radius and ldap authentication.
Mohd Akhbar
mymohaja at gmail.com
Fri Aug 11 06:53:52 CEST 2017
I want to connect radius with my ldap (389 Directory) and my user password
in SHA. Actually taking over the task from colleague. Please give some
advice. Thank you.
===========================================
[root at eduroam-idp ~]# radiusd -X
radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built
on Jul 17 2017 at 23:07:34
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/ldap.BAK
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
}
realm ~^(.+\.)?uthm\.edu\.my$ {
authhost = LOCAL
accthost = LOCAL
}
realm DEFAULT {
nostrip
authhost = 192.168.241.12:1812
secret = TcMvKbBdVChdYdeY
}
realm suffix {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 192.168.241.12
netmask = 32
require_message_authenticator = no
secret = "TcMvKbBdVChdYdeY"
shortname = "radsec"
nastype = "other"
virtual_server = "eduroam-inner-tunnel"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
}
radiusd: #### Loading Virtual Servers ####
server { # from file
modules {
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/letsencrypt/live/
idp.uthm.edu.my/privkey.pem"
certificate_file = "/etc/letsencrypt/live/idp.uthm.edu.my/cert.pem"
CA_file = "/etc/letsencrypt/live/idp.uthm.edu.my/chain.pem"
dh_file = "/etc/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
}
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may
not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/huntgroups
reading pairlist file /etc/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /etc/raddb/users
reading pairlist file /etc/raddb/acct_users
reading pairlist file /etc/raddb/preproxy_users
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
ldap {
server = "ldap.uthm.edu.my"
port = 389
password = "mypassword"
expect_password = yes
identity = "cn=Directory Manager"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "dc=uthm,dc=edu,dc=my"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=inetOrgPerson)"
auto_header = no
access_attr = "uid"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 10
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP uid mapped to RADIUS User-Name
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x7f75996694a0
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server eduroam-inner-tunnel { # from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "auth_log" from file
/etc/raddb/modules/detail.log
detail auth_log {
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file
/etc/raddb/modules/detail.log
detail reply_log {
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 0
}
listen {
type = "acct"
ipaddr = 127.0.0.1
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address 127.0.0.1 port 1812
Listening on accounting address 127.0.0.1 port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1217
Ready to process requests.
rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
length=38
Message-Authenticator = 0xbf53e4c9a8a5a0bb431dc680c121d53d
server eduroam-inner-tunnel {
} # server eduroam-inner-tunnel
Sending Access-Accept of id 0 to 192.168.241.12 port 56951
Finished request 0.
Cleaning up request 0 ID 0 with timestamp +18
Going to the next request
Ready to process requests.
============================
log when i try to connect as user test.
-================================
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=150, length=223
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020100150174657374407574686d2e6564752e6d79
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0xdc2b75e509a96ab724feaf3d03953633
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap.uthm.edu.my:389, authentication 0
[ldap] bind as cn=Directory Manager/ik4k388x to ldap.uthm.edu.my:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 1 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 150 to 192.168.241.12 port 56951
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f288fac56d7f54a19d8916d3466
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
length=38
Message-Authenticator = 0xecface185786ea7a6b82e20ad361fc34
server eduroam-inner-tunnel {
} # server eduroam-inner-tunnel
Sending Access-Accept of id 0 to 192.168.241.12 port 56951
Finished request 8.
Cleaning up request 8 ID 0 with timestamp +220
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=151, length=398
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020200b21980000000a816030300a30100009f0303598d3725e7a897863c61fbd68a95003f647bab3f0324fa2da6110b4e8860890200003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003a000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000170000ff01000100
State = 0x8fae4f288fac56d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0x063c2c71061d7ae5e121a4058281fa1d
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 2 length 178
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 168
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 00a3]
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> Unknown TLS version [length 0039]
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> Unknown TLS version [length 09a8]
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> Unknown TLS version [length 014d]
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> Unknown TLS version [length 0004]
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 151 to 192.168.241.12 port 56951
EAP-Message =
0x0103040019c000000b461603030039020000350303598d3722b66051021af8c426626367198fc97f2723232f6c27daed0144df5f6600c03000000dff01000100000b00040300010216030309a80b0009a40009a100050530820501308203e9a0030201020212043ed440d5ecca3c0ac65f015b543248e449300d06092a864886f70d01010b0500304a310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074312330210603550403131a4c6574277320456e637279707420417574686f72697479205833301e170d3137303732373031333630305a170d3137313032353031333630305a301a3118301606035504
EAP-Message =
0x03130f6964702e7574686d2e6564752e6d7930820122300d06092a864886f70d01010105000382010f003082010a0282010100d23d855a6505d658f13890992c15d80251c49843e4d5bec8bfa049143a3496f2a18e04e2b397ce12be6b6af0aa25ac0b11c11602fcb355f2adf34dbfdd7158301070cd34317ddf09ecb2a4bd946d38769371c5d305cc5a0b95d812533561307ea748f676fc68fbbf6b2ae4736c74cab3399d9a3b3ec9a393c939967f0f3414010c18172663d9ab62f8beba8909cde4ea7dafbd21c13f304014ca457bcb32ff3c92ee1b5495fdffd587db664c8afa902ccac201dc89a3f3cb358b348eb606ed616f56c82dada466370f14
EAP-Message =
0xf8f54004db5d26f078fff6d3d064623a47337c0fccaff2b8005968d04175c0ecaeb6ff49e952dcf1b679290e7ca8b857baec65cdaabb0203010001a382020f3082020b300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff04023000301d0603551d0e04160414f5c39602b5276cfcccfb5394192bb8607a1c7c2a301f0603551d23041830168014a84a6a63047dddbae6d139b7a64565eff3a8eca1306f06082b0601050507010104633061302e06082b060105050730018622687474703a2f2f6f6373702e696e742d78332e6c657473656e63727970742e
EAP-Message =
0x6f7267302f06082b060105050730028623687474703a2f2f636572742e696e742d78332e6c657473656e63727970742e6f72672f301a0603551d1104133011820f6964702e7574686d2e6564752e6d793081fe0603551d200481f63081f33008060667810c0102013081e6060b2b0601040182df130101013081d6302606082b06010505070201161a687474703a2f2f6370732e6c657473656e63727970742e6f72673081ab06082b0601050507020230819e0c819b54686973204365727469666963617465206d6179206f6e6c792062652072656c6965642075706f6e2062792052656c79696e67205061727469657320616e64206f6e6c7920696e
EAP-Message = 0x206163636f7264616e636520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f288ead56d7f54a19d8916d3466
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=152, length=226
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020300061900
State = 0x8fae4f288ead56d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0x169f17aff5bf1ec04b4c7b2e442b3ed9
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 152 to 192.168.241.12 port 56951
EAP-Message =
0x010403fc1940776974682074686520436572746966696361746520506f6c69637920666f756e642061742068747470733a2f2f6c657473656e63727970742e6f72672f7265706f7369746f72792f300d06092a864886f70d01010b050003820101006af6a364c1c07b19bfaf54a31b10c74de4e2c2113b30dcbdcb77a5b82f6cbdf369ede76ef835056ea2f6d2bf4fb1f9ad5ff3530e0047caed7a469747b9869a2997f574c94cf2d2bb09798f00e2f84483d7562d851cfdeaa034cb9cadddb6826a6323673edd921eb1c070c5dcc03f862de9fa868028a8b3eff046d08a15af03035b8785019f81b076ca6b85722d4ed4789c0291055c85fac2ad0a49
EAP-Message =
0x2e57a9f8bd5a07f22977812adc3b2a11d725c86a3aa0a93700b5c61830cbc6081f26520d3b9ce6339fab2a6f58fab00c2648142c337a3c4939feb309e711eb02d96e9e1a4cc468696c233e5429c4fc69a5e2055d14fba459a279cc8f13a96ae7f5d01c4a1f000496308204923082037aa00302010202100a0141420000015385736a0b85eca708300d06092a864886f70d01010b0500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3136303331373136343034365a170d3231303331373136343034365a304a310b3009
EAP-Message =
0x06035504061302555331163014060355040a130d4c6574277320456e6372797074312330210603550403131a4c6574277320456e637279707420417574686f7269747920583330820122300d06092a864886f70d01010105000382010f003082010a02820101009cd30cf05ae52e47b7725d3783b3686330ead735261925e1bdbe35f170922fb7b84b4105aba99e350858ecb12ac468870ba3e375e4e6f3a76271ba7981601fd7919a9ff3d0786771c8690e9591cffee699e9603c48cc7eca4d7712249d471b5aebb9ec1e37001c9cac7ba705eace4aebbd41e53698b9cbfd6d3c9668df232a42900c867467c87fa59ab8526114133f65e98287cbdbfa
EAP-Message =
0x0e56f68689f3853f9786afb0dc1aef6b0d95167dc42ba065b299043675806bac4af31b9049782fa2964f2a20252904c674c0d031cd8f31389516baa833b843f1b11fc3307fa27931133d2d36f8e3fcf2336ab93931c5afc48d0d1d641633aafa8429b6d40bc0d87dc3930203010001a382017d3082017930120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186307f06082b0601050507010104733071303206082b060105050730018626687474703a2f2f697372672e747275737469642e6f6373702e6964656e74727573742e636f6d303b06082b06010505073002862f687474703a2f2f617070732e6964656e
EAP-Message = 0x74727573742e636f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f288daa56d7f54a19d8916d3466
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=153, length=226
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020400061900
State = 0x8fae4f288daa56d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0xc60aac92364e2b6924ae3770ca74f5e0
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 153 to 192.168.241.12 port 56951
EAP-Message =
0x0105036019006d2f726f6f74732f647374726f6f74636178332e703763301f0603551d23041830168014c4a7b1a47b2c71fadbe14b9075ffc4156085891030540603551d20044d304b3008060667810c010201303f060b2b0601040182df130101013030302e06082b060105050702011622687474703a2f2f6370732e726f6f742d78312e6c657473656e63727970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c301d0603551d0e04160414a84a6a63047dddbae6d139b7a64565eff3a8eca1300d06092a864886f70d0101
EAP-Message =
0x0b05000382010100dd33d711f3635838dd1815fb0955be7656b97048a56947277bc2240892f15a1f4a1229372474511c6268b8cd957067e5f7a4bc4e2851cd9be8ae879dead8ba5aa1019adcf0dd6a1d6ad83e57239ea61e04629affd705cab71f3fc00a48bc94b0b66562e0c154e5a32aad20c4e9e6bbdcc8f6b5c332a398cc77a8e67965072bcb28fe3a165281ce520c2e5f83e8d50633fb776cce40ea329e1f925c41c1746c5b5d0a5f33cc4d9fac38f02f7b2c629dd9a3916f251b2f90b119463df67e1ba67a87b9a37a6d18fa25a5918715e0f2162f58b0062f2c6826c64b98cdda9f0cf97f90ed434a12444e6f737a28eaa4aa6e7b4c7d87dde0
EAP-Message =
0xc90244a787afc3345bb442160303014d0c0001490300174104937ef4214267c66e54b943286f2aaee0d7136583436503bc9771b29543c715226c45d5d7a14e14877be87ae18304b19c725acb27d5f7e67dd6a95146c87bd69204010100801b8d8ce4a7e05deb44da62e7fdefc579ea4fa2d6ea86438b76661a461e2edf2dda7254e76c90ebd2c425149a7f4c202d80c553f6ac268a6726c01ff4defadb7a06049b147774e50009e8ea4e75c7277ca1ab7dd549a2f99eaadab70143e49b1de3ae104e73f307aca89d03f0165ec72ae32586aa3322fd193c34f8e254cb1035404691253be279552f8b22e7e645ccf06f48ddd89274421ac224636daf1fce
EAP-Message =
0x6c8b5405eb5f25c413af4115fcaaaee24c89899d0a5de9676776b0c57c6d7e673a0439528bc4b55ba9f5572cedfbd3fc8405ea36f11d2661abc315739ccabafe8c19e498555e91a06ca95eac01dd688f2dd07779e92f3f84172551df1bdf2e7d16030300040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f288cab56d7f54a19d8916d3466
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=154, length=356
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0205008819800000007e1603030046100000424104c54e810e0876a2f48de285e28044b9d5705e0502717c3dc8017dc66f925db3a936b10c757bfdd0c306034d301be3d9f000b3d8e396baa95c8b466988a54e689b140303000101160303002800000000000000006ac72ce7125c46232cff9613def48589606506c06bf5ba73c81ef1a541f67972
State = 0x8fae4f288cab56d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0x9a6c65b38d5d36756f9d367c70d9c188
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 5 length 136
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 126
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0046]
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< Unknown TLS version [length 0001]
[peap] <<< Unknown TLS version [length 0010]
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> Unknown TLS version [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> Unknown TLS version [length 0010]
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 154 to 192.168.241.12 port 56951
EAP-Message =
0x01060039190014030300010116030300281c8a45d0b7de86498defbc89a27764b06a43196af0bf4a2db7824809a50bd2d3e34b5b203a2345cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f288ba856d7f54a19d8916d3466
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=155, length=226
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020600061900
State = 0x8fae4f288ba856d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0xb3457d7a24957b9fa3781dc6b0c24295
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 155 to 192.168.241.12 port 56951
EAP-Message =
0x010700281900170303001d1c8a45d0b7de864ad470a8ed8a39384d931984faa55ad2ebc731ac4bbb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f288aa956d7f54a19d8916d3466
Finished request 13.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=156, length=272
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0207003419001703030029000000000000000134f54fb6fe56b12faf31a04562eb50ddcfa3354f7bbfd1545aa0130c45e0dd385c
State = 0x8fae4f288aa956d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0xa7c3a3db99bf62cb53cf74ae99a4acd5
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 7 length 52
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test at uthm.edu.my
[peap] Got inner identity 'test at uthm.edu.my'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
server eduroam-inner-tunnel {
[peap] Setting User-Name to test at uthm.edu.my
Sending tunneled request
EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 7 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcbeddcf3cbe5c6059f24a1ca23970697
[peap] Got tunneled reply RADIUS code Access-Challenge
EAP-Message =
0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcbeddcf3cbe5c6059f24a1ca23970697
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 156 to 192.168.241.12 port 56951
EAP-Message =
0x010800491900170303003e1c8a45d0b7de864b2d1e68270fa233de3ac15f3ba93a9d2e2df074591a16e288b38d1ec3175acf72ef0f30a6f19ee6e5a4e9b3ccb86e49568d7c2cb0af87
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f2889a656d7f54a19d8916d3466
Finished request 14.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=157, length=326
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0208006a1900170303005f0000000000000002e601a6aa39b3f001761524212d3ad0f41d4ed51d41f2ccd5e98cec19669d823871d2c63f9d0e24a20b54572e2f27420eee0f333e8bc450f328c4a5a29778e395986cd10574041407466476fa397de3d2e27c8e2408f5b2
State = 0x8fae4f2889a656d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0x1a31e183513b430559a36db139e98115
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 8 length 106
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
server eduroam-inner-tunnel {
[peap] Setting User-Name to test at uthm.edu.my
Sending tunneled request
EAP-Message =
0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test at uthm.edu.my"
State = 0xcbeddcf3cbe5c6059f24a1ca23970697
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 8 length 75
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: test at uthm.edu.my
[mschap] Client is using MS-CHAPv2 for test at uthm.edu.my, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [test at uthm.edu.my] (from client radsec port 0 cli
606720CB37CC via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group REJECT {
[reply_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[reply_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[reply_log] = ok
+} # group REJECT = ok
} # server eduroam-inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
} # server eduroam-inner-tunnel
Sending Access-Challenge of id 157 to 192.168.241.12 port 56951
EAP-Message =
0x0109002e190017030300231c8a45d0b7de864c86cfe8658e8f5a7692bff076e34cac34a4f898a86fb7d7bd87bd0d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8fae4f2888a756d7f54a19d8916d3466
Finished request 15.
Going to the next request
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
id=158, length=266
User-Name = "test at uthm.edu.my"
NAS-IP-Address = 192.168.241.12
NAS-Port = 0
NAS-Identifier = "eduroam"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "606720CB37CC"
Called-Station-Id = "001A1E012EE8"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0209002e19001703030023000000000000000334b2a2f72bfaff9cb368e59ee145ac3b61bb33f10ff54368601eda
State = 0x8fae4f2888a756d7f54a19d8916d3466
Aruba-Essid-Name = "eduroam"
Aruba-Location-Id = "PTM-MIS"
Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
Message-Authenticator = 0x13d985f1b0164cab9128cf4e07b3a9e0
server eduroam-inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authorize {
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[auth_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
[auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[auth_log] = ok
[suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
[suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "uthm.edu.my"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[ldap] performing user authorization for test
[ldap] expand: %{Stripped-User-Name} -> test
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
[ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
[ldap] checking if remote access for test is allowed by uid
[ldap] looking for check items in directory...
[ldap] uid -> User-Name == "test"
[ldap] userPassword -> Password-With-Header ==
"{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[files] = noop
++[mschap] = noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] = noop
[eap] EAP packet type response id 9 length 46
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test at uthm.edu.my] (from client radsec port 0 cli
606720CB37CC)
} # server eduroam-inner-tunnel
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
+group REJECT {
[reply_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
[reply_log] expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
-> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
[reply_log] expand: %t -> Fri Aug 11 12:48:36 2017
++[reply_log] = ok
+} # group REJECT = ok
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 158 to 192.168.241.12 port 56951
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.6 seconds.
Cleaning up request 7 ID 150 with timestamp +220
Cleaning up request 9 ID 151 with timestamp +220
Cleaning up request 10 ID 152 with timestamp +220
Cleaning up request 11 ID 153 with timestamp +220
Cleaning up request 12 ID 154 with timestamp +220
Waking up in 2.2 seconds.
Cleaning up request 13 ID 155 with timestamp +222
Cleaning up request 14 ID 156 with timestamp +222
Cleaning up request 15 ID 157 with timestamp +222
Waking up in 1.0 seconds.
Cleaning up request 16 ID 158 with timestamp +222
Ready to process requests.
More information about the Freeradius-Users
mailing list