   Called-Station-Id = "0026.cba5.c330:BigBang_2"
(0)   Calling-Station-Id = "c8f7.334c.b878"
(0)   Cisco-AVPair = "ssid=BigBang_2"
(0)   Service-Type = Login-User
(0)   Cisco-AVPair = "service-type=Login"
(0)   Message-Authenticator = 0x43e8c41ae092bd8de6f33591cf730c05
(0)   EAP-Message = 0x0202000a01526f626279
(0)   NAS-Port-Type = Wireless-802.11
(0)   NAS-Port = 625
(0)   NAS-Port-Id = "625"
(0)   NAS-IP-Address = 10.160.134.40
(0)   NAS-Identifier = "txweahomxp-ap1142001"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 3 length 22
(0) eap: EAP session adding &reply:State = 0x8337d5108334d1a6
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 127 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(0)   EAP-Message = 0x0103001604101e263ad0cd148ac153878d4e36fd2bb0
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x8337d5108334d1a62b010c57ecd141a1
(0) Finished request
Waking up in 4.9 seconds.

(1) Received Access-Request Id 128 from 10.160.134.40:1645 to 10.160.134.60:1812 length 221
(1)   User-Name = "Robby"
(1)   Framed-MTU = 1400
(1)   Called-Station-Id = "0026.cba5.c330:BigBang_2"
(1)   Calling-Station-Id = "c8f7.334c.b878"
(1)   Cisco-AVPair = "ssid=BigBang_2"
(1)   Service-Type = Login-User
(1)   Cisco-AVPair = "service-type=Login"
(1)   Message-Authenticator = 0x35d76926529cca52c1508fc0bd80dc21
(1)   EAP-Message = 0x020300090319152b11
(1)   NAS-Port-Type = Wireless-802.11
(1)   NAS-Port = 625
(1)   NAS-Port-Id = "625"
(1)   State = 0x8337d5108334d1a62b010c57ecd141a1
(1)   NAS-IP-Address = 10.160.134.40
(1)   NAS-Identifier = "txweahomxp-ap1142001"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 9
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry Robby at line 26
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x8337d5108334d1a6
(1) eap: Finished EAP session with state 0x8337d5108334d1a6
(1) eap: Previous EAP request found for state 0x8337d5108334d1a6, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: Flushing SSL sessions (of #0)
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0x8337d5108233cca6
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 128 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(1)   EAP-Message = 0x010400061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x8337d5108233cca62b010c57ecd141a1
(1) Finished request
Waking up in 4.9 seconds.

(2) Received Access-Request Id 129 from 10.160.134.40:1645 to 10.160.134.60:1812 length 422
(2)   User-Name = "Robby"
(2)   Framed-MTU = 1400
(2)   Called-Station-Id = "0026.cba5.c330:BigBang_2"
(2)   Calling-Station-Id = "c8f7.334c.b878"
(2)   Cisco-AVPair = "ssid=BigBang_2"
(2)   Service-Type = Login-User
(2)   Cisco-AVPair = "service-type=Login"
(2)   Message-Authenticator = 0x7fb2f3f2dcf5521eb3f3fbe5e9da71ad
(2)   EAP-Message = 0x020400d21980000000c816030300c3010000bf030358fbac2b32952543a1c44b9b0996a1a1a8d8507a68c411dc17909af45fe51e2520a864338413d80b83ee00b44b8e99570a944b46e3ef8fd22fc0409e1b878a86f3003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013003900
(2)   NAS-Port-Type = Wireless-802.11
(2)   NAS-Port = 625
(2)   NAS-Port-Id = "625"
(2)   State = 0x8337d5108233cca62b010c57ecd141a1
(2)   NAS-IP-Address = 10.160.134.40
(2)   NAS-Identifier = "txweahomxp-ap1142001"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 4 length 210
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x8337d5108233cca6
(2) eap: Finished EAP session with state 0x8337d5108233cca6
(2) eap: Previous EAP request found for state 0x8337d5108233cca6, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 200 bytes
(2) eap_peap: Got complete TLS record (200 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.2  [length 00c3]
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.2  [length 0059]
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.2  [length 03e8]
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.2  [length 014d]
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.2  [length 0004]
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 5 length 1004
(2) eap: EAP session adding &reply:State = 0x8337d5108132cca6
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 129 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(2)   EAP-Message = 0x010503ec19c0000005a61603030059020000550303071820ee28d51600f472f17441b90fc63742989686d78cc2fc26571ef9c50f9c209922a163ea47f592fc458298194786a6ccd980f5df6fb1abf5f33571cac52463c03000000dff01000100000b00040300010216030303e80b0003e40003e10003de
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x8337d5108132cca62b010c57ecd141a1
(2) Finished request
Waking up in 4.9 seconds.

(3) Received Access-Request Id 130 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(3)   User-Name = "Robby"
(3)   Framed-MTU = 1400
(3)   Called-Station-Id = "0026.cba5.c330:BigBang_2"
(3)   Calling-Station-Id = "c8f7.334c.b878"
(3)   Cisco-AVPair = "ssid=BigBang_2"
(3)   Service-Type = Login-User
(3)   Cisco-AVPair = "service-type=Login"
(3)   Message-Authenticator = 0x41ff5998373abb1309bcc0e3ea37ed8f
(3)   EAP-Message = 0x020500061900
(3)   NAS-Port-Type = Wireless-802.11
(3)   NAS-Port = 625
(3)   NAS-Port-Id = "625"
(3)   State = 0x8337d5108132cca62b010c57ecd141a1
(3)   NAS-IP-Address = 10.160.134.40
(3)   NAS-Identifier = "txweahomxp-ap1142001"
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 5 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x8337d5108132cca6
(3) eap: Finished EAP session with state 0x8337d5108132cca6
(3) eap: Previous EAP request found for state 0x8337d5108132cca6, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 6 length 458
(3) eap: EAP session adding &reply:State = 0x8337d5108031cca6
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 130 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(3)   EAP-Message = 0x010601ca1900397f45cadbce38bc8800d068245cda7603d379b834bf5b4e113ea6a8f410aacb4df8b85adf8749a8be3778bccf80aabef10af4e29d7da239e1fc450c4227ab0e1265bd8049d00483027ab10d1996480008c0286cfb73e4a06ee1b0cc555c2a6b2c004d81054fcefe8e160303014d0c0001
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x8337d5108031cca62b010c57ecd141a1
(3) Finished request
Waking up in 4.9 seconds.

(4) Received Access-Request Id 131 from 10.160.134.40:1645 to 10.160.134.60:1812 length 348
(4)   User-Name = "Robby"
(4)   Framed-MTU = 1400
(4)   Called-Station-Id = "0026.cba5.c330:BigBang_2"
(4)   Calling-Station-Id = "c8f7.334c.b878"
(4)   Cisco-AVPair = "ssid=BigBang_2"
(4)   Service-Type = Login-User
(4)   Cisco-AVPair = "service-type=Login"
(4)   Message-Authenticator = 0xd641c43d2204c044cfc9efddb3ed46a1
(4)   EAP-Message = 0x0206008819800000007e16030300461000004241044ce03681389ff5ad25ca61a286c88298ada26bf26f6b4e6eee223abc4ebc3273655a042aa3b8f16957a2f91d994694ba4fbfed625254dcc4a84400667c4e63da1403030001011603030028000000000000000047a57d4600cdcf8279b7679860ac44
(4)   NAS-Port-Type = Wireless-802.11
(4)   NAS-Port = 625
(4)   NAS-Port-Id = "625"
(4)   State = 0x8337d5108031cca62b010c57ecd141a1
(4)   NAS-IP-Address = 10.160.134.40
(4)   NAS-Identifier = "txweahomxp-ap1142001"
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 6 length 136
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x8337d5108031cca6
(4) eap: Finished EAP session with state 0x8337d5108031cca6
(4) eap: Previous EAP request found for state 0x8337d5108031cca6, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2  [length 0046]
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: TLS_accept: SSLv3 read certificate verify A
(4) eap_peap: <<< recv TLS 1.2  [length 0001]
(4) eap_peap: <<< recv TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.2  [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 7 length 57
(4) eap: EAP session adding &reply:State = 0x8337d5108730cca6
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 131 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(4)   EAP-Message = 0x010700391900140303000101160303002861b7a36a5561b04e9f0cb70e85700b387854eb41320658261a5b77c113cbaefaa246556ea070a8a7
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x8337d5108730cca62b010c57ecd141a1
(4) Finished request
Waking up in 4.9 seconds.

(5) Received Access-Request Id 132 from 10.160.134.40:1645 to 10.160.134.60:1812 length 253
(5)   User-Name = "Robby"
(5)   Framed-MTU = 1400
(5)   Called-Station-Id = "0026.cba5.c330:BigBang_2"
(5)   Calling-Station-Id = "c8f7.334c.b878"
(5)   Cisco-AVPair = "ssid=BigBang_2"
(5)   Service-Type = Login-User
(5)   Cisco-AVPair = "service-type=Login"
(5)   Message-Authenticator = 0x44a35e8a6f92e7be41870a9ed32c7f04
(5)   EAP-Message = 0x0207002919800000001f150303001a0000000000000001eea590d9939d70cefcd2bbceab89b987c185
(5)   NAS-Port-Type = Wireless-802.11
(5)   NAS-Port = 625
(5)   NAS-Port-Id = "625"
(5)   State = 0x8337d5108730cca62b010c57ecd141a1
(5)   NAS-IP-Address = 10.160.134.40
(5)   NAS-Identifier = "txweahomxp-ap1142001"
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 7 length 41
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x8337d5108730cca6
(5) eap: Finished EAP session with state 0x8337d5108730cca6
(5) eap: Previous EAP request found for state 0x8337d5108730cca6, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 31 bytes
(5) eap_peap: Got complete TLS record (31 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2  [length 0002]
(5) eap_peap: ERROR: TLS Alert read:fatal:access denied
(5) eap_peap: WARNING: No data inside of the tunnel
(5) eap_peap: [eaptls process] = ok
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state ?
(5) eap_peap: ERROR: Tunneled data is invalid
(5) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 7 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> Robby
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 132 from 10.160.134.60:1812 to 10.160.134.40:1645 length 44
(5)   EAP-Message = 0x04070004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 127 with timestamp +17
(1) Cleaning up request packet ID 128 with timestamp +17
(2) Cleaning up request packet ID 129 with timestamp +17
(3) Cleaning up request packet ID 130 with timestamp +17
(4) Cleaning up request packet ID 131 with timestamp +17
(5) Cleaning up request packet ID 132 with timestamp +17
Ready to process requests

Thanks.

Rob Rutledge, CCNP CCDP
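Reading the EAP-Message hex in a `radiusd -X` trace like the one above is easier with a small decoder, so here is an added example (not part of the post and not FreeRADIUS code) that parses the EAP header, the EAP-TLS/PEAP flags and length field, and the outer TLS record header of each value. The sample values are copied from the log in the post, with the long ones cut down to their header bytes; the function and table names are my own.

```python
"""Decoder for the EAP-Message values printed by `radiusd -X`.

Added example, not from the original post or from FreeRADIUS: it parses the
EAP header, the EAP-TLS/PEAP flags and length field, and the outer TLS
record header, so the hex blobs in the debug output can be checked against
the eap/eap_peap lines printed next to them.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 43: "FAST"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
TLS_HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
                 12: "server_key_exchange", 14: "server_hello_done",
                 16: "client_key_exchange", 20: "finished"}

# Values copied from the log in the post; the long ones are cut down to the
# bytes the decoder needs (the debug output itself only prints a prefix).
SAMPLES = [
    ("(0) recv", "0x0202000a01526f626279"),
    ("(1) recv", "0x020300090319152b11"),
    ("(1) sent", "0x010400061920"),
    ("(2) recv", "0x020400d21980000000c816030300c301"),
    ("(2) sent", "0x010503ec19c0000005a61603030059020000550303"),
    ("(3) recv", "0x020500061900"),
    ("(4) recv", "0x0206008819800000007e16030300461000004241"),
    ("(5) recv", "0x0207002919800000001f150303001a"),
    ("(5) sent", "0x04070004"),
]


def tls_version(ver):
    """Map a TLS record version word (0x0301..0x0303) to its usual name."""
    return f"TLS 1.{ver - 0x0301}" if 0x0301 <= ver <= 0x0303 else hex(ver)


def decode_eap_message(hexstr):
    """Decode one EAP-Message value into a dict of its header fields."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no type byte
        return out
    eap_type = data[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    payload = data[5:]
    if eap_type == 1:                       # Identity: the bare user name
        out["identity"] = payload.decode("ascii", "replace")
    elif eap_type == 3:                     # Nak: methods the peer would accept
        out["desired_types"] = [EAP_TYPES.get(t, t) for t in payload]
    elif eap_type in (13, 21, 25):          # EAP-TLS style framing (RFC 5216)
        flags = payload[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        pos = 1
        if flags & 0x80:                    # L bit: 4-byte total TLS length follows
            out["tls_total_length"] = struct.unpack("!I", payload[1:5])[0]
            pos = 5
        rec = payload[pos:pos + 5]
        if len(rec) == 5:                   # outer TLS record header, if present
            ctype, ver, rlen = struct.unpack("!BHH", rec)
            out["tls_record"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                                 "version": tls_version(ver), "length": rlen}
            if ctype == 22 and len(payload) > pos + 5:
                htype = payload[pos + 5]
                out["tls_record"]["handshake_type"] = TLS_HANDSHAKE.get(htype, htype)
    return out


def decode_samples(samples=SAMPLES):
    """Decode every (label, hex) pair and return the labelled results."""
    return [(label, decode_eap_message(h)) for label, h in samples]


if __name__ == "__main__":
    for label, fields in decode_samples():
        print(label, fields)
```

The decoded fields line up with the server's own commentary: the Nak in (1) lists PEAP, TTLS, FAST and LEAP as acceptable methods and the server picks PEAP; the (2) response carries a 200-byte ClientHello in a TLS 1.2 record, matching "complete TLS record size will be 200 bytes" and "recv TLS 1.2 [length 00c3]"; the (4) response is the client's ClientKeyExchange. The final (5) response is a TLS alert record (content type 21) sent after the server's ChangeCipherSpec and Finished, so its body is encrypted and only the server-side decrypt shows "access denied". Which side aborts, and at which step, is the first thing to pin down when reading such a trace, and here it is the supplicant ending the outer TLS session right after the handshake completes, before any inner authentication is attempted.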

 


